WikiLeaks Will Help Tech Companies Fix Security Flaws, Assange Says
“We have decided to work with them to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out so people can be secured,” Mr. Assange said.
The companies reacted cautiously to the WikiLeaks offer, saying there could be legal complications in accepting classified information stolen from the government. Sean Spicer, the White House press secretary, advised the companies to seek legal advice before accepting the leaked code.
“I do think that I would check with the Department of Justice in particular about if a program or a piece of information is classified,” he said at a press briefing. “It remains classified regardless of whether or not it is released into the public venue or not.”
Microsoft suggested in a statement that it did not want to be seen as collaborating with WikiLeaks, declaring dryly that its “preferred method for anyone with knowledge of security issues, including the C.I.A. or WikiLeaks, is to submit details to us at firstname.lastname@example.org.” Microsoft, Apple and Google all said that some of the C.I.A. attacks had targeted old versions of their software and would be blocked by recent updates.
WikiLeaks’ reputation was marred in some circles by its previous splash in the news, the release last year of emails from Hillary Clinton’s presidential campaign that were believed to have come from Russian government hackers. Now Mr. Assange, who once worked as a computer security specialist, insists that his goal was to safeguard the privacy of everyone’s communications from the intrusive gaze of the C.I.A.
“Why has the Central Intelligence Agency not acted with speed to come together with Apple, Microsoft and other manufacturers to defend us all from its own weapons systems?” he asked.
The C.I.A. issued an unusually lengthy response, emphasizing that any spying it does is restricted by law to foreigners and foreign countries, with Americans off limits.
“As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity,” the C.I.A. statement said. “Despite the efforts of Assange and his ilk, C.I.A. continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”
With his offer, Mr. Assange was inserting WikiLeaks into a strained relationship between the government and Silicon Valley, where some executives believe their products’ reputations are endangered by aggressive American espionage efforts.
The Obama administration addressed this conflict by setting up a formal review process for technical vulnerabilities that the government discovered — or purchased from hackers.
When an intelligence agency or the F.B.I. wanted to make use of a major chink in a company’s technological armor, it first had to get approval through a committee organized by the White House. At a sort of court of vulnerabilities, intelligence agencies argued for using the flaw for surveillance, while other officials made the case for revealing it to Apple, Microsoft, Google or some other firm.
“The default position was to disclose the vulnerability,” said Michael Daniel, the cybersecurity coordinator at the National Security Council under President Barack Obama, who ran the process. Last year, the administration said in congressional testimony that over 80 percent of vulnerabilities discovered by the government had been revealed to the industry.
But there were moments, Mr. Daniel said on Thursday, when the committee he assembled judged that it was in the national interest to keep secret a “zero day” flaw — so named because the target would have zero days of notice that there was a vulnerability. That would give the National Security Agency, the C.I.A. or the F.B.I. time to exploit it.
Not all of the flaws revealed in the new WikiLeaks trove of C.I.A. documents would necessarily have gone through this process, and the committee would not have reviewed the “tools,” or software techniques, used to exploit a vulnerability. But Mr. Daniel said that “all the appropriate agencies, including the C.I.A., participated in this process.” That suggests that using at least some of the vulnerabilities exposed by WikiLeaks would have required White House approval.
A new RAND Corporation study concludes that these “zero day” exploits, and the vulnerabilities they are based on, last longer than most thought. It found that the average vulnerability had a “life expectancy” of 6.9 years before it became useless to hackers.
Brian White, the chief operating officer of RedOwl Analytics, a cybersecurity firm, said the companies were caught between conflicting pressures, especially if some of their employees have security clearances to work on government contracts.
“If you are holding a security clearance and you engage in the movement or sharing of this data, you could have your clearance revoked,” he said.
But he said that companies like Apple and Google also had a responsibility to their shareholders and customers to make their products as safe as possible. “The likelihood of prosecution is much less important than understanding any vulnerability in their products,” he said.
In addition to the legal quandary, dealing with Mr. Assange, a mercurial personality who is considered a criminal by some people and a hero by others, is fraught with political complications.
While WikiLeaks has often been criticized for releasing sensitive data without regard for the consequences, Mr. Assange is acting responsibly this time, said Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society. WikiLeaks redacted the actual computer code for C.I.A. exploits from its initial release to avoid spreading such cyberweapons.
“He is trying to do the right thing,” Ms. Granick said.
She said that the legal risk to companies using the leaked information to fix their products is minimal, but that the government could make it easy by sharing more information about the vulnerabilities directly with the companies.
Paul Kocher, a cryptographer who was previously an executive at the chip company Rambus, said that helping companies patch security holes was accepted practice in the industry.
“There are lots of things at WikiLeaks that are ethically questionable,” Mr. Kocher said. “But the normal thing to do if you come across vulnerabilities, regardless of who’s using them, is to help them get fixed.”