lolloj - Fotolia

How intelligence data leaks caused collateral damage for infosec

Alvaka Networks' Kevin McDonald looks at the real-world damage caused by data leaks at the CIA and NSA, which have put dangerous government cyberweapons in the hands of hackers

WikiLeaks' CIA data dump shook a lot of regular folks because it showed that the U.S. government can allegedly monitor not only social media, but inside cars, offices and homes through a variety of electronics. PCs; Macs; and iOS, Android and Windows phones are all potential targets. It revealed that internet of things devices, smart TVs, cameras, routers, switches and maybe even refrigerators are all vulnerable.

But this is not news, and it should be a matter of general knowledge by now. The specific techniques are coming to light, but no one should be surprised that the U.S. intelligence community had these hacking capabilities. Many think it's great that this information has come out. I am not one of them.

The recent WannaCry ransomware attack is an example of the predictable damage to come from intelligence leaks. WannaCry leveraged a Microsoft Windows vulnerability and spread itself through the Server Message Block file-sharing protocol. Microsoft patched several of the zero-day vulnerabilities before the data was released by the Shadow Brokers. WannaCry provided a front-row view of what happens when organizations maintain and use zero-day vulnerabilities.

Why is WannaCry relevant to the NSA and CIA hacks? Because the vulnerability it leverages was attributed to the EternalBlue exploit released in a Shadow Brokers dump of alleged NSA exploits in May 2017.

The recent WannaCry ransomware attack is an example of the predictable damage to come from intelligence leaks.

This is just one example of what will likely be a tidal wave of advanced attacks as leaks continue from insider threats and outside hackers. I am confident that the NSA leaks and the massive amounts of CIA data released by WikiLeaks will impact American national security and global cybersecurity for some time. We do not know what the Shadow Brokers may still have of the CIA's and NSA's secret hacking information, but the group has pledged to sell these stolen cyberweapons via a monthly subscription service.

The additional public uncertainty of OS, networking and internet of things security raised by the leaks will delay operations and inject cost and caution where they did not exist previously. Operations all over the world have to be reconsidered with the leaks in mind. Billions will be spent defending governments, businesses and individuals from both the known and unknowable implications of these continued leaks.

The blowback from data leaks

There is much talk about the so-called data democratization of government information being leaked and the need to equalize the balance between secrecy and transparency in government. While we cannot have an out of control intelligence community, the absurdity of that statement is just painful; secrecy is, by definition, the antithesis of transparency.

Secrecy offers many benefits to the work of intelligence, criminal investigations, defense and even competition in the commercial sector. Without secrecy, there can be no advantage in anything that matters in any competition of wits. Secrecy in software and hardware design slows the illicit copying of intellectual property. Secrecy in military systems designs and capabilities enable many advantages against an enemy, such as the element of surprise.

The Snowden effect

I had the unique opportunity to interview a retired CIA officer with more than two decades in the field undercover in war zones and other hot spots. My source could not confirm or deny the most recent CIA data leaks, codenamed Vault 7, the largest release of confidential CIA documents to date. My source, however, did respond to the damage from the Snowden data dump and the massive potential for damage assuming that the Vault 7 leaks are, in fact, that of CIA data.

"I do not know what actual damage the most recent data leaks have caused. But I do know we leveraged a whole suite of tools that would allow us to penetrate and monitor systems needed to track an asset. If those tools were released, and even their specific existence were merely proven, there is no doubt that it has significantly compromised ongoing operations."

When I asked my source to be specific, he replied, "It is a dual-pronged effect. First, it causes bad guys -- terrorists, for example -- preparing for an attack to reconsider their plans. We know that top terror leaders are now using couriers and encrypted communications and apps to mask their actions after the Snowden leaks. Knowledge provided by these leaks causes them to change. They look more closely at everything, from participants in their activities to communications, operations, financing, logistics and recruiting. Terrorist and counterintelligence people learn; they adapt and overcome. The leakers are teaching our enemies."

As a result of the Snowden leaks, on July 11, 2013, then Lt. Gen. Michael Flynn established the Information Review Task Force 2, "to acquire, triage, analyze, and assess all Defense Intelligence Agency (DIA) and Department of Defense (DOD) compromised information." The resulting 2013 top-secret report, titled, "DoD Information Review Task Force-2: Initial Assessment, Impacts Resulting from the Compromise of Classified Material by a Former NSA Contractor," states, "The scope of the compromised knowledge related to U.S. intelligence capabilities is staggering."

