CIA won’t discuss breach Will WikiLeaks help tech firms?
Washington: The Central Intelligence Agency (CIA) has gone dark about the WikiLeaks dump of nearly 9,000 pages of purported US intelligence files, even as the anti-secrecy group raised the prospect of providing technology companies additional sensitive details it says it has about the agency’s hacking tools.
The CIA wouldn’t confirm Wednesday that the material came from its files, although no one is doubting they did. The CIA wouldn’t talk about whether there was any investigation underway to figure out how the material ended up on the internet for all to see. And the agency wouldn’t say whether it suspects that a mole lurking inside the CIA secretly spirited the material to WikiLeaks, or whether the CIA could have been the victim of a hack.
Still, without acknowledging any breach, the CIA warned: “The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm.”
It was the same message at the White House. “It is our policy as a government not to confirm the authenticity of any kind of disclosure or hack,” said press secretary Sean Spicer. Outside political circles, the fallout and damage to US intelligence operations was still being assessed, but causing alarm nonetheless.
The WikiLeaks disclosures were an extraordinary coup for a group that has already rocked American diplomacy with the release of 250,000 State Department cables and embarrassed the Democratic Party with political back channel chatter and the US military with hundreds of thousands of logs from Iraq and Afghanistan.
The intelligence-related documents describe clandestine methods for bypassing or defeating encryption, antivirus tools and other protective security features for computers, mobile phones and even smart TVs. They include the world’s most popular technology platforms, including Apple’s iPhones and iPads, Google’s Android phones and the Microsoft Windows operating system for desktop computers and laptops.
WikiLeaks has not released the actual hacking tools themselves, some of which were developed by government hackers while others were purchased from outsiders.
The group indicated it was still considering its options but said in a statement Wednesday: “Tech companies are saying they need more details of CIA attack techniques to fix them faster. Should WikiLeaks work directly with them?” It wasn’t clear whether WikiLeaks — a strident critic of Google and Facebook, among others — was serious about such action.
If that sharing should take place, the unusual cooperation would give companies like Apple, Google, Microsoft, Samsung and others an opportunity to identify and repair any flaws in their software and devices that were being exploited by US spy agencies and some foreign allies, as described in the material.
A message seeking additional details from WikiLeaks was not immediately returned, and an attempt to speak to founder Julian Assange at the Ecuadorean Embassy in London on Tuesday was rebuffed.
Security experts said WikiLeaks was obligated to work privately with technology companies to disclose previously unknown software flaws, known as zero-day vulnerabilities because consumers would have no time to discover how to defend themselves against their use, and with companies that design protection software. WikiLeaks has said the latest files apparently have been circulating among former US government hackers and contractors.
“The clear move is to notify vendors,” said Chris Wysopal, co-founder and chief technology officer of Veracode Inc. “If WikiLeaks has this data then it’s likely others have this data, too. The binaries and source code that contain zero days should be shared with people who build detection and signatures for a living.”
One clear risk is that WikiLeaks revealed enough details to give foreign governments better opportunities to trace any of the sophisticated hacking tools they might discover back to the CIA, damaging the ability to disguise a US government hacker’s involvement. “That’s a huge problem,” said Adriel T. Desautels, the chief executive at Netragard LLC, which formerly sold zero-day exploits to governments and companies. “Our capabilities are now diminished.”
Apple said many of its security vulnerabilities disclosed by WikiLeaks were already fixed. In a statement late Tuesday, it said its initial analysis showed that the latest version of the iOS system software for iPhones and iPads fixed many of those flaws. Apple said it will “continue work to rapidly address any identified vulnerabilities.”