{"id":136,"date":"2017-03-10T18:42:03","date_gmt":"2017-03-10T23:42:03","guid":{"rendered":"http:\/\/langstonsoftware.com\/?p=136"},"modified":"2024-01-30T19:09:16","modified_gmt":"2024-01-31T00:09:16","slug":"why-should-the-cia-disclose-security-vulnerabilities","status":"publish","type":"post","link":"https:\/\/langstonsoftware.com\/2017\/03\/10\/why-should-the-cia-disclose-security-vulnerabilities\/","title":{"rendered":"Why should the CIA disclose security vulnerabilities?"},"content":{"rendered":"
<p>The CIA and other United States intelligence and law enforcement agencies have valid cause to research and exploit digital security vulnerabilities to further the national interest and the public welfare. But when it comes to hoarding undisclosed vulnerabilities, they have recently made choices that undermine both.<\/p>\n
<p><a href=\"https:\/\/www.nytimes.com\/2017\/03\/07\/world\/europe\/wikileaks-cia-hacking.html\">https:\/\/www.nytimes.com\/2017\/03\/07\/world\/europe\/wikileaks-cia-hacking.html<\/a><\/p>\n
<blockquote><p>But Ben Wizner, the director of the American Civil Liberties Union\u2019s Speech, Privacy, and Technology Project, said the documents suggest that the government has deliberately allowed vulnerabilities in phones and other devices to persist to make spying easier.<\/p>\n<p>\u201cThose vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world,\u201d Mr. Wizner said. \u201cPatching security holes immediately, not stockpiling them, is the best way to make everyone\u2019s digital life safer.\u201d<\/p><\/blockquote>\n
<p>Disclosure is both ethical and pragmatic. It protects citizens and companies from criminals and foreign powers. The CIA is aware of these trade-offs: the U.S. government even has a standing interagency procedure for deciding whether a vulnerability is disclosed to the vendor or retained, the Vulnerabilities Equities Process. Yet in the cases exposed by the latest leak, the agency appears not to have followed that procedure.<\/p>\n
<p><a href=\"https:\/\/www.eff.org\/deeplinks\/2017\/03\/hey-cia-you-held-security-flaw-information-now-its-out-thats-not-how-it-should\">https:\/\/www.eff.org\/deeplinks\/2017\/03\/hey-cia-you-held-security-flaw-information-now-its-out-thats-not-how-it-should<\/a><\/p>\n
<blockquote><p>The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices\u2014including Android phones, iPhones, and Samsung televisions\u2014that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we’re all made less safe by the CIA’s decision to keep — rather than ensure the patching of — vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.<\/p><\/blockquote>\n
<p>Security experts have long rallied to the call for disclosure, seeing it as a necessary part of maintaining digital security and, by extension, U.S. dominance of the computer and web services market. Failing to protect U.S. technology companies, let alone actively undermining trust in them, could be disastrous for our economy, and therefore for both our bread and our bullets.<\/p>\n
<p><a href=\"https:\/\/www.schneier.com\/essays\/archives\/2007\/01\/schneier_full_disclo.html\">https:\/\/www.schneier.com\/essays\/archives\/2007\/01\/schneier_full_disclo.html<\/a><\/p>\n
<blockquote><p>The moral here doesn’t just apply to software; it’s very general. Public scrutiny is how security improves, whether we’re talking about software or airport security or government counterterrorism measures. Yes, there are trade-offs. Full disclosure means that the bad guys learn about the vulnerability at the same time as the rest of us — unless, of course, they knew about it beforehand — but most of the time the benefits far outweigh the disadvantages.<\/p>\n<p>Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn’t improve security; it stifles it.<\/p><\/blockquote>\n
<p>Beyond this there is a question of integrity. If the government paid researchers to make discoveries in health or environmental science, would we accept their failure to disclose findings that posed a severe cost to the nation’s health, even if there were military or law enforcement applications for keeping those findings secret? Of course not. Why would you consider digital security researchers exempt from the same research-ethics requirements?<\/p>\n
<p>Have we forgotten so quickly that our nation’s democratic process was tampered with through a failure of digital security?<\/p>\n
<p>Or the risk ransomware poses to business, whose true cost is only hinted at by the ransom payments that get reported?<\/p>\n
<p><a href=\"https:\/\/www.fbi.gov\/contact-us\/field-offices\/cleveland\/news\/press-releases\/ransomware-latest-cyber-extortion-tool\">https:\/\/www.fbi.gov\/contact-us\/field-offices\/cleveland\/news\/press-releases\/ransomware-latest-cyber-extortion-tool<\/a><\/p>\n
<blockquote><p>Ransomware has become a significant threat to U.S. businesses and individuals. In 2014, over 1,800 complaints were filed regarding ransomware, resulting in a loss of more than $23 million. In 2015, that number grew to more than 2,400 complaints with a reported loss of more than $24 million.<\/p><\/blockquote>\n
<p>These aren’t just numbers; they affect real businesses, real people, real lives. Not only employees and customers, but doctors and patients.<\/p>\n
<p><a href=\"http:\/\/www.beckershospitalreview.com\/healthcare-information-technology\/12-healthcare-ransomware-attacks-of-2016.html\">http:\/\/www.beckershospitalreview.com\/healthcare-information-technology\/12-healthcare-ransomware-attacks-of-2016.html<\/a><\/p>\n
<blockquote><p>Henderson, Ky.-based Methodist Hospital was hit with a ransomware virus that limited its use of electronic web-based services and prompted it to declare an internal state of emergency.<\/p>\n<p>After five days, Methodist Hospital emerged from the state of emergency and regained control of its computer systems.<\/p><\/blockquote>\n
<p>From the same article:<\/p>\n
<blockquote><p>After being hit with a ransomware attack, a failed backup system caused Marin General Healthcare District and Prima Medical Group to lose clinical information collected in a two-week window at the Greenbrae, Calif.-based district’s nine medical centers. The incident affected 2,292 patients of Marin Healthcare District and 2,934 patients of physicians with Prima Medical Group who work with Marin General Hospital.<\/p><\/blockquote>\n
<p>I’ve heard arguments that disclosure is not required because the abundance of vulnerabilities and the lack of patching make it ineffective. But that argument cuts both ways. If vulnerabilities are plentiful and patches are slow to be applied, then a disclosed vulnerability remains usable until the fix is actually deployed, and in most situations the government can exploit a disclosed vulnerability just as easily as an undisclosed one. The difference is that disclosure doesn’t come with a cost to our digital security or our integrity. Especially when the CIA is not following its own rules and the administration and the press are clashing over Twitter posts, we need to force disclosure as part of strong democratic oversight.<\/p>\n
<p>I’ve also heard arguments that boil down to dismissing digital security altogether, on the grounds that privacy is dead. Doctors losing weeks of patient records, or a hospital having to declare a state of emergency, should make clear that privacy is not the only thing at stake. But privacy matters too.<\/p>\n