Published by The Lawfare Institute
in Cooperation With
There are two real stories involving the CIA data dump by Wikileaks, neither of which is about the actual documents themselves. The first is that somebody managed to exfiltrate the data from the CIA in the first place, but the second still seems unappreciated: Wikileaks once again successfully hacked the media, shaping discussions into deliberately deceptive ways.
How many articles did you read about the CIA “hoarding zero days”, with “24 Android exploits”? How many breathless pieces about how the “CIA will frame others by recycling their malcode”? That the CIA is “breaking Signal”? Or that CIA can “spy on you through your Samsung TV”?
How many of those stories mentioned that most of the Android “zero days” referenced were anything but, instead documentation on old exploits for out of date devices? Or that the CIA malcode reuse is not about a “false flag” operation but instead
lazy efficient programmers taking advantage of existing code? Or that the “breaking” of Signal is equivalent to saying “I broke Signal” when I look over your shoulder as you type? Or that the CIA’s TV bug requires physical access? These critical caveats change the stories completely.
Wikileaks actually has a very strange track record of credibility. There is no indication yet that they have deliberately manipulated documents (apart from one case of suspicious exclusion) and, more surprising, no indication that someone else has successfully tricked them into distributing false information. Wikileaks relies on this, as it means that the press will trust the content. Yet Wikileaks’s own statements are rightly viewed as completely untrustworthy.
Consider Wikileaks’ framing of the claim that “the CIA had 24 "weaponized" Android "zero days.” A study of the actual document in question shows that most exploits target old Android: version 4.4 or earlier, which was considered insecure back in 2016 when these documents were stolen. Old Android doesn’t meet the security requirements of a teenager, and to claim that such exploits are weaponized zero-days is patently false. One of the claimed “zero-days” targeted Android 2.3.6, a version dating back to 2011!
By dumping a massive amount of data at once, Wikileaks simply overwhelmed the press and ensured that reporters couldn’t process the data. Wikileaks created a race: everybody suddenly had a copy of the data and an immediate pressing urge to report something. A few reporters, notably Ellen Nakashima at the Washington Post, did it right. She knew multiple experts who would be looking at the data, reached out to contact them, and reported what was discovered.
But most other reporting on the leak proved abominably bad, including the New York Times, which initially lead with a “CIA Breaks Signal” slant. In the hurry to get articles out, they simply trusted Wikileaks’ “analysis” of the documents, which was deliberately deceptive and required expertise to uncover.
And this is consequential, especially right now as we grapple with the flood of “fake news” and “alternative facts.” As we’ve seen in recent months, misleading reporting can have serious and negative effects—more now than ever that the President of the United States routinely sends out provocative tweets on the basis of news stories of uncertain reliability. This isn’t just speculation: mainstream reporting on the CIA’s malcode reuse laid the groundwork for conspiracies that “Wikileaks showed that the CIA will frame the Russians for hacking,” not just on Twitter but on right-wing websites as well. It is outright dangerous when the President’s leading “news” source endorses such statements and the President’s son then retweets the logical extension that the CIA, not Russian Intelligence, hacked the DNC. This disinformation might have spread even without the assistance of poor reporting on Wikileaks by major outlets, but the Times and others certainly didn’t help matters.
I’ll continue to attempt to help reporters when such data dumps happen, trying to keep them focused on the real stories in such large data dumps. But the press needs to understand the real story: they were the ones hacked.