The document dump by anti-secrecy group WikiLeaks that identifies alleged CIA hacking tools has reopened a vigorous debate about whether the U.S. government should secretly stockpile cyber-weapons.
Critics say the publication of source code for the CIA cyber-weapons would be a cybersecurity disaster akin to the release of anthrax from a government laboratory — and are calling for a new policy.
Defenders of U.S. policy say there is already a process in place to weigh the risks any time the government decides to keep a newly discovered software vulnerability to itself and weaponize it, rather than sharing it with the vendor so it can be fixed.
And a former White House official tells CyberScoop that U.S. agencies should be reaching out to the manufacturers of the products CIA hackers owned to help them fix the holes they have been using.
“Time is of the essence,” former White House Cybersecurity Coordinator J. Michael Daniel, told CyberScoop.
In a blog post accompanying its document dump Tuesday, WikiLeaks says it has the source code for the exploits it has published descriptions of — but said it would not release it for the time being.
WikiLeaks has “carefully reviewed” its disclosure so as to avoid “the distribution of ‘armed’ cyber-weapons, until a consensus emerges on … how such ‘weapons’ should analyzed, disarmed and published,” reads the post. The group has previously been criticized for its publication of unredacted documents — for instance the Iraq and Afghanistan “War Logs,” which contained the names of civilians who had cooperated with the U.S. military.
The CIA’s hacking armory
If the code for the several dozen highly sophisticated exploits apparently included in the leak were to be published, it would effectively throw open the doors of the CIA’s digital armory for anyone to use.
“If the information released in today’s reports are accurate, then it proves the CIA is undermining the security of the internet — and so is WikiLeaks,” said Heather West, senior policy manager for Mozilla.
The leak’s news brought immediate calls for U.S. officials to reach out to manufacturers and privately disclose technical details of the cyber-weapons — so the work of fixing them could start before they were made public.
“I sincerely hope the CIA and other government agencies are reaching out to companies in order to identify and patch any vulnerabilities that are being revealed by this leak,” Nathan White, senior legislative manager for digital rights and security advocacy campaigners Access Now, told CyberScoop.
“Regardless of what you think about the CIA using these tools yesterday, criminals will be using them tomorrow,” he added.
A former senior White House cybersecurity official told CyberScoop the government also needed to re-examine and re-engineer its process for deciding how to deal with zero day vulnerabilities that it discovered.
The vulnerability equities process, or VEP, that the U.S. government began using during the Obama administration is overdue for an overhaul, in part because so many tools have been disclosed, said Ari Schwartz, a former member of the National Security Council.
“We should have already had that re-evaluation,”Schwartz said via email. The problem of disclosure “is only increasing.”
Is the process broken?
Daniel, the architect of the VEP, insists that the process is still very “robust.”
“The system is already designed to put a thumb on the scale in favor of disclosure,” he said, adding “The default assumption was that we would disclose [zero day vulnerabilities], and that if any agency wants not to disclose, they have to make an argument as to why that should be.”
He said the possibility of future disclosure was also built into the VEP system. “We were always mindful of the fact that anything we could discover, someone else might discover as well,” he said.
“It’s easy in hindsight, once a risk has manifested itself, to say you underestimated the risk… There’s always a risk, you have to balance it with the benefit” of having the hacking tool.
But he acknowledged, “You always need to be looking at this process and and making sure the weighting is right.”
Not everyone agrees.
“Once governments become aware of a security vulnerability, they have a responsibility to consider how and when (not whether) to disclose the vulnerability to the affected company so they can fix the problem and protect users,” said Mozilla’s West.
Access Now’s White said his organization was advocating for a total overhaul of the VEP.
A global approach to Damage Control
Daniel said that, if the WikiLeaks dump was indeed genuine, officials should now be moving to control the damage.
“There’s a whole series of steps the government would have to go through,” he said, starting with the questions “Were we using these tools? Where?”
The next step, he said, would be “removing them from active service and where necessary telling partners and allies,” including the vendors of any products impacted.
“Time is of the essence,” he said, because of the speed with which hackers could convert vulnerabilities into exploits.
But he cautioned against overreaction. U.S. exploits, he said, were written for specific targets.
“Some of this stuff, because of the way that we want to operate, is highly tailored to a particular environment, which means that its exploitability is more limited.”
Some exploits might require physical access, or other exploits to be pre-positioned. Some might even rely on known, but widely unpatched vulnerabilities.
“Not all zero days are created equal,” he said. “True zero days are few and far between.”
He said unpacking the real exposure each exploit represented would require detailed analysis.
“You have to work with the vendors to understand the implications of it becoming public,” he said.
Access Now believes in a global legal framework for government hacking, with a strong presumption towards responsible disclosure.
“We need to insist on a legal framework for hacking operations that protects human rights of innocent people and leads toward greater digital security for all people,” White told CyberScoop. “The CIA aren’t the only smart people in the world and any time these vulnerabilities and exploits are stockpiled there is a risk for everyone.”
Greg Martin, CEO of cybersecurity start up JASK, and a former technical advisor to the FBI and U.S. Secret Service, agreed. “That is part of a larger conversation about if and how we can regulate cyber weapons and their proliferation” at a global level, he said, highlighting the danger that non state actors like terrorist groups might get cyber weapons.
But Contrast Security CTO Jeff Williams disagreed. “The right path forward is not to focus on ‘cyber arms control,’ which will never work,” he told CyberScoop.
“We need a massive increased focus on writing secure code,” he continued. Writing secure code is “not impossible. It’s not even that difficult. But we have to change the incentives in the software market, which currently don’t encourage writing secure code.”