Responsible vulnerability disclosure lacking by CIA and WikiLeaks

The Central Intelligence Agency and WikiLeaks have both come under fire concerning the lack of responsible vulnerability disclosure prior to the release of the CIA's Vault 7 documents.

While the CIA may not have known that WikiLeaks was planning to release close to 9,000 Vault 7 documents on Tuesday, including zero-day exploits for various systems, experts criticized the agency for ignoring the Vulnerability Equities Process (VEP). The VEP was designed to help government agencies decide whether to disclose a vulnerability or hold on to it, but experts have noted the process is currently voluntary and may need to be codified into law.

A new report from Reuters has claimed U.S. intelligence and law enforcement officials were aware of the CIA security breach that led to the Vault 7 release "since late last year." This report has led experts to further question why there was no responsible vulnerability disclosure from the CIA earlier.

Richard Henderson, global security strategist for endpoint security vendor Absolute Software in Vancouver, B.C., said he found it "disconcerting and incredibly unnerving that once again, it appears that our government agencies continue to engage in doublespeak when it comes to the stockpiling of these cyberweapons."

"There are exceptions in disclosing vulnerabilities in the stated policies when the exploit has a clear national security interest. I think it likely that all of these stockpiled vulnerabilities were kept secret using that justification," Henderson told SearchSecurity. "What the revelations say to me is that it is entirely likely that intelligence groups around the world are likely also stockpiling these vulnerabilities and exploits to use in their online activities. We really have entered a new era of state-sponsored cyber warfare, and I fear it will only get worse as time passes."

The Vault 7 exploits held by the CIA reportedly contained "a substantial library of attack techniques 'stolen' from malware produced in other states, including the Russian Federation," according to WikiLeaks.

Kevin Bankston, internet rights advocate and director of the Open Technology Institute at New America, based in Washington, D.C., said on Twitter that knowing these vulnerabilities are available or have been taken from other sources "mitigates strongly towards disclosure to vendors."

Key question: is CIA going to responsibly disclose any 0-day vulns so they can be patched, now that Wikileaks appears to possess them? https://t.co/fWnYkZa38i

— Kevin Bankston (@KevinBankston) March 7, 2017

Jason Healey, senior fellow for the Cyber Statecraft Initiative at the Atlantic Council, also in Washington, D.C., said on Twitter there would be a few reasons why the CIA might not disclose vulnerabilities through VEP.

CIA wouldn't have to submit 0days to VEP if:
- Trivial or outdated (eg WinNT)
- Predated 2010
- Not made/used in UShttps://t.co/0Ej4buuWXm

— Jason Healey (@Jason_Healey) March 7, 2017

Nathaniel Gleicher, former director of cybersecurity policy for the White House and current head of cybersecurity strategy at Illumio in Sunnyvale, Calif., said "a number of the vulnerabilities described were for fairly outdated handsets" that aren't widely used in the U.S., which changes how the VEP is put into action.

"The point of the VEP was never to ensure full disclosure of all vulnerabilities. The point of the VEP was to create bias toward disclosure and to disclose as many as possible, recognizing some of the challenges and complexities of national security concerns," Gleicher told SearchSecurity. "There's a calculation that has to go on, and the VEP lays out how to do these calculations to understand: What is the risk that this gets exploited, versus what is the benefit of having this? And, it's really hard to understand in the abstract what that calculation should be."

Heather West, senior policy manager and Americas principal at Mozilla, based in Mountain View, Calif., said the government may have "legitimate intelligence or law enforcement reasons" to delay responsible vulnerability disclosure, "but these same vulnerabilities can endanger the security of billions of people."

"These two interests must be balanced, and recent incidents demonstrate just how easily stockpiling vulnerabilities can go awry without proper policies and procedures in place," West wrote in a blog post. "Once governments become aware of a security vulnerability, they have a responsibility to consider how and when (not whether) to disclose the vulnerability to the affected company so they can fix the problem and protect users."

Edward Snowden said the CIA not disclosing the iOS vulnerabilities it had was "reckless beyond words."

Why is this dangerous? Because until closed, any hacker can use the security hole the CIA left open to break into any iPhone in the world. https://t.co/xK0aILAdFI

— Edward Snowden (@Snowden) March 7, 2017

Snowden's fears, however, may be lessened, as Apple said in a media statement that "initial analysis indicates that many of the issues leaked today were already patched in the latest OS."