A cloud of uncertainty hangs over a cohort of private companies that hope to receive software vulnerability information from WikiLeaks, according to top national security lawyers.
“The law is unsettled as to whether tech companies can receive stolen, classified information from WikiLeaks for the purpose of patching security vulnerabilities that the CIA has allegedly been exploiting,” said Edward McAndrew, a former federal cybercrime prosecutor in the U.S. Attorney’s Offices for the Eastern District of Virginia.
The transparency organization published thousands of internal, classified CIA documents two weeks ago in an effort to highlight apparent contradictions between how the U.S. government values digital espionage capabilities over the security and privacy of private technology companies.
In a press conference live-streamed to Twitter on March 9, WikiLeaks’ Julian Assange claimed he would work with affected technology companies by privately providing them with executable code and other technical details that had been redacted from the document dump, known as Vault7.
For companies, any cooperation with Assange carries a risk.
“A number of federal laws — including the Espionage Act and the Computer Fraud and Abuse Act — criminalize the publication, other dissemination, and in some instances receipt of classified information,” said McAndrew, the now co-chairman of law firm Ballard Spahr’s privacy and data security practice.
Two different D.C.-area government contractors who hold security clearances and spoke with CyberScoop on condition of anonymity said they had not and do not plan to review WikiLeaks’ CIA documents. They fear damaging their relationships with U.S. intelligence community contacts, they said, and generally view the WikiLeaks material as useless. The CIA has not confirmed the documents’ authenticity.
“First off, and this is just based on the news I have seen, what [WikiLeaks] published is unsurprising, old material. It’s far from groundbreaking and I don’t see how reading that would realistically help me anyway,” said one contractor. “Spies spy. That is what they do … these documents don’t show some sort of sweeping surveillance program. This isn’t Snowden, OK?”
The contractor continued, “at this point, I think people are just hesitant to talk about it and to read it because there isn’t any upside. I mean you tell me, what’s the upside here? Most of these supposedly exploits were patched years ago … this will fade in a week or two.”
Until now, WikiLeaks has been largely unable to engage with the affected technology firms to provide them with any material, CyberScoop previously reported. One of the reasons may be that companies are worried about the legal and potential business repercussions involved in accepting stolen, government documents from the controversial group.
“It’s probably legal for most people to read the Wikileaks materials. But as I tell my clients when they get their first security clearance, ‘Congratulations. You now qualify for criminal prosecution under a whole new set of laws.’ This is a problem mainly for people and companies that have security clearances,” said Steptoe & Johnson LLP partner Stewart Baker. “Unfortunately, that’s a lot of people and companies.”
Jeff Greene, senior director for global government affairs and policy at Symantec, said he had not seen the CIA documents published by WikiLeaks even though his employer was mentioned in the leak.
Greene — a former senior counsel for the Senate Homeland Security and Governmental Affairs Committee — said he would not review the material because he still holds a security clearance.
“I mean yeah, I am curious, but that’s just not something I am going to mess with,” Greene said. “It’s just that simple.”
Baker explained that “parts of the government realize it’s dysfunctional to prevent security firms from reviewing the leaked materials to devise protective software, but finding a way to reassure contractors that they won’t get in trouble for doing so is proving to be complicated.”
More than 15 different technology companies are mentioned in various contexts in the CIA files, including Apple, Microsoft and Samsung in addition to a contingent of cybersecurity firms.
“It is illegal to steal classified information and illegal to disclose it if you have signed a nondisclosure agreement. But it’s not illegal to posses it if you have not been a party to stealing it,” said national security lawyer Sheldon Cohen. “The problem Apple and these other companies have is that they all have contracts with the government to do classified projects which the government could put in jeopardy if they took Wikileaks information and held on to it or used it without authorization.”
Avira, Comodo and BitDefender’s products are also discussed in the leaked documents under a section labelled “AV defeated,” which contains some information about how operators can bypass different anti-virus protections used by a target. Regardless of Assange’s promise though, all three of these companies have not been contacted by WikiLeaks.
Initial contact was reportedly made between WikiLeaks and several of the more high-profile tech companies named in the CIA documents, including Microsoft and Apple.
“We have not negotiated with Wikileaks for any information,” a statement released by Apple on Thursday night reads, “we have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain.”
Vice’s Motherboard reported last week that Assange sent emails to Apple, Google and Microsoft, but instead of reporting the bugs or exploits found in the leaked CIA documents, WikiLeaks made several demands. The transparency organization reportedly wanted companies to agree to a set of terms that included, among other things, a 90-day disclosure policy.
“If I were the attorney advising a tech company, especially an American one, I would absolutely decline to engage in any substantive involvement with Wikileaks, much less agree to any demands it may present,” said national security lawyer Mark Zaid.
WikiLeaks claims it received the trove of classified documents from a disgruntled defense contractor. The FBI is now conducting an investigation into who stole the material and how it was provided to Assange’s outfit.
“Wikileaks is not an ally of American tech companies and there is existing evidence from our Intelligence Community that it is aligned or engaged in some manner with the Russian Government,” Zaid said. “The proper course of action would be to engage directly with the USGOVT in assessing vulnerabilities and creating levels of cooperation.”
If the Trump administration chose to pursue prosecutions — under espionage laws— of tech companies for receiving WikiLeaks’ stolen information, it would need to prove an intent to harm national security interests or to aid a foreign government, according to McAndrew. And that’s where it where it could get dicey for both sides, because intent is generally a question for a jury.
Baker, however, said it will likely never get that far in the courts.
“The idea of a criminal prosecution here is so implausible as a practical matter that it may well be enough, especially if the government signals, as it should, that it supports companies reviewing the documents for cybersecurity purposes,” said Baker, who helped create the Homeland Security Department’s Policy Directorate.
On Thursday, WikiLeaks published additional material it says came from the CIA. The newly released documents detail outdated hacking techniques and methods allegedly used by the spy agency to break into older versions of Apple’s Mac and iPhone.
After publishing the first package of documents two weeks ago, Assange said that WikiLeaks had only shared “1 percent” of the CIA material it obtained.