WikiLeaks will work with technology companies to help defend them against the CIA’s hacking tools, founder Julian Assange said Thursday. The move sets up a potential conflict between Silicon Valley firms eager to protect their products and an intelligence agency stung by the radical transparency group’s disclosures.
In an online news conference, Assange said some companies had asked for more details about the CIA cyberespionage toolkit that he purportedly revealed in a massive disclosure on Tuesday.
“We have decided to work with them, to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out,” Assange said. The digital blueprints for what he described as “cyberweapons” would be published to the world “once this material is effectively disarmed by us.”
The CIA did not respond directly to Assange’s offer, but it appeared to take a dim view of the announcement.
“As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity,” CIA spokeswoman Heather Fritz Horniak said, adding that the CIA’s work would continue “despite the efforts of Assange and his ilk.”
Assange had plenty of criticism for the agency himself, blasting it for having lost control of its “entire cyberweapons arsenal,” something he described as “a historic act of devastating incompetence.”
The fate of the arsenal is not completely clear. WikiLeaks has not released the actual digital espionage tools themselves, just documentation related to them which describe in various levels of detail how the CIA bypasses anti-viruses, hacks into smartphones and even hijacks smart TVs. Assange has not explicitly said how he knows that the arsenal is circulating or even that he has a full copy.
Assange did offer some hints, suggesting that spies, former intelligence officials and contractors had been sharing the cyberespionage tools behind the CIA’s back — potentially to feed the for-profit market in spy software.
“WikiLeaks discovered the material as a result of it being passed around a number of different members of the U.S. intelligence community, out of control, in an unauthorized fashion,” Assange said. “It looks like not only is that material being spread around contractors and former American computer hackers for hire, but now may be in the black market.”
If true, that would be a serious concern for ordinary internet users. There are already signs that international law enforcement is worried.
Europol’s chief Rob Wainwright said that the CIA breach could provide “a handy how-to-do hacking manual” for nefarious actors of all stripes.
“There is a potential here for a much more widespread impact in the way that it might fuel an increase in cybercriminal activity,” he said.
Assange said the CIA breach showed that this kind of technology was nearly impossible to keep under wraps — or under control.
“The technology is designed to be unaccountable, untraceable; it’s designed to remove traces of its activity,” he said.
The probability of Assange being taken up on his offer is uncertain. Some of the alleged CIA cyberespionage tools disclosed by WikiLeaks are obsolete, meaning that his help may not be needed in many cases.
Even in the case of live vulnerabilities it’s not clear how Assange’s offer would be seen by American companies or how the mechanics of such a collaboration might work given the CIA’s hostility. Even under normal circumstances, the process of flagging software flaws to technology companies can be fraught.
“When vendors receive information about a vulnerability, they look at it from a political perspective,” said Adriel T. Desautels, the chief executive at Netragard LLC. “Especially with highly complex ones, they can sit in the hands of a vendor for years, two to three years, until they receive external pressure to move on something.”
Assange appeared to nod to those concerns in his conference, saying it was up to the public to demand that companies moved quickly on WikiLeaks’ offer.
“It is important to put pressure on those companies,” he said.