The CIA should help vendors patch the flaws it was exploiting

The CIA exploits exposed this week reveal that the agency does hacking just like criminals do, including buying exploits from black-hat researchers who sell their wares on the dark web.

It’s also a demonstration of bad security on the part of the CIA, which apparently entrusted the entire portfolio to both agency employees and contractors, one of whom turned out not to be trustworthy and passed it on to Wikileaks.

A criminal investigation into who that was is underway, so the CIA is rightfully busy with that, but it should try to find time to help the vendors whose gear was exploited patch the flaws quickly. Before the leak, these attacks were not widely known. Now that they are, they have little value to the CIA, so the agency should help shore up the vulnerabilities.

Wikileaks chief Julian Assange has offered that help. He says he will reveal to the vendors involved the exploit code contained in the leaked documents. He says that information was withheld in order to prevent it from being used by criminals.

The CIA ought to do the same, since it knows exactly how all the exploits can be carried out and because as a government entity it ought to have serving the public good as a priority. At this point the public good is served best by plugging up this glut of holes.

Some have criticized the CIA for hoarding these exploits instead of disclosing them responsibly to the makers of the affected platforms so they can patch them. President Obama issued a policy that this should be done if it didn’t affect national security. That’s a big if.

The CIA is a bunch of spies, and their work is to find out secret stuff. They need tools like this to do their job, so it makes no sense to give away all their tools. If there’s a problem with the policy it’s that it seems to promise more than it actually does, not that the CIA isn’t living up to it.

Not that all of the exploits are currently feasible. Apple, the Linux Foundation and Kaspersky, for example, all say that they had already patched many of the vulnerabilities the CIA took advantage of.

That demonstrates that flaws found by one party can be independently discovered by another. As a corollary, it shows that there is always a rich research community at work trying to find vulnerabilities, so if they exist, they will eventually be found.

That’s one of the arguments against legally requiring backdoors into encryption systems that will allow vendors and service providers to comply with court orders to reveal the content of encrypted communications in plain language. Backdoors are vulnerabilities and vulnerabilities are eventually found and exploited.

The Wikileaks dump is notable in that it contains nothing about backdoors into encryption systems, something the FBI and other law enforcement agencies want so badly.

What the dump does contain are examples of how to get the content of these communications without breaking the encryption itself. The CIA uses exploits that take over the entire machine sending and receiving the communications and installs software that views messages before they are encrypted and after they are decrypted.

It’s not the equivalent of having an encryption backdoor or an escrowed encryption key that can unlock encrypted devices, but it’s a workaround for some scenarios. And it doesn’t have anywhere near the downsides that backdoors have.

The point is that this is a tool that works now for the CIA, and law enforcement, with the authorization of the courts, ought to be using it if they aren’t now.
