By Robert McMillan 

WikiLeaks has offered to give technology companies technical information on U.S. government hacking tools that target their products.

But there is already a federal program designed to do just that.

The Vulnerability Equities Process was established by the Obama administration as a way for the government to share cybersecurity flaws that intelligence agencies discover in commercial products to help companies protect their customers and businesses.

Michael Daniel, who led the process as cybersecurity coordinator from 2012 until this January, said the government has the ability to release details on computer-security flaws to relevant tech companies within "a matter of days." If the hacking tools described in the leaked documents are from the Central Intelligence Agency, as WikiLeaks claims, some security experts believe that this could very well happen.

The technical details are important to tech companies such as Apple Inc., Microsoft Corp. and Alphabet Inc.'s Google. Since WikiLeaks' release Tuesday of the nearly 9,000 documents it says came from the Central Intelligence Agency -- which described tools for hacking a range of software, smartphones and other products -- companies have been trying to determine what vulnerabilities described in the documents still exist and how to fix them. The technical information is vital for ensuring that process is effective, cybersecurity specialists say.

But it isn't clear whether the government in this case will use the Vulnerability Equities Process, known as VEP -- or indeed whether the public would know if it has. It is even possible the government already has selectively disclosed some of the security bugs described in the WikiLeaks documents.

White House representatives didn't respond to requests seeking comment Friday.

Many of the details of the VEP are classified. Mr. Daniel couldn't say how many bugs were reported through the process during his tenure, or whether any of them were provided by the CIA. He said when the government has used the VEP to provide U.S. companies with data on their vulnerabilities, it generally has involved no fanfare. "The federal government does not take credit for the vulnerabilities they discover," he said.

The VEP has been under development since 2008, but its profile rose in 2014, when the White House said the government would be "biased toward responsibly disclosing" computer bugs rather than hoarding them in stockpiles of cyberweapons. Led by the National Security Council, the VEP entails a review board that includes representatives from agencies such as the Department of Homeland Security, the Federal Bureau of Investigation, the National Security Agency and the CIA.

Several major companies, including Google, have said they believe software updates they made before the WikiLeaks release already protect users from many of the attacks the documents describe. But until the actual tools are made public, security experts say, it is impossible to say whether users are completely protected.

One Apple iOS attack described in the WikiLeaks document called "Saline" could potentially be used by hackers to run unauthorized software on an iPhone, said Rich Mogull, an analyst at research and consulting firm Securosis. According to the WikiLeaks documentation, the bug affects somewhat recent versions of Apple's iOS operating system, although it isn't clear whether it would work on the latest release of iOS.

An Apple spokesman said many of the issues described in the WikiLeaks documents have already been patched and the company would "continue work to rapidly address any identified vulnerabilities."

The tech companies face a dilemma. WikiLeaks founder Julian Assange on Thursday offered to share with them the technical details on the hacking tools described in the purported CIA documents. Since the information, if valid, is classified, that raises thorny legal and ethical issues. There is no evidence that big companies have taken Mr. Assange's offer.

WikiLeaks didn't respond to messages seeking comment. Apple and Google declined to comment on the group. Microsoft said that as of Friday neither Mr. Assange nor his organization had contacted it.

At the same time, WikiLeaks has threatened to release more information from the CIA files, and the companies don't want the technical information put out publicly.

"I do not know what the resolution to this event will be," said Dan Guido, director at hack/secure, a cybersecurity investment firm. "Nobody knows what Julian Assange is going to do and there's a lot of anxiety about how the government will respond," given the Trump administration's evolving relationship with technology companies, Mr. Guido said.

Tripp Mickle, Jay Greene and Jack Nicas contributed to this article.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

 

(END) Dow Jones Newswires

March 11, 2017 07:14 ET (12:14 GMT)

Copyright (c) 2017 Dow Jones & Company, Inc.