The release of a large trove of documents and tools that are linked to CIA’s cyber espionage activities has raised a lot of questions, especially about the way that the agency and other government groups handle information on undisclosed vulnerabilities.
Some of the documents, released by Wikileaks Tuesday, show that CIA has had access to exploits for a number of vulnerabilities that aren’t publicly known. That includes bugs in Android and iOS, the latter of which are highly prized because of the relative difficulty of attacking that operating system. On the private market, vulnerabilities that give full access to current versions of iOS sell for more than $1 million. Such flaws are highly valuable to intelligence agencies as well, and CIA apparently had access to some.
There’s no way to know whether other adversaries have discovered the same vulnerabilities, and security and policy experts yesterday questioned why CIA officials didn’t disclose any of the vulnerabilities the agency discovered to the affected vendors. This has been an ongoing conflict in the security community for many years, and it recently expanded to include government agencies, some of which have teams dedicated to finding zero days in popular operating systems and applications.
Barack Obama’s administration developed a Vulnerability Equities Process as a set of guidelines for federal agencies on when to disclose newly discovered vulnerabilities. The VEP is designed to ensure that severe vulnerabilities that affect a large number of users aren’t left open unless there’s a clear need for the intelligence or law enforcement community to keep them secret. The policy has been criticized for not being clear enough, and critics this week said CIA violated the VEP by not disclosing the vulnerabilities it had in its possession.
“The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we’re all made less safe by the CIA’s decision to keep — rather than ensure the patching of — vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans,” Cindy Cohn, executive director of the EFF, said in a post.
The leak puts technology companies in the position of needing to analyze vulnerabilities revealed in the documents and assess the effect on their products and customers. Apple said in a statement that it appears many of the bugs in iOS revealed in the Wikileaks documents already have been fixed. But the documents are a couple of years old, so it’s possible, and even likely, that CIA and other agencies have newer bugs that have not yet seen the light of day.