WikiLeaks published new information thought to be from the CIA in mid-November, releasing source code from a tool known as “Hive,” which allows operators to control malware. The dump, dubbed Vault 8, marked the first time WikiLeaks has released source code for a CIA spying tool.
In a post on its website, WikiLeaks said: “This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components. Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks' earlier Vault 7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others.”
Over the past several months, WikiLeaks has released information detailing the extent and sophistication of the CIA’s offensive cyberspace efforts. Despite countless hours searching, investigators still don't know who is behind the CIA leaks.
While the CIA hunts for the source of their breach, the NSA has fared no better. The Shadow Brokers, who have previously released NSA hacking tools for anyone to download, continue to flummox investigators. After more than a year of searching, we still don't know who the Shadow Brokers are. The massive and ongoing breach of the NSA sometime in 2016 (we think) might be the work of the Russians, the North Koreans, a trusted insider, all three, or some other as yet unknown actor. The recent New York Times feature story highlights just how disastrous these leaks have been to the NSA’s morale, as well as our global cybersecurity efforts.
The fact that 15 months of investigations into our premier spy agencies by some of the brightest forensic and spy hunting minds on earth has turned up nothing should keep us up at night. It also demonstrates that the United States has fallen behind our adversaries in cyber warfare and espionage. We've focused so much of our time and attention on offensive cyber capabilities — attacking — that we’ve left the walls that defend us unmanned and shot full of holes.
Cyber intelligence work requires we gather information clandestinely — without alerting our adversaries we've compromised their computers, while preventing those adversaries from doing the same to us. Whichever side “wins” in this equation beats the other in the global cyber war. The United States has been losing.
In 2013 Edward Snowden's treachery and (for all intents and purposes) defection to Russia caused the NSA to scrap countless operations and start over. A few years later, the Shadow Brokers knocked the NSA back to square one again.
In at least the NSA case, and quite possibly the CIA's breach as well, I believe the attack must have had assistance from a trusted insider — a rogue employee or recruited spy who burned the agencies from within.
In the NSA's case, I don't believe the claim that the insider was corrupt hoarder Harold Martin, a former contractor for Booz Allen Hamilton who has been accused of stealing approximately 50 terabytes of data from the NSA. But the NSA has not found a mole within its ranks who is behind (or has assisted with) the Shadow Brokers' breach, and it may be years before one is uncovered.
It took the FBI nearly two decades to find Robert Hanssen, arguably the worst spy in U.S. history. Hanssen spied for the Russians from within the FBI for nearly 22 years before we caught him. Catching a trusted insider requires patience, diligence and plenty of time. In the case of the NSA and CIA, we may not have that time.
The primary lesson to be learned from the NSA and CIA breaches is that we cannot focus so heavily on our ability to attack that we forget to defend, especially when our adversaries are using our own stolen weapons against us.
Eric O'Neill is a former FBI counterintelligence operative and current national security strategist at endpoint security firm Carbon Black.