WikiLeaks help fixing CIA exploits illegal, but unlikely to be prosecuted


WikiLeaks says it has started contacting tech companies to warn them about security flaws being exploited by the CIA. But working with WikiLeaks on the classified information raises legal and ethical questions for companies in no rush to pick new fights with the government. 

The tips about the malware are based on files WikiLeaks hasn't yet released through its "CIA Leaks" publications.

“Companies and people with clearances have been instructed to treat anything labeled as or suspected to be classified material as still classified,” Stewart Baker, a partner at the firm Steptoe and Johnson and former assistant secretary for policy at the Department of Homeland Security, said via email.

“So viewing WikiLeaks’ material at least poses a risk to government contractors.”

On Tuesday, WikiLeaks' site tweeted that it had “contacted Apple, Microsoft, Google, Mozilla & MicroTik to help protect users against CIA malware.”

Microsoft and Mozilla both confirmed to The Hill that WikiLeaks had been in contact, but a source inside one of the listed companies described the contact as preliminary, with no information sent about potential vulnerabilities.

Mozilla indicated that it would patch any leaks flagged by WikiLeaks. 

"When we receive information, regardless of the source, about anything that needs to be patched, we will take the necessary steps to remedy," said Denelle Dixon-Thayer, Mozilla’s Chief Legal and Business Officer.

The CIA leaks included descriptions of a wide assortment of hacking techniques used by the agency. WikiLeaks made an effort not to release any source code that could be used to endanger systems. 

The companies in the tweet are not the only companies known to be in the leaked CIA documents. Tech giants Intel and Samsung have also already surfaced in the massive trove of files. 

“[Classification] poses a problem for those government contractors with clearances who want to review the material for defensive purposes, whether they do so with WikiLeaks’ cooperation or not,” said Baker, who added that “this is a really bad Obama-era policy that this administration should revisit.” 

Attackers won't wait for documents to be declassified.

“Saying ‘it’s still classified’ won’t keep the Russians or the North Koreans or a bunch of Eastern European credit card scammers from reviewing the material to find attacks they can use on Americans," Baker said.

Baker also pointed out that the issue could become even more complex if WikiLeaks uses the release as an opportunity to request donations, in which case it could appear that manufacturers might be indirectly purchasing classified information.

But even if tech companies break the law, it's not certain they'll be prosecuted. 

“Who is going to stop them? It would be a nightmare PR stunt,” said Bradley Moss, deputy executive director at the James Madison Project and a national security attorney at the Law Offices of Mark Zaid.

“Could the feds prosecute? Sure. But they probably won’t, for the same reasons the feds don’t prosecute people who read leaks in the New York Times.”