On March 7, WikiLeaks published several thousands of pages of documents detailing software used by the United States Central Intelligence Agency (CIA) to break into all kinds of digital devices. One program called "Wrecking Crew" details how agents can crash a targeted computer, whereas another tool focuses on the theft of passwords using Internet Explorer's auto-complete feature. Other utilities describe exploits for Android and Apple mobile phones as well as for smart television sets.
To a certain extent, The New York Times is right to have called the leaks, which are collectively nicknamed "Vault 7," a "serious blow" to the CIA. But the impact of the leaks extends beyond the Agency. CIA Director Mike Pompeo articulated this viewpoint in an address to the Center for Strategic and International Studies when he labeled WikiLeaks a "non-state hostile intelligence service often abetted by state actors like Russia."
"The truth of the matter is that the breach of the CIA’s attack tools not only placed the U.S. at a deficit in our offensive cyber capabilities, it has threatened the world’s most critical businesses, organizations and national security peace of mind. To echo Pompeo’s statements, we are now all more vulnerable."
Sound familiar? It should. After all, it's only been a few years since national security officials voiced those same concerns after Edward J. Snowden gave National Security Agency documents to journalists. This leak is different in that the exposed documents don't include examples of how the agents used the tools against foreign targets, which The New York Times notes could limit the leaks' effects on U.S. national security. But the FBI will spend much of its investigation into the CIA breach examining how WikiLeaks obtained the documents. For example, it will look to see if a foreign agent recruited an insider to perpetrate the leaks or if a CIA employee exposed the hacking tools on their own accord.
Between Snowden and now the CIA breach, the intelligence community has an ongoing problem with insiders exposing sensitive information. Government entities can shore up their IT security by reallocating spending to remediation and detection as well as investing in automated security systems. But as Venafi pointed out after the Snowden leaks, organizations in the public sector also need to increase (or establish) their awareness of their encryption keys and certificates.
Around the time of the Snowden leaks, the Ponemon Institute surveyed 2,300 large organizations and reported that these organizations have, on average, more than 17,000 keys and certificates in their core infrastructure alone. This number doesn’t include mobile apps or the SSH keys that administrators use to access systems. Ponemon also reported that 51% of organizations don’t know where and how these keys and certificates are used. Unfortunately, industry experts agree this number is grossly underreported.
Has anything really changed since Snowden? If anything, the number of keys and certificates managed by organizations has grown in the last three years. Therefore, if organizations haven't worked to improve control of their keys and certificates, they are still vulnerable to attackers abusing trusted status to evade detection.