Chattanooga Times Free Press

WikiLeaks aid on CIA software holes could be mixed blessing

BY ANICK JESDANUN, THE ASSOCIATED PRESS

NEW YORK — WikiLeaks has offered to help the likes of Google and Apple identify the software holes used by purported CIA hacking tools — and that puts the tech industry in a bind.

While companies have a responsibility — not to mention financial incentive — to fix problems in their software, accepting help from WikiLeaks raises legal and ethical questions. And it’s not even clear at this point exactly what kind of information WikiLeaks has to offer.

THE PROMISE

WikiLeaks founder Julian Assange said Thursday the anti-secrecy site will work with technology companies to help defend them against software vulnerabilities in everyday gadgets such as phones and TVs. In an online news conference, Assange said some companies had asked for more details about the purported CIA cyberespionage toolkit he revealed in a massive disclosure on Tuesday.

“We have decided to work with them, to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out,” Assange said. The digital blueprints for what he described as “cyberweapons” would be published to the world “once this material is effectively disarmed by us.”

Terms for disclosure, if any, weren’t immediately known. Nor was it known how much detail WikiLeaks has on specific vulnerabilities, rather than just the tools capable of exploiting them.

LEGAL QUESTIONS

Tech companies could run into legal difficulties in accepting the offer, especially if they have government contracts or employees with security clearances.

“The unauthorized release of classified documents does not mean it’s unclassified,” said Stewart Baker, a former official at the Department of Homeland Security and former legal counsel for the National Security Agency. “Doing business with WikiLeaks and reviewing classified documents poses a real risk for at least their government contracting arms and their cleared employees,” Baker said.

But it’s tough to prosecute cases involving classified documents, said Robert Cattanach, a former U.S. Department of Justice attorney. At some point, he and other experts said, courts and the administration may consider such material as having passed into the public domain.

TRUST MATTERS

But tech companies might face a bigger problem with public perception. “They don’t want to be seen as endorsing or supporting an organization with a tainted reputation and an unclear agenda,” Cattanach said.

For instance, WikiLeaks published thousands of emails, some embarrassing, from breached Democratic Party computers and the account of a top aide to Hillary Clinton during the 2016 election. Those emails were stolen by hackers connected to the Russian government, an act U.S. intelligence agencies concluded was a Russian attempt to help Donald Trump win the presidency.

“You are getting in bed with someone who is … happy to harm the interests of the United States in whatever way they can,” Baker said. “That does raise concerns of an ethical sort for companies that take their nation seriously.”

Joseph Lorenzo Hall, chief technologist with the civil-liberties group Center for Democracy and Technology, said companies would have to navigate with care and assume that any discussions will ultimately become public, given WikiLeaks’ past and “Assange’s philosophy of radical transparency.”

A BETTER PATH

Ideally, the CIA would have shared such vulnerabilities directly with companies, as other government agencies have long done. In such a case, companies not only would be dealing with a known entity in an above-board fashion, they also might obtain a more nuanced understanding of the problems than might be apparent in documents or lines of computer code.

And if companies could learn details about how the CIA found these vulnerabilities, they might also find additional vulnerabilities using the same technique, said Johannes Ullrich, director of the Internet Storm Center at the SANS Institute.

But there are risks as well. Should tech companies obtain the actual hacking tools, Ullrich said, they’d have to treat them with great caution. Some might have unadvertised features that could, for instance, start extracting data as soon as they launch.
