WikiLeaks founder Julian Assange pledged Thursday to provide technology companies with the technical details needed to fix product flaws that were exposed when his organization published documents that apparently show how the Central Intelligence Agency hacks into phones and other devices.
The 8,761 documents that WikiLeaks posted on its website Tuesday described malware and other tools used to exploit a wide range of commercial products including smartphones, software and equipment from Apple, Alphabet’s Google, Samsung, and Microsoft.
The documents sent companies scrambling to uncover what specific security flaws the attacks might be exploiting. And Mr. Assange’s offer on Thursday created a fresh set of complications for the companies dealing with the leak.
White House press secretary Sean Spicer warned companies on Thursday that accepting classified material from WikiLeaks could be violating the law. They should check with the Justice Department in advance, he said.
When WikiLeaks released the information the antisecrecy organization said it obtained from the CIA files, the organization had put tech companies in the position of knowing they might have security vulnerabilities but not knowing how to address the flaws and protect their customers.
“After considering what we think is the best way to proceed and hearing the calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out,” Mr Assange said during a news conference broadcast online.
The CIA lashed out Thursday at Mr. Assange and WikiLeaks for disclosures that the group has said represents an overreach by US intelligence officials. Neither the CIA nor the White House has commented on the authenticity of the documents.
“Julian Assange is not exactly a bastion of truth and integrity,” CIA spokesman Jonathan Liu said. “Despite the efforts of Assange and his ilk, [the] CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states, and other adversaries.”
The tech companies must now decide whether they’re willing to accept WikiLeaks’ offer. Having in hand the actual code used in the purported CIA