WikiLeaks founder Julian Assange says technology firms will get the first look at alleged CIA hacking tools before they are published.
The initial tranche of published documents from a leaked archive of US Central Intelligence Agency (CIA) hacking tools that exploit zero-day vulnerabilities in most desktop and mobile operating systems put affected tech firms on the back foot and racing to release fixes and contain the damage.
WikiLeaks came under fire for publishing details of the hacking tools and the vulnerabilities they exploit without first disclosing the information to software and hardware makers to enable them to prepare patches to protect users of affected products.
In a live streamed news conference, Assange said the CIA could potentially cause the tech industry “billions of dollars of damage” and that after some thought, he had decided to give the tech community further leaks first.
“We have decided to work with them, to give them exclusive access to some of the technical details we have,” he said.
“Once the material is effectively disarmed, we will publish additional details,” said Assange, adding that WikiLeaks wanted to “secure communications technology because, without it, journalists are not able to hold the state to account”.
According to Assange, WikiLeaks has “a lot more information on the [CIA’s] cyber weapons programme”.
Apple, Google and the Linux Foundation were among the first to say they were working on security updates where necessary, while Comodo and Kaspersky Lab said the vulnerabilities in their software mentioned in leaked documents were obsolete and had been fixed, and Avira said it had already rushed out a fix.
Microsoft, which has long been a leading campaigner for responsible disclosure of security vulnerabilities, said in a statement that its preferred method for anyone with knowledge of security issues was to submit details to email@example.com so the firm could take any necessary steps to protect customers.
Security industry commentators said individuals and companies that discovered they were using vulnerable products would have to assess their own risk and decide what course of action to take to mitigate it.
“This may involve temporarily disabling or disallowing some products until vulnerabilities are patched, or even switching to new products,” said Shuman Ghosemajumder, CTO of Shape Security.
Assange used the news conference to highlight the Umbrage programme, which was revealed in the first set of leaked documents.
The programme is allegedly aimed at collecting malware from other nation states, such as Russia, to help hide the origin of the hacking tools developed by the CIA and its allies.
“The technology is designed to be unaccountable,” said Assange, claiming that a malware expert had told WikiLeaks he suspected that malware previously attributed to Iran, Russia and China could have been developed by the CIA.
China has already asked the US to stop spying on and hacking other countries, according to Reuters. “We urge the US side to stop listening in, monitoring, stealing secrets and internet hacking against China and other countries,” Chinese foreign ministry spokesman Geng Shuang said at a news briefing on 9 March.
The statement comes just days after China called for greater international collaboration in cyber space, saying it was committed to working with other countries to combat cyber crime and cyber terrorism.
“It is in the shared interests and also the responsibility of the international community to safeguard peace and security, promote openness and co-operation and foster a community of shared future in cyber space,” China’s president Xi Jinping was quoted as saying in the preface to the International strategy of co-operation on cyber space.
Publication of the strategy comes nearly 18 months after the Chinese premier and US president Barack Obama agreed that neither government would support the cyber theft of intellectual property in an attempt to quell rising tensions between the two nations on the issue.