WikiLeaks Prods Government System for Sharing Cybersecrets With Companies
March 11 2017 - 7:29AM
Dow Jones News
By Robert McMillan
WikiLeaks has offered to give technology companies technical
information on U.S. government hacking tools that target their
products.
But there is already a federal program designed to do just
that.
The Vulnerability Equities Process was established by the Obama
administration as a way for the government to share cybersecurity
flaws that intelligence agencies discover in commercial products to
help companies protect their customers and businesses.
Michael Daniel, who led the process as cybersecurity coordinator
from 2012 until this January, said the government has the ability
to release details on computer-security flaws to relevant tech
companies within "a matter of days." If the hacking tools described
in the leaked documents are from the Central Intelligence Agency,
as WikiLeaks claims, some security experts believe that this could
very well happen.
The technical details are important to tech companies such as
Apple Inc., Microsoft Corp. and Alphabet Inc.'s Google. Since
WikiLeaks' release Tuesday of the nearly 9,000 documents it says
came from the Central Intelligence Agency -- which described tools
for hacking a range of software, smartphones and other products --
companies have been trying to determine what vulnerabilities
described in the documents still exist and how to fix them. The
technical information is vital for ensuring that process is
effective, cybersecurity specialists say.
But it isn't clear whether the government in this case will use
the Vulnerability Equities Process, known as VEP -- or indeed
whether the public would know if it has. It is even possible the
government already has selectively disclosed some of the security
bugs described in the WikiLeaks documents.
White House representatives didn't respond to requests seeking
comment Friday.
Many of the details of the VEP are classified. Mr. Daniel
couldn't say how many bugs were reported through the process during
his tenure, or whether any of them were provided by the CIA. He
said when the government has used the VEP to provide U.S. companies
with data on their vulnerabilities, it generally has involved no
fanfare. "The federal government does not take credit for the
vulnerabilities they discover," he said.
The VEP has been under development since 2008, but its profile
rose in 2014, when the White House said the government would be
"biased toward responsibly disclosing" computer bugs rather than
hoarding them in stockpiles of cyberweapons. Led by the National
Security Council, the VEP entails a review board that includes
representatives from agencies such as the Department of Homeland
Security, the Federal Bureau of Investigation, the National
Security Agency and the CIA.
Several major companies, including Google, have said they
believe software updates they made before the WikiLeaks release
already protect users from many of the attacks the documents
describe. But until the actual tools are made public, security
experts say, it is impossible to say whether users are completely
protected.
One Apple iOS attack described in the WikiLeaks document called
"Saline" could potentially be used by hackers to run unauthorized
software on an iPhone, said Rich Mogull, an analyst at research and
consulting firm Securosis. According to the WikiLeaks
documentation, the bug affects somewhat recent versions of Apple's
iOS operating system, although it isn't clear whether it would work
on the latest release of iOS.
An Apple spokesman said many of the issues described in the
WikiLeaks documents have already been patched and the company would
"continue work to rapidly address any identified
vulnerabilities."
The tech companies face a dilemma. WikiLeaks founder Julian
Assange on Thursday offered to share with them the technical
details on the hacking tools described in the purported CIA
documents. Since the information, if valid, is classified, that
raises thorny legal and ethical issues. There is no evidence that
big companies have taken Mr. Assange's offer.
WikiLeaks didn't respond to messages seeking comment. Apple and
Google declined to comment on the group. Microsoft said that as of
Friday neither Mr. Assange nor his organization had contacted
it.
At the same time, WikiLeaks has threatened to release more
information from the CIA files, and the companies don't want the
technical information put out publicly.
"I do not know what the resolution to this event will be," said
Dan Guido, director at hack/secure, a cybersecurity investment
firm. "Nobody knows what Julian Assange is going to do and there's
a lot of anxiety about how the government will respond," given the
Trump administration's evolving relationship with technology
companies, Mr. Guido said.
Tripp Mickle, Jay Greene and Jack Nicas contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
March 11, 2017 07:14 ET (12:14 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.