Wikileaks’ seismic Vault 7 release didn’t follow the usual Wikileaks procedure: perhaps in response to earlier criticism, the organization redacted many of the files prior to their release, cutting names of CIA operatives and the source code for the cyber-weapons the CIA had developed, which exploit widely used mobile devices, embedded systems, and operating systems.
Wikileaks has offered to share the source code for those exploits with tech companies whose products were compromised, so they can develop patches for the underlying vulnerabilities. This is in line with the idea of “responsible disclosure”: the security research community has had a lively, long-running debate on the best way to disclose vulnerabilities that could put users at risk. Companies typically want to have any vulnerabilities handed to them under permanent nondisclosure, but security researchers who’ve entered into such arrangements have been frustrated to discover that the companies then squat on their research, continuing to put users at risk and using the nondisclosure agreement to gag the security researcher.
More common now is a kind of “ticking bomb” scenario, in which researchers hand over a vulnerability and promise a certain period of confidentiality before going public (some will even disclose the vulnerability after first securing publication in a journal or a slot to present at a conference, to add to the pressure on the company to disclose). Other times, security researchers go public without giving the company time to patch, either because they lack confidence in the company, or feel that it is better for users to understand the risk (and perhaps shut down or disconnect vulnerable systems) than to have them wait for the vendor to issue a patch (Google has repeatedly disclosed serious Microsoft operating system vulnerabilities in this way).
Though many debate the proper ethical framework for disclosure, the legal questions of disclosure are much more settled: in general, saying true things about defects in products is always, always legal. No one is the custodian of bad news about defective products — especially not those products’ manufacturers, who are, to say the least, conflicted about any release.
There is one area, though, in which companies get a veto over disclosure of their mistakes: that’s in the ever-expanding realm of DRM-equipped devices. Courts have taken the attitude that the laws that ban breaking DRM also ban disclosing defects in DRM, lest those defects be exploited to bypass the DRM altogether. This is one of the real hazards of the addition of DRM to web standards, presently underway at the World Wide Web Consortium.
Incredibly, the W3C has mooted turning this accidental right to censor bad news about defective products into a feature, announcing voluntary guidelines for its members to consult before deciding whether to legally destroy security researchers who make accurate disclosures about defects in their products.
One thing the Vault 7 release demonstrates is that security vulnerabilities that aren’t fixed are instead weaponized. Everything the CIA is doing is also being done by other governments and by criminals, who are exploiting the same undisclosed bugs — kept secret by the CIA in the name of American security — to attack Americans. The idea that keeping a vulnerability secret will keep it from being exploited is nonsense: what one researcher discovers will be rediscovered by others, and the only proof against exploitation is disclosure and patching.
“We’ve seen Julian Assange’s statement and have not yet been contacted,” a Microsoft spokesperson told WIRED. “Our preferred method for anyone with knowledge of security issues, including the CIA or Wikileaks, is to submit details to us at secure@microsoft.com so we can review information and take any necessary steps to protect customers.” Other tech companies WIRED contacted did not immediately respond.
“I will believe that when I hear independent confirmation,” Jake Williams, founder of the threat intelligence firm Rendition Infosec, said of Assange’s promise. “This sounds like pure hype to me.”
It’s also possible that tech companies already have access to the information in question. The CIA has reportedly been aware of the leak for a few months, and White raises the possibility that the agency had already begun notifying tech companies about vulnerabilities described in the stolen data.
Psst, Silicon Valley. WikiLeaks Wants to Help You Fight the CIA [Lily Hay Newman/Wired]