In what looks like a re-run of the Edward Snowden morality play, an insider from the CIA’s web of operators has leaked a trove of documents compromising national security in the name of a loftier goal. Partnering with Wikileaks, the perpetrator is reported to be seeking the protection of American citizens from its own intelligence agencies.
The report on the Wikileaks site, posted on March 7, is worth a close read, but there is room for skepticisim about at least one of its biggest claims. While pointing out the total trove is “largest ever publication of confidential documents on the agency”, it claims that it represents “the entire hacking capacity of the CIA”. It also says that the trove comes directly from “an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virgina.” I doubt that this the leaks reveal the entire hacking capacity of the CIA.
The suite of more than 7000 documents released this week is, according to Wikileaks, the first in a series that will see the entire trove — codenamed “Vault 7” — put into the public domain.
If you think Edward Snowden started a culture war between the millennials and the intelligence agencies about the ethics of cyber espionage, this new round of leaks has made that war a whole lot hotter. The United States government has launched a criminal investigation.
Snowden claimed his motivation was a reaction to the official denial in the Congress of a mass cyber surveillance program targeting US citizens. The Vault 7 leaks seem to be inspired by the leaker’s belief that the US government has an obligation to inform its citizens of all known vulnerabilities in consumer software and to protect them against possible attacks. Instead, the leaker sees the US government as actively concealing these threats and then building software based on those vulnerabilities to attack (foreign) consumers for intelligence purposes.
Is the leaker a “son” of Snowden? Well, it could be a “daughter”, but research suggests that women are more reliable than men when it comes to protecting the cyber secrets with which they are entrusted. Another finding of note is that IT professionals are less ethical in handling cyber secrets than their colleagues from other professions with the same access.
The Australian government is now on notice to address the main ethical question raised by the reported motivation for the leak. What does the Australian government know about vulnerabilities in consumer products, such as Samsung TVs, automobiles and mobile phones that it is withholding in the interests of using such vulnerabilities for intelligence purposes or even offensive cyber attack against foreign targets?
Who should decide that? Do consumers (Australian citizens) have an absolute right to be informed? Do the intelligence and security agencies have an over-riding national interest in keeping this information secret in some cases as long as certain oversight arrangements are in place?
I can make an argument for both points of view. Though I personally lean to the latter, in a world where foreign intelligence agencies actively use such vulnerabilities in consumer products to target Australian political leaders and business chiefs (perhaps against Crown Casino executives), maybe we need a mature debate about the limits of such a policy.
More importantly, the leaks about consumer product weaknesses imply an urgent need for more secure technologies. Australia is investing in some, such as quantum computing, but our defence industry policy is biased in favour of building boats (twentieth century technologies with cyber add-ons). We may need a far bigger investment, working with global partners, in building “highly secure computing”. If we don’t, our shiny new navy boats and their cyber add-ons could be useless anyway.
Prime Minister Turnbull has given a lead on national innovation redirection, and the country’s best scientists (under the auspices of the Australian Council of Learned Academies) have produced strategies to achieve it. Yet the bulk of the government, including ministers and the civil service, seems unable to find ways (and resources) for making the big leaps we need. The country has adopted a policy of gradual adaptation to cyber threats, and industry responses, not the radical breakthroughs that are needed.
The Vault 7 leak reveals just how insidious and pervasive the emerging cyber arsenals will be for Australian businesses, consumers and government agencies themselves. The current government’s cyber strategy in the civil sector, premised on $230 million over four years, including $3 million spread among the country’s many universities for new education measures, does not begin to match the scale of the emerging threats foreshadowed in the Vault 7 leaks.