The latest information release is potentially devastating to the CIA — but it should promote a positive discussion about U.S. cyber-capabilities and steps forward to promote resiliency in all targets. Here are four big questions:
1) Was Russia involved?
None of the revelations reported by WikiLeaks should be shocking — and we must first consider the source. The intelligence community previously reported direct linkages between WikiLeaks and Russia in relation to the DNC hack. A WikiLeaks news release on March 7 suggests these documents were obtained from a contractor and have been in circulation for some time. While a third-party contractor is likely the source of this information, with the great majority of successful attacks against U.S. targets coming through third parties, this also does not preclude Russia’s involvement, given their previous relationship with WikiLeaks.
A key point here is that this document trove shifts the narrative away from the hacking of the DNC and Russia’s relationship with Trump and toward a focus on the malfeasance allegedly committed by the CIA. Instead, we must consider where the information came from and the lack of credibility WikiLeaks has as a news source.
Attribution in cyberspace is difficult, but not impossible, as scholars have pointed out. In cyberspace, we mainly have a reasonability problem, not an attribution problem. There is a clear motive for Russia to engage in passing this document dump on, both to distract from current speculation about close ties to Trump and to gain revenge for the previously released Panama Papers, which they blame on the United States.
But can we know that Russia is directly responsible? That is tough given the likely many layers of insulation between the source of the information and its delivery.
2) What does the leak suggest about U.S. cyber-capabilities?
At this point, the information dump does seem legitimate — but it will take some time for technical experts to sift through the data and code. There’s an important question here: How many “zero day” exploits does the U.S. control? “Zero day” exploits are unknown vulnerabilities and possible avenues of attack, called zero days because they have yet to be discovered and can act as open doors to inaccessible systems.
Former cybersecurity official Jason Healey, now a Columbia University professor, had previous research that suggested the U.S. was only in control of dozens of zero days. This information dump could possibly reveal many important vulnerabilities held by U.S. assets.
If so, the leaked information could be a troubling degradation of U.S. cyber-capabilities, because once known, these pathways toward access become useless. But we should remember that cyber-capabilities are as much about the technical abilities and human capital in the U.S. government rather than the pure number of exploits available at one time. If there is any positive to be taken from this, it could be that this allows for the holes identified in the data dump to be fixed. It also reignites the debate on the responsibility of government to disclose vulnerabilities to the public.
3) Is cyberespionage on the rise?
Caution is the key, and we should not be surprised that the CIA has extensive cybersecurity capabilities. The great majority of cyber-actions that are not criminal are what might be termed cyberespionage. Information operations seeking to gain an advantage by manipulating information and risk often drive cyberconflict behavior, a key theme in my team’s ongoing research on cyber-coercion.
The real danger here was pointed out by Thomas Rid, professor at King’s College, who noted that misinformation could be slipped into these files to sow discord. Among the thousands of files, one or two fake campaigns waged by the U.S. would foment discord and mistrust. The common misguided focus on cyberwar often misses the importance of deception in cyber-operations, a point noted by Erik Gartzke and Jon Lindsay in their research.
4) What’s next?
The next steps are clear. The cybersecurity community has been waiting for the Trump administration to release its promised cybersecurity executive order. Now is the time to do this, but we must go beyond the circulated drafts that just order more studies on current vulnerabilities and capacity. A clear plan of action that would delineate lines of control over cyber-operations and protection of critical infrastructure in the U.S. government, limit access of critical systems to contractors, and create a scalable plan to recruit young cybersecurity talent are pressing needs. And responsibility for these continued cyber-breaches needs to be established — and prevented in the future.
Brandon Valeriano is the Donald Bren Chair of Armed Politics at the Marine Corps University and a Reader at Cardiff University. He also serves as an Adjunct Fellow at the Niskanen Center and is the author of Cyber War versus Cyber Realities (Oxford University Press, 2015).