WikiLeaks
Part 7 - How the CIA dramatically increased proliferation risks
In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most commercially valuable part of "Vault 7" — the CIA's weaponized malware (implants plus zero-days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse.
The CIA made these systems unclassified.
Why the CIA chose to make its cyber arsenal unclassified reveals how concepts developed for military use do not easily cross over to the 'battlefield' of cyber 'war'.
To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. Nor can the U.S. government fall back on copyright: under U.S. copyright law (17 U.S.C. § 105), works produced by U.S. government employees are not eligible for copyright protection. This means that cyber 'arms' manufacturers and computer hackers can freely "pirate" these 'weapons' once they are obtained. The CIA has therefore had to rely primarily on obfuscation to protect its malware secrets.
Conventional weapons such as missiles may be fired at the enemy (i.e. into an unsecured area). Proximity to or impact with the target detonates the ordnance, including its classified parts. Hence military personnel do not violate classification rules by firing ordnance with classified parts: the ordnance will most likely explode, and if it does not, that is not the operator's intent.
Over the last decade U.S. hacking operations have been increasingly dressed up in military jargon to tap into Department of Defense funding streams. For instance, attempted "malware injections" (commercial jargon) or "implant drops" (NSA jargon) are being called "fires", as if a weapon were being fired. However, the analogy is questionable.
Unlike bullets, bombs or missiles, most CIA malware is designed to live for days or even years after it has reached its 'target'. CIA malware does not "explode on impact" but rather permanently infests its target. In order to infect a target's device, copies of the malware must be placed on the target's devices, giving the target physical possession of the malware. To exfiltrate data back to the CIA, or to await further instructions, the malware must communicate with CIA Command & Control (C2) systems placed on internet-connected servers. But such servers are typically not approved to hold classified information, so CIA command and control systems are also made unclassified.
A successful 'attack' on a target's computer system is more like a series of complex stock maneuvers in a hostile takeover bid, or the careful planting of rumors in order to gain control over an organization's leadership, than the firing of a weapons system. If there is a military analogy to be made, the infestation of a target is perhaps akin to the execution of a whole series of military maneuvers against the target's territory, including observation, infiltration, occupation and exploitation.