WikiLeaks’ release of a massive cache of data describing CIA hacking tools has renewed a debate over how well the U.S. government balances the protection of Americans’ cybersecurity against the need to protect national security, reports the Washington Post. Some of the tools, WikiLeaks says, are based on “zero-day” flaws — or previously unknown software bugs — for targeting iPhone and Android devices. “At a time of increasingly damaging hacking by cybercriminals and governments, it’s essential that U.S. agencies not undermine the security of our digital systems,” said Ben Wizner of the American Civil Liberties Union’s Speech, Privacy and Technology Project. “These documents, which appear to be authentic, show that the intelligence community has deliberately maintained vulnerabilities in the most common devices used by hundreds of millions of people.” He added, “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”
Former Obama administration cyber officials take a more tempered view. “The idea that there’s an operational need for the CIA to target Apple and Google overseas shouldn’t surprise anybody, given the pervasiveness of the Android and iPhone,” said Rob Knake, who left the administration in 2015. Obama officials established a policy in early 2014 that called for agencies including the CIA, the National Security Agency, the FBI and the Secret Service to submit software flaws they discovered or purchased for review by all the agencies with an interest in their use or disclosure. The policy is called the “Vulnerabilities Equities Process,” and it is not designed “to disclose all vulnerabilities,” Knake said. “The policy is not unilateral disarmament of the United States.” Michael Daniel, the former top cybersecurity adviser to President Obama, said that while officials would “weigh very heavily toward disclosure” a software flaw found in an Apple or Microsoft or other widely-used product, “there’s no hard-and-fast rule that says because this is in an Apple system, we must disclose it.”