Espionage Act and CFAA charges levied; Joshua Schulte faces over a century in prison

A superseding indictment with several Espionage Act and Computer Fraud and Abuse Act charges has been brought against Joshua Schulte, the alleged source of the Vault 7 leak of CIA hacking tools published by WikiLeaks. Schulte, a former software engineer with the CIA’s Engineering Development Group, is accused of providing WikiLeaks with thousands of pages detailing the CIA’s software and techniques for carrying out espionage.

As the New York Times reported upon Vault 7’s initial release in March 2017, the document trove revealed previously unknown capabilities:

WikiLeaks said that the C.I.A. and allied intelligence services have managed to compromise both Apple and Android smartphones, allowing their officers to bypass the encryption on popular services such as Signal, WhatsApp and Telegram. According to WikiLeaks, government hackers can penetrate smartphones and collect “audio and message traffic before encryption is applied.”

The new charges against Schulte include several counts under the Espionage Act and the Computer Fraud and Abuse Act, each of which carries a ten-year maximum prison sentence, meaning Schulte could face over a century of prison time. We have expressed our concerns about the use of the Espionage Act and CFAA in these cases repeatedly and all of those apply just as strongly in this one.

When Schulte was arrested last year, investigators charged him with possession of child pornography, which they allege they found on his seized computer, but they didn’t charge him for the breach and disclosure at the time, even though that was the subject of the initial investigation. The appearance of child pornography charges as a pretext for detention in national security investigations is something we’ve seen before and provides an additional reason for this case to be monitored carefully.

Several observers have noted that, whatever its merits of his case, Schulte does appear to have adopted some objectively terrible operational security practices, including uploading CIA source code (some of which did indeed appear in the Vault7 leaks) to his public GitHub page. In the light of the second massive loss of US intelligence community hacking tools in a year, questions should be asked about whether it is ever justified to hoard devastating vulnerabilities when their security and use has to be entrusted to fallible humans.