WikiLeaks’ release on Tuesday of a massive cache of data describing CIA hacking tools has renewed a debate over how well the U.S. government balances the protection of Americans’ cybersecurity against the need to protect national security.
Some of the tools, the anti-secrecy group said, are based on “zero-day” flaws — or previously unknown software bugs — for targeting iPhone and Android devices.
“At a time of increasingly damaging hacking by cybercriminals and governments, it’s essential that U.S. agencies not undermine the security of our digital systems,” said Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy and Technology Project. “These documents, which appear to be authentic, show that the intelligence community has deliberately maintained vulnerabilities in the most common devices used by hundreds of millions of people.”
He added, “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”
To date, WikiLeaks has not released actual source code for the exploits, or the tools built to take advantage of the flaws, although security experts who have reviewed the internal documents say descriptions of the exploits may be detailed enough to recreate source code.
But former Obama administration cyber officials take a more tempered view. “The idea that there’s an operational need for the CIA to target Apple and Google overseas shouldn’t surprise anybody, given the pervasiveness of the Android and iPhone,” said Rob Knake, a former White House cyber official who left the administration in 2015.
Obama administration officials established a policy in early 2014 that called for agencies including the CIA, the National Security Agency, the FBI and the Secret Service to submit software flaws they discovered or purchased for review by all the agencies with an interest in their use or disclosure.
The policy is called the “Vulnerabilities Equities Process,” and it is not designed “to disclose all vulnerabilities,” Knake said. “The policy is not unilateral disarmament of the United States.”
Former officials could not comment on whether the CIA disclosed the specific vulnerabilities cited in the WikiLeaks cache, but in general, they said, all the agencies, including the CIA, participated in the process.
Michael Daniel, the former top cybersecurity adviser to President Barack Obama, said that while officials would “weigh very heavily toward disclosure” a software flaw found in an Apple or Microsoft or other widely used product, “there’s no hard-and-fast rule that says because this is in an Apple system, we must disclose it.”
The “default assumption,” he said, is disclosure.
But in a minority of cases, he said, the government will opt to keep the flaw secret so it can continue to be used in hacking operations. “You might have a vulnerability in a system that is not widely used in the U.S., or it might be the only way we know of to get access to certain kinds of networks,” he said.
Even if a decision is made to withhold information about a flaw, the policy requires that the decision be periodically reviewed, he said.
Others were dismayed at what WikiLeaks exposed.
“The CIA reports show the USG [U.S. government] developing vulnerabilities in U.S. products, then intentionally keeping the holes open,” tweeted Edward Snowden, the former NSA contractor who in 2013 released documents about widespread government surveillance. “Reckless beyond words.”
One of the documents shows that the CIA purchased some of its tools to exploit flaws, and some were bought by the NSA and shared with the CIA.
Under the Obama-era policy, an agency buying information about a flaw must agree to submit it to the vulnerabilities review, Daniel said. But if an agency has bought a hacking tool without the rights to the underlying flaw, it may not be able to do so, he said.
A case in point involved the FBI, which last year paid hundreds of thousands of dollars for a solution to crack an iPhone that had been used by a terrorist in the San Bernardino, Calif., mass shootings in 2015.
“As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones), they will not be fixed, and the phones will remain hackable,” WikiLeaks said in a news release.
On Tuesday, technology firms were scrambling to review the documents to determine which, if any, of the security flaws mentioned might still exist. Apple spokesman Fred Sainz said in a statement, “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities.”
The CIA data dump, coming on the heels of a massive breach of NSA hacking tools last year, underscores the importance of the vulnerabilities review process in a new administration, said Ross Schulman, senior counsel at New America’s Open Technology Institute, a think tank. He noted that the review policy “existed by the grace of the Obama administration.”
Trump cyber officials have indicated that it will continue, he said. But there’s no law requiring the review, and critics have said it could have stronger transparency requirements.
“Congress ought to pass a law saying that something like the [Vulnerabilities Equities Process] ought to exist,” Schulman said.
Devlin Barrett and Elizabeth Dwoskin contributed to this report.