Of course, people will argue the intelligence community would say this no matter what. The comments are imbedded in a top-secret report redacted from public consumption and, frankly, some of the direct impacts are pretty obvious to any honest and intelligent person without a political ax to grind. Is it possible the intelligence community injected this comment with the expectation it would likely be seen by the public some day? Sure, it's possible. Is it likely? Not in my opinion.

When I asked my source if he thought officers in the field were less safe, he replied, "Look, assuming we have lost field intelligence capability, then yes, the whole country is less safe. We will, if not already, see the injury and death of some who rely on the information or were somehow defended by its capability. At a minimum, our efforts led by field officers and foreign assets will be hampered in ways that are significant."

To offer some evidence of what happens when critical intelligence techniques are released, let's look closer at the NSA leaker and, yes, criminal Edward Snowden. Snowden, who was a trusted contractor, stole over a million pages of top-secret information from the NSA and the Joint Worldwide Intelligence Communications System. On June 6, 2013, the media began to publish stories that were based entirely on Snowden's leaks.

"There is no question that tactics, techniques and procedures discussed in the Snowden leaks were of great benefit to our foreign enemies," my source said. "Regardless of where you stand on the criminality of Snowden's leaks, there is no doubt that foreign intelligence services, international criminals and even jihadists have benefited from Snowden's actions." 

In The Art of War, Sun Tzu, the ancient Chinese general, military strategist and philosopher, wrote: "Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack." Secrecy stops technology from being obtained by the enemy and makes defense from its unknown capabilities difficult, if not impossible. Secrecy provides cover for activities that are vital to our national defense.

Those who advocate for the total destruction of government secrecy are advocates for the destruction of American supremacy. For more proof of what a loss of secrecy can do in a war, we need only look back at the compromise of the German Enigma machines and Japanese super-encipherment techniques during World War II. Both of these breaches in secrecy had heavy costs to these countries. If the Allies had not breached their enemies' secrecy, the outcome of the war could have been very different. Without secrecy, there is only defeat.

Muddying the attribution waters

Now let's address the elephant in the room: Attribution of an attacker. It is undeniable that cyber attribution has always been difficult. Whether a simple criminal matter or a nation-state attack, attributing and identifying who the attacker was with little doubt is critical to response, prosecution and future defense. This is especially true when a response can lead to criminal prosecution of Americans or, worse yet, potential acts of war in response to attacks.

According to a WikiLeaks post on March 31, 676 pieces of the source code files released were from the CIA's secret antiforensic group known as Marble Framework. The WikiLeaks' statement claimed, "Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, Trojans and hacking attacks to the CIA."

The release of these tools and techniques (if proven to be legitimate) casts new doubt on future investigations; claims of foreign cyber attribution for attacks, such as Russian involvement in our elections; crimes purportedly committed by political activists; and more. Any bright defense attorney or government spokesperson will be able to simply point to the release of these tools as evidence of potential alternate theories.

Now that these tools are in the wild for anyone to use, how can we ever really know who does what? Criminal convictions come from evidence beyond a reasonable doubt, and the ability to falsely attribute any action provides just that. This is one ugly result that supporters of these leaks fail to recognize.

For those who support leakers like Edward Snowden and these most recent data dumps, I hope you might consider some facts. We know for a fact that hundreds of thousands of computers were infected by the use of these NSA tools. That means that likely thousands will never see their data again. Whether it be personal pictures and financial information or business data, the loss of data is no joke and has real consequences.

We also know that this is just the beginning of potential attacks that will likely impact thousands, if not millions more in tangible ways -- not theoretical actions or violations of privacy, but real losses. I have no doubt lives have been lost where foreign organizations, who are enemies of the U.S., have eliminated those who they believed were potentially involved with the CIA based on the leaks.

While I am a huge advocate for privacy, the search for it cannot be a license to commit detrimental acts or treason against America and to cause real harm to individuals and businesses. There has to be a balance between the desperate and life-threatening need for secrecy and the need to protect the right to privacy and keeping government in check.

Next Steps

Read more on how the WannaCry ransomware worm exposed enterprise security holes

Find out why spotting a data breach requires defensive and offensive measures

Discover how mobile application assessments can benefit enterprise security

Dig Deeper on Data security and privacy