On March 7, 2017, Wikileaks released the first in a series of leaks that they claim are documents from or pertaining to the U.S. Central Intelligence Agency (CIA). The leaks describe many “zero-day” exploits held by the CIA. A zero-day vulnerability is a flaw in a product that the vendor does not know about, so no patch exists for it; a zero-day exploit is code that uses such a flaw to compromise the product, and until the vendor learns of the flaw and ships a fix, every user remains exposed. According to Wikileaks, the documents contain “weaponized exploits against a wide range of U.S. and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”
The first thought that came to my mind when reading the multiple reports of the severity of the leaks was: why hadn’t our government alerted the manufacturers to these vulnerabilities so they could be fixed? The issue comes down to two competing goods, protecting the public’s privacy and protecting the public’s safety. For instance, the CIA using these weaponized exploits to gather intelligence breaks U.S. privacy laws. Beyond that, as reported by Vindu Goel and Nick Wingfield, President Obama promised tech companies after the Snowden leaks, to ease tensions, that the government would disclose most of the vulnerabilities it discovered to the affected vendors rather than stockpile them.
If the government were to discover a faulty airbag system, we would expect the government to alert the public and mandate a corrective action due to public safety concerns. Why would we not demand the same disclosure of discovered security and privacy concerns in the digital realm?
This issue becomes all the more serious if you realize that there are many more actors, some of them malicious, out there trying to find such exploits.
— Edward Snowden (@Snowden) March 11, 2017
In a recent paper, titled Taking Stock: Estimating Vulnerability Rediscovery, Trey Herr and Bruce Schneier of Harvard University break down the statistical probability that more than one party independently discovers the same vulnerability. They also find that the longer a vulnerability goes unpatched, the more likely it is to be rediscovered by someone else. The study concludes that “one in five vulnerabilities are rediscovered, and overall the rate is higher than 10%.” Wouldn’t you want your government to step in and mitigate an issue it has knowledge of, given the greater than 10% likelihood that someone else already holds the same knowledge and could use it against you?
This sharpens the moral conundrum the intelligence community faces: even though it can use these vulnerabilities to its advantage (breaking laws and promises in the process), so can other, malicious actors, because a flaw left unpatched is available to whoever finds it. Now there is data to back that up.
Even though many U.S. officials have called Wikileaks an arm of the Russian government, it is Wikileaks, not our own government, that has stated it wants to work with tech companies to mitigate these exploits and strengthen their products’ security. Julian Assange, in an online press conference, stated:
Wikileaks does have a position – we want to secure communications technology because without secure communications technology journalists are not able to effectively hold the state to account…Apple and Dell and so on are all based in the United States where it’s understood that the U.S. government is breaching previous promises that is [sic] made which is to tell [US] industry about these vulnerabilities – then it starts to look like that the U.S. government and US industry is in cahoots and then you can’t trust any exports from United States…We have decided to work with [the tech companies], to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out.
Wikileaks has yet again put the U.S. government in a moral dilemma. Does it honor the laws and the promises made to the American people and to U.S.-based companies, or does it continue to exploit damaging information and mislead the American people for its own perceived benefit?