Op-Ed: The Wikileaks Documents Show the CIA’s Hacking Operations Cause More Harm Than Good

Posted on March 19, 2017

With barely a week having passed since Wikileaks released a formidable cache of documents on CIA hacking techniques, observers are already frantically assessing their impact. Media and expert reactions vary widely, spanning anywhere from Leonid Bershidsky’s dismissal of the revelations as ultimately inconsequential in affecting what is a given in intelligence work, to Fred Kaplan’s sharp condemnation of a brazen assault on the national security apparatus.

Beyond that which will surely accompany Wikileaks’s planned future publication, we are sure to see more thorough and (hopefully) nuanced analysis in the coming weeks, but I wanted to contribute to the present debate by emphasizing an underrepresented, and underappreciated, view. Regardless of how one may feel about the legitimacy of the intelligence community’s work or the methods it chooses to employ toward those ends, the fact that developers of indispensable programs, services, and operating systems are now able to patch the critical security vulnerabilities uncovered in the disclosures is an unquestionable and significant good for citizens and consumers in the US and around the world.

There is a common misconception surrounding the practice of disseminating software vulnerabilities or malware on the internet–that the intent is malicious, constituting an attempt to proliferate hacking tools to sow discord. However, such a practice is antithetical to a malicious hacker, as it is hard enough to contend with computer security programs without also having to compete with other black hats for the same pool of targets. Any bad actor of basic competence would much rather choose to keep exploits, or knowledge of how to craft them, to themselves.

More importantly, releasing vulnerabilities gives the developers of the affected programs the opportunity to close the holes in their defenses. This is usually the reason why those who publicize software vulnerabilities choose to do so. Many companies will refuse to take action when notified privately of the existence of critical bugs–perhaps the rationale is that there is little to be gained, monetarily, from fixing a bug that users don’t even know exists–so the only recourse is to set it loose and force their hand.

The latest dispatch from Wikileaks performed exactly this function, if with the principal aim of accomplishing other ends. In fact, Wikileaks’ editor-in-chief, Julian Assange, has stated that he intends to do precisely that, sharing the CIA’s exploit code with the developers of targeted products in order to facilitate the development of security patches.

Critics focus on the fact that the CIA can no longer deploy these techniques against traditional, unobjectionable espionage targets, but even so, this does not in itself justify the CIA in knowingly withholding information that could better protect the sensitive data of millions of people. By helping developers close vulnerabilities, Wikileaks may have burned a potential weapon against America’s adversaries, but it took such techniques off the table for all the world’s other intelligence agencies and rogue actors, too. Not only is it likely that such adversaries would have eventually discovered these vulnerabilities on their own, as a recent study by the Rand Corporation corroborates, but had the CIA continued to deploy them, they would have ultimately been cataloged, examined, and reproduced and turned on Americans. This is exactly what happened with Stuxnet, which was intended to attack an off-the-grid Iranian nuclear facility but has since leaked onto the internet and been modified for even more alarming purposes.

Moreover, though not to the extent Edward Snowden’s did, the documents provided by Wikileaks shined a light on questionable practices which the public had a right to know. To start with, they show that the Vulnerabilities Equities Process, established by President Obama to balance the intelligence community’s interest in stockpiling hacking weapons with the need to protect consumers by reporting dangerous bugs, was essentially ignored by the CIA. Additionally, analysis of the trove confirms that the CIA spent part of its budget purchasing zero-day vulnerabilities, security holes which developers are unaware of, from black market vendors in higher numbers than previously estimated, and then hoarding them instead of disclosing them. Taken together, these notable gains in our understanding of the agency’s hacking operations clearly demonstrate that in the face of sound end-to-end encryption software such as Signal and WhatsApp, they have opted to aggressively attack the “ends,” the devices transmitting the encrypted content, by actively preserving as many security vulnerabilities as possible, in spite of dire security implications. In other words, in order to spy on a few, they have opted to wittingly make the many less safe. 

The allegations of harm caused by the leak which critics like Kaplan raise should not be dismissed out of hand–the CIA provides invaluable service to the interests of national security–but to insist that because of this it offers no benefit to the fabric of American society is an unfounded contention, and precludes the possibility that it might confer greater benefit than if it had remained secret. If we are to meaningfully and fruitfully debate what is best for civil society, such considerations as this should be fairly weighed on their merit.

This post was adapted from my original blog post “Regardless of where one stands, the CIA disclosures achieve unquestionable good” on Cymatic Scanning.

Jonathan Terrasi has been a Research Assistant with the Chicago Committee to Defend the Bill of Rights since January 2017. His interests include computer security, encryption, history, and philosophy. In his writing, he regularly covers topics on current affairs and political developments, as well as technical analyses and guides on security issues, published on his blog, Cymatic Scanning, and Linux Insider.