Julian Assange has offered to help make your product more secure. Julian Assange has offered to make you a felon.
WikiLeaks founder Julian Assange has released information about the CIA’s “Vault 7” Swiss Army knife toolkit for rooting and hacking into computers, phones, routers, networks, and IoT devices. These include a wealth of theoretical, known, and “zero day” vulnerabilities and exploits – many of which have been floating around in the research community, but some of which are genuinely new.
To date, WikiLeaks has only released the description of these exploits – how they work, what they target, what is vulnerable. But Assange has assured the IT community that he will soon release the actual code and exploits – not to the public — but to them, so they can fix the vulnerabilities.
So, you are a product manager at Apple. Or Cisco. Or Intel. Or Microsoft. In fact, it has been reported that WikiLeaks has already reached out to Microsoft through its vulnerability disclosure email address. Do you take Assange up on his offer? As always, the lawyer consults his magic 8-ball. “Situation hazy. Try again later.”
First, of course, any source code downloaded from the Internet has to be considered – well, source code downloaded from the Internet. Duh. But from a legal perspective, do you download the CIA’s sensitive (and classified) data, knowing that it is classified? Obviously, consult your own legal counsel. People who get their legal advice from the Internet are only one step removed from those who download executables from the Internet. Amirite?
Espionage Novel – Novel Espionage
The problem lies with the Espionage Act of 1917. 100 years ago, with the experience of German immigrants theoretically working as a “Fifth Column” against the U.S. and for the Kaiser, Congress passed a series of laws to deal with the treatment of classified information.
18 USC 793(e) makes it a criminal offense to have “unauthorized possession of, access to, or control over any … information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, [and] willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it.”
In short, it criminalizes keeping or transmitting classified information that you have reason to believe could be used to injure the U.S.A. That’s just one of the laws relating to the willful possession of classified information.
In fact, the Congressman who represents much of Silicon Valley has urged his high-tech constituents NOT to accept the gift from the WikiLeaks gods. Ro Khanna, who represents California’s 17th District (including Fremont, San Jose and Cupertino) tells his constituents that:
“No company should be abetting or aiding in the dissemination of classified information. I’m all for robust public debate and information being in the public sphere, but not information that can compromise lives of military – not just our military, but the lives of civilians in other countries, who may be aiding us, or who we may be trying to protect. So, you have to have a basic decency and respect for human life.”
Just as a note, the high-tech companies are not seeking to disseminate the information about their vulnerabilities, but rather are seeking to USE the information disseminated by Assange to close the vulnerabilities. But even that might impact national security.
So, if you accept Assange’s offer of classified information, are you committing a crime? Shuffles feet, looks down. Maybe. But only if the government wants to prosecute you. And, they probably don’t. At least in theory.
You see, the government theoretically WANTS you to have that information. That’s what the Cybersecurity Information Sharing Act of 2015 was all about. That law “requires the Director of National Intelligence and the Departments of Homeland Security (DHS), Defense, and Justice to develop procedures to share cybersecurity threat information with private entities, … the public, and entities under threats.”
Note that it requires a procedure, not the actual sharing, and still permits the Intelligence Community (IC) to keep such threat information classified. Moreover, as Jonathan Pollard, the man convicted of spying for Israel, learned, it is no defense to an espionage prosecution to argue that you were entitled to that information by law or other agreement. The fact that you have received classified information that some part of the government doesn’t want you to have at least exposes you to potential criminal liability.
On the other hand, it’s really doubtful that, at this stage, the government really wants to incarcerate executives at Samsung, Apple, or Microsoft for making their products more secure. Especially since the cat is out of the bag. Sure, the CIA would like to keep the vulnerabilities secret, and have their exploits continue to work, but at this point, the “bad guys” would already have either fixed the vulnerabilities, or moved to a different technology to counteract the potential for surveillance.
So not allowing the tech companies to “fix” the product would mostly serve the purpose of keeping the general public at risk of exploit, while protecting those whom the CIA would most want to surveil. Many of the vulnerabilities and exploits exist in older versions of hardware or software – bad guys (and good guys) alike might simply update in the hopes of a patch – at least one to the specific vulnerability mentioned in the Vault 7 archive.
So here’s the dilemma. If you ASK the Department of Justice for immunity from prosecution for willfully accepting the Assange documents, they will likely take one of several courses – few of them good for you.
First, they might just say, “sure, take the Assange materials, use them to update your product, and may the force be with you.” Maybe. Second, they may simply acknowledge your request and ignore you. That may come with a response reminding you of the espionage laws. Third, they may allow you to accept the information (or even provide it directly) with a “request” that you delay any update, or that you NOT update certain products or products in certain countries, or belonging to certain subscribers. Tough situation then. Finally, they may take an aggressive stand on the espionage laws, and decide to open a grand jury investigation based on the request itself. No good deed goes unpunished.
Alternatively, IT executives could request from the IC or DHS the vulnerability information under CISA, and cross their fingers that it is both produced and accurate. That information could be provided to the vendors either in a classified or unclassified manner. If classified, then downloading the Assange documents remains problematic. If unclassified, then there’s the potential that the Assange documents have then been de-classified, making it OK to use them. That is, if they are the same documents.
Ain’t law fun?
As a former DOJ espionage prosecutor, I can tell you from personal experience that this is a legal and political thicket. Perhaps the best thing to do at the outset is to use what has been publicly reported to stress test your product for vulnerabilities. (Yes, I know that even the public reports are classified). And after that, I highly recommend you take your lawyer’s advice. Whatever that might be.
Oh… one more thing. Now that you have reason to believe that there are vulnerabilities in your product or code, your failure to fix them is likely to be considered to be an “unfair” or “deceptive” trade practice by the FTC. No reason the government needs to speak with one voice, right? A foolish consistency is the hobgoblin of little minds. As F. Scott Fitzgerald noted, “the test of a first-rate intelligence is the ability to hold two opposed ideas in mind at the same time and still retain the ability to function.” That’s also the test of a first-rate CISO.