THE FIRST thing to say about the archive of cyberhacking tools stolen from the CIA and released by WikiLeaks is that they are not instruments of mass surveillance, but means for spying on individual phones, computers and televisions. There is no evidence they have been used against Americans or otherwise improperly; if there were, we can be sure that WikiLeaks, whose core mission is not transparency but undermining U.S. national security, would have trumpeted it. It follows that the targets of the hacking methods, and the prime beneficiaries of their release, will be Islamic State terrorists, North Korean bombmakers, Iranian, Chinese and Russian spies, and other U.S. adversaries.
WikiLeaks claims it obtained the 8,761 documents and files it released Tuesday from a former U.S. government employee or contractor. But given the organization’s close ties with Russia’s intelligence services, a link established by the U.S. intelligence community’s investigation into the hacking of the Democratic National Committee, it won’t be a surprise if Moscow again turns out to be the source of the leak. The Kremlin surely will be celebrating the prospect of CIA spying operations around the world going dark, and it could have dictated WikiLeaks’ faux pious call for “a public debate” about the agency’s powers and external supervision.
In addition to losing valuable surveillance tools, the CIA will now be subjected — as the leakers intended — to disruptive controversy and unreasonable demands for greater “cooperation” with technology companies. Adherents to the theory that a “deep state” is attempting to undermine the Trump administration will seize on the revelation that the CIA arsenal included the tools and languages of other countries — proof, it will be said, that the DNC hack was a CIA “false flag” operation after all.
Civil libertarians are insisting that U.S. government hackers inform phone- and computer-makers of vulnerabilities, rather than using them for their own vital work. But defending the integrity of devices is the job of the companies, not the CIA. As The Post’s Ellen Nakashima reported, U.S. agencies already submit all software vulnerabilities they discover to a governmental review that determines whether they should be disclosed. And do the privacy zealots suppose that the Russian FSB will also inform Apple and Google of the “zero-day” hacks it has developed? They are, in effect, advocating unilateral U.S. disarmament in cyberspace.
The CIA will doubtless recover from this leak and find new tools; some experts say much of what was disclosed was relatively unsophisticated malware. But the agency, like the rest of the intelligence community, still faces the critical challenge of how to operate effectively in cyberspace while safeguarding its own secrets and methods. Procedures for vetting employees and contractors and providing them access to highly classified information must be studied again, and servers hardened against external penetration. One thing the agency must not do, though, is stop trying to develop a qualitative technological edge over U.S. adversaries, including the means to surveil them.