WikiLeaks to help tech firms prevent hackings
Radical transparency group offers info for defending against CIA cyberespionage tools.
WikiLeaks will work with technology companies to help defend them against the CIA’s hacking tools, WikiLeaks founder Julian Assange said Thursday. The approach sets up a potential conflict between Silicon Valley firms eager to protect their products and an agency stung by the radical transparency group’s disclosures.
In an online news conference, Assange acknowledged that some companies had asked for more details about the CIA cyberespionage toolkit whose existence he purportedly revealed in a massive leak published Tuesday.
“We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out,” Assange said. Once tech firms had patched their products, he said, he would release the full data of the hacking tools to the public.
Assange said some of the small fixes could be issued by tech companies “potentially in two to three days,” but problems that affected more critical aspects of computer codes, such as those in televisions or phones, could take a lot longer.
So far, the CIA has declined to comment directly on the authenticity of the leaked documents. On Thursday a CIA spokesman said Assange “is not exactly a bastion of truth and integrity” but reiterated an agency statement issued Wednesday that suggested the release had equipped adversaries “with tools and information to do us harm.”
Assange began his news conference with a dig at the agency for losing control of its cyberespionage arsenal, saying that all the data had been kept in one place.
“This is a historic act of devastating incompetence,” he said, adding: “WikiLeaks discovered the material as a result of it being passed around.”
Assange — who has lived in London’s Ecuadorean Embassy for years to avoid extradition to Sweden for questioning concerning sexual assault allegations — said the technology was nearly impossible to keep under wraps, or under control.
“There’s absolutely nothing to stop a random CIA officer” or even a contractor from using the technology, Assange said. “The technology is designed to be unaccountable, untraceable; it’s designed to remove traces of its activity.”
On Tuesday, after WikiLeaks posted the documents, public advocacy groups raised questions about whether the CIA was doing enough to tell technology companies about vulnerabilities in their products.
Under a practice established under the Obama administration, the government is to carefully weigh whether it’s better to hold onto a secret hacking technique or share it with manufacturers. Not disclosing it could leave U.S. systems vulnerable if adversaries come up with the same method.
“It’s simply a fantasy to believe that only the ‘good guys’ will be able to use these tools,” said Nathan White, senior legislative manager at Silicon Valley-funded Access Now. “It is critical for governments, law enforcement, technologists and civil society to have an honest conversation about the impact of government hacking in the digital age.”
Justin Cappos, a computer security professor in New York University’s Tandon School of Engineering, said any group that had this information first — whether it was WikiLeaks or a government agency — should have worked to disclose it to tech companies before making it public.
“Now we’re in a position where a bunch of companies are scrambling to put in fixes because now their users are at risk,” he said.
The leak could also strengthen tech companies’ resolve against installing socalled backdoors into their products for the government to access.
“This should be a big wakeup call that it’s really hard for anyone, even an organization with the resources of the government … to properly secure something that no one can get in and get,” Cappos said.
The documents appear to span from 2013 to early 2016. Many tactics mentioned date back years earlier.
Makers of protection software apparently defeated by CIA malware offered limited comment Tuesday, saying the issues are outdated or fixed.
Apple said in a statement Tuesday that its “initial analysis indicates that many of the issues leaked today were already” fixed in its latest mobile operating system.
“We will continue work to rapidly address any identified vulnerabilities,” it said.