TheSupe87 - Fotolia

Responsible vulnerability disclosure lacking by CIA and WikiLeaks

Experts criticize both WikiLeaks and the CIA for failing responsible vulnerability disclosure around the Vault 7 documents, and question the CIA's use of the VEP.

The Central Intelligence Agency and WikiLeaks have both come under fire concerning the lack of responsible vulnerability disclosure prior to the release of the CIA's Vault 7 documents.

While the CIA may not have known that WikiLeaks was planning to release close to 9,000 Vault 7 documents on Tuesday, including zero-day exploits for various systems, experts criticized the agency for ignoring the Vulnerability Equities Process (VEP). The VEP was designed to help government agencies decide whether to disclose a vulnerability or hold on to it, but experts have noted the process is currently voluntary and may need to be codified into law.

A new report from Reuters has claimed U.S. intelligence and law enforcement officials were aware of the CIA security breach that led to the Vault 7 release "since late last year." This report has led experts to further question why there was no responsible vulnerability disclosure from the CIA earlier.

Richard Henderson, global security strategist for endpoint security vendor Absolute Software in Vancouver, B.C., said he found it "disconcerting and incredibly unnerving that once again, it appears that our government agencies continue to engage in doublespeak when it comes to the stockpiling of these cyberweapons."

"There are exceptions in disclosing vulnerabilities in the stated policies when the exploit has a clear national security interest. I think it likely that all of these stockpiled vulnerabilities were kept secret using that justification," Henderson told SearchSecurity. "What the revelations say to me is that it is entirely likely that intelligence groups around the world are likely also stockpiling these vulnerabilities and exploits to use in their online activities. We really have entered a new era of state-sponsored cyber warfare, and I fear it will only get worse as time passes."

The Vault 7 exploits held by the CIA reportedly contained "a substantial library of attack techniques 'stolen' from malware produced in other states, including the Russian Federation," according to WikiLeaks.

Kevin Bankston, internet rights advocate and director of the Open Technology Institute at New America, based in Washington, D.C., said on Twitter that knowing these vulnerabilities are available or have been taken from other sources "mitigates strongly towards disclosure to vendors."

Jason Healey, senior fellow for the Cyber Statecraft Initiative at the Atlantic Council, also in Washington, D.C., said on Twitter there would be a few reasons why the CIA might not disclose vulnerabilities through VEP.

Nathaniel Gleicher, former director of cybersecurity policy for the White House and current head of cybersecurity strategy at Illumio in Sunnyvale, Calif., said "a number of the vulnerabilities described were for fairly outdated handsets" that aren't widely used in the U.S., which changes how the VEP is put into action.

"The point of the VEP was never to ensure full disclosure of all vulnerabilities. The point of the VEP was to create bias toward disclosure and to disclose as many as possible, recognizing some of the challenges and complexities of national security concerns," Gleicher told SearchSecurity. "There's a calculation that has to go on, and the VEP lays out how to do these calculations to understand: What is the risk that this gets exploited, versus what is the benefit of having this? And, it's really hard to understand in the abstract what that calculation should be."

Heather West, senior policy manager and Americas principal at Mozilla, based in Mountain View, Calif., said the government may have "legitimate intelligence or law enforcement reasons" to delay responsible vulnerability disclosure, "but these same vulnerabilities can endanger the security of billions of people."

"These two interests must be balanced, and recent incidents demonstrate just how easily stockpiling vulnerabilities can go awry without proper policies and procedures in place," West wrote in a blog post. "Once governments become aware of a security vulnerability, they have a responsibility to consider how and when (not whether) to disclose the vulnerability to the affected company so they can fix the problem and protect users."

Edward Snowden said the CIA not disclosing the iOS vulnerabilities it had was "reckless beyond words."

Snowden's fears, however, may be lessened, as Apple said in a media statement that "initial analysis indicates that many of the issues leaked today were already patched in the latest OS."

WikiLeaks' responsibility

Gleicher said the questions of authenticity and relevance of the vulnerabilities "really throws up into the air this question" of responsible vulnerability disclosure, because WikiLeaks has not yet released any code -- just descriptions.

"Whenever you're disclosing vulnerabilities to devices, what this does is it radically focuses both malicious actors, and hopefully legitimate actors, at these problems. And the best outcome is when it's not a race between the good guys and the bad guys," Gleicher told SearchSecurity. "I think in the future, if we see the release of actual code, that radically changes the situation, and then it is much more clearly providing vulnerabilities that can be used."

Henderson noted although many in the security industry would prefer all organizations follow the tenets of responsible vulnerability disclosure, he wasn't surprised that WikiLeaks ignored that process, given that "part of their modus operandi is to make waves and cause discussion."

"Even though WikiLeaks did release some basic vulnerability information, no significant technical details have been made public yet, and I hope that is to allow the targeted vendors time to respond and issue emergency patches before more technical information is dumped in the coming weeks and months," Henderson said. "We should also keep in mind that it appears that a significant number of these vulnerabilities were not developed in-house, but purchased on the open market from research firms."

West said the focus may be on the CIA's lack of responsible vulnerability disclosure, but added that if the Vault 7 leak is real, "it proves the CIA is undermining the security of the internet -- and so is WikiLeaks."

"Cybersecurity is a shared responsibility, and this is true in this example, regarding the disclosure of security vulnerabilities," West wrote. "It appears that neither the CIA nor WikiLeaks are living up to that standard -- the CIA seems to be stockpiling vulnerabilities, and WikiLeaks seems to be using that trove for shock value, rather than coordinating disclosure to the affected companies to give them a chance to fix it and protect users."

Next Steps

Learn more about the continued crypto war following the Apple-FBI suit being dropped.

Find out why the FBI was questioned about its use of the VEP in the Playpen case.

Get info on what concerns CIOs with the coming IoT explosion.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing