WikiLeaks Offer to Help Secure Tech Products Fraught With Legal Risks

NEWS ANALYSIS: Tech companies have to decide whether accepting help from WikiLeaks to protect their products from intelligence agency cyber-exploits is a good idea, a trap or a criminal act.

julian assange

Now that the technology industry has had a chance to see the CIA files that showed up on WikiLeaks on March 7, founder Julian Assange is offering the companies affected a chance to see the complete dumps of the information that’s been revealed.

Until now the material posted on the WikiLeaks site in what’s called “Vault 7” has lacked some critical details. The complete information would provide a detailed look at the vulnerabilities that appear in the WikiLeaks data.

However, the tech companies need to think twice before taking Assange up on his offer. On one hand, the companies would get a detailed look at what the CIA data indicates are the weaknesses in their products. On the other hand, there are some specific downsides to accepting WikiLeaks' offer.

The biggest two potential problems are that the information is still legally classified, which could mean that possessing it could be considered a criminal act, even though it came from a public source.

A recent statement from White House press secretary Sean Spicer, that “any individual or entity using any piece of still-classified information” should seek legal counsel is clearly intimidating. According to SANS Institute board member and security researcher Jake Williams, some security professionals are afraid to even look at the WikiLeaks data.

Considering that cyber-attackers have no such limitations, the intimidation by the White House is effectively putting security workers at a disadvantage because they won’t know what threats to respond to. “Attackers can and will learn from the insights in the CIA leaks,” Williams said in a prepared statement. “To limit our defender's access to the same data through veiled threats is reckless and further harms U.S. national security.”

Complicating matters for companies is the issue of dealing with Assange. Does any company want to be seen as being dependent on him and on WikiLeaks for even part of their security? This is especially the case for someone who clearly deals in stolen secrets.

It’s also becoming obvious that the stolen CIA exploits, while deeply embarrassing to the agency, are apparently not particularly current. Many of the exploits revealed so far have long been fixed and most of the rest are apparently known.

Another issue facing tech companies as they ponder the Assange offer is that most of the hacking tools are already fairly well known, and the vulnerabilities are also known. For example the “Weeping Angel” tool that can provide access to Samsung televisions uses a very well-known security hole that’s been widely publicized. In fact the hole is so well known that Samsung now places a warning in the manual for those televisions.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...