As all the world now knows, Wikileaks released the “Vault 7″ trove of secret information about the Central Intelligence Agency’s cyberwarfare and electronic surveillance activities. Among other things, the Vault 7 documents revealed hacking vulnerabilities in the code that operates Apple and Android devices and Windows, OSx, Linux, and internet servers. After the Edward Snowden National Security Agency mass surveillance revelations, the Obama administration promised to share with private vendors what the government learns about software vulnerabilities. To increase sharing, the Obama adminstration purportedly “reinvigorated” the Vulnerabilities Equities Process (VEP) in which the spooks at the NSA basically got to decide which exploitable software flaws to disclose to private companies.
Some critics of the VEP think it unreasonably disarms the U.S. intelligence community in the long twilight struggle with our international adversaries. For example, cybersecurity specialists Dave Aitel and Matt Tait assert:
Public protestations to the contrary, there should be no confusion: the VEP is, inherently, harmful to intelligence operators. The IC’s adversaries in Russia, China, Iran and North Korea are not—nor will they ever be—hamstrung by similar policies….So no matter how limited the VEP might be, it will always represent a strategic disadvantage against foreign adversaries, a window into the US government’s most sensitive operations. …
As problematic as the current VEP policy is, astoundingly plenty of US civil liberties groups and think tanks now clamour to make things significantly worse. Misunderstanding and discarding strategic interests, they offer policy proposals premised on an unexamined axiom that the US government should disclose essentially all vulnerabilities and do so at a much faster rate—there even appears to be some underlying uncertainty as to whether the government should be allowed to have an undisclosed vulnerability in the first place.
Herein lies the basic problem: US cyber operations already face a greater level of scrutiny and limitations than our competitors. But single-minded reformists seek still more restrictions. At the same time, US cyber capabilities grow increasingly critical and central to the basic function of democratic interests worldwide. Without a robust investment in these capabilities, the US will lack the ability to solve the “Going Dark” issue and our intelligence efforts will start to run into quicksand around the world.
Interestingly, if disclosing software vulnerabilities enhances the “Going Dark” problem for U.S. spooks, it would also tend to put Russian, Chinese, and Iranian cyberspies in the dark too. At a 2013 Cato Institute conference to discuss NSA spying, renowned cybersecurity guru and Harvard Berkman Center fellow Bruce Schneier persausively asserted, “A secure Internet is in everyone’s interests. We are all better off if no one can do this kind of bulk surveillance. Fundamentally, security is more important than surveillance.”
Today, Moxie Marlinspike, the developer of Signal the encrypted instant messaging and voice calling app, was on NPR’s Morning Edition to talk about the Wikileaks Vault 7 revelations. The NPR segment noted that Wikileaks founder Julian Assange has suggested that his group would work with tech companies to fix the vulnerabilities in their systems that the CIA has kept secret. Marlinspike was then asked about Assange’s offer by reporter David Greene:
Question: Is there an argument that Julian Assange is offering is something that the government should be doing; if they know about vulnerabilities in technology that they might tell you or Android about them and that’s not a role that Wikileaks should be playing?
Answer: Absolutely, I think certainly I agree that is irresponsible to hoard these vulnerabilities and say (A) that no one else has discovered these vulnerabilities or to (B) think that they can manage them securely because, you know, obviously they can’t. If what the CIA is interested in doing is protecting Americans, then I think it should be in the CIA’s interest to disclose these vulnerabilities to American companies so that they can fix them and protect their users.