One example of how the WikiLeaks Vault 7 dump was both terrifying and powerful can be found in a recent critical warning issued by Cisco Systems, the manufacturer of network devices found in most corporate and industrial networks today.

The warning announced that more than 300 models of Cisco switches contain a lethal vulnerability that allows the CIA to remotely execute malicious code and take full control of the devices. There currently is no way to stop the CIA from doing so.

I am quite sure that this problem is not limited to Cisco, but applies to HP, Huawei, Ericsson, Nokia, and the other network product manufacturers that constitute the other 40 percent of the switch market.

The documents that were stolen from the CIA and passed to WikiLeaks describe how remote hackers can gain special privileges, and then execute a malware attack that assumes full control of the network and all associated applications, databases, and systems running thereupon. This of course means that an attacker can steal all information that runs across that network, regardless of source. Your personal identification, health and financial information, bank balances, historical browsing preferences, and more are all vulnerable to a cyberattack of this nature.

Importantly, this vulnerability is also found in industrial network switches and embedded services, which means attackers can take over manufacturing and process control operations at places like power grids, oil pipelines, and nuclear reactors. These vulnerabilities pose a far greater potential impact on our lives than hacks related to personal information, as they can affect the proper operation of our critical infrastructure. And, while Julian Assange may not be your favorite international villain, he has done us all a favor with both the release of this information and his vow to disclose the details privately to manufacturers so they can put a fix in place before the vulnerabilities become widely known.


The malware, once installed, provides a range of capabilities including data collection and extraction, hidden command execution, network traffic redirection, manipulation and modification, domain name poisoning, and other advanced malware behavior. This indicates that the authors are sophisticated and have spent considerable effort making sure their product remains hidden from detection and that it won’t cause the network to crash or misbehave.

This release, and Cisco’s inability to respond in time to prevent serious breaches across the installed base, is indicative of the size of the problem that covert intel cyberwarfare has created for businesses, citizens, and organizations of all stripes in this digitally connected age. If we continue to spend extravagant amounts of money to defend against cyberattacks from bad guys around the world while our own government is, intentionally or otherwise, working at cross-purposes, then the whole cybersecurity industry begins to resemble a Kafkaesque play.

In the private sector alone, we spent more than $400 billion in 2016 on cyberdefense while incurring over $550 billion in losses related to cybercrime. Those numbers are higher than the national income of most countries and governments in the world. Yet we are battling largely against open back doors, unknown and unpatched vulnerabilities, and gaping holes in our leading vendor-supplied computer products. The problem is so widespread and common that we even maintain a list of these things called CVEs, and the list is sponsored, perhaps ironically, by the Department of Homeland Security.

The goal of the CVE (common information security vulnerabilities and exposures) list is to make it easier to share data across separate vulnerability capabilities (software, hardware, etc.), so that defenders (banks, hospitals, retailers, hotels, etc.) can know which products need patching and where.


Now, with the fresh understanding that our own intelligence agencies have been aware of these vulnerabilities for years, it seems faintly surreal that, after creating an arsenal of sophisticated attack information, they would fail to secure it properly and prevent it from being passed around.

While WikiLeaks just tweeted that it had contacted Apple, Microsoft, Google, Mozilla, and others to help protect users against CIA malware, responding has become a significantly complicated task for tech companies.


Most of the firms affected have not agreed with, disagreed with, or commented on WikiLeaks’ disclosure, as many, if not all, of them have conflicts of interest due to their classified work for U.S. government agencies. It is now understood that some of these companies have legal experts studying whether they could be prosecuted for working with any of the alleged CIA hacking tools WikiLeaks shares. It turns out that even viewing WikiLeaks’ material will at least pose a risk to government contractors.

I don’t know about you, but I am torn between shock at the infinite loop into which the CIA has cast these companies, who provide the main global infrastructure components for all things computing, and anger at the government contracting laws that create this “gotcha” problem for any company that wants to actually use the WikiLeaks dump to fix its vulnerabilities.

Come on, President Trump. The runway’s getting shorter every day.

Steve King is the COO and CTO of Netswitch Technology Management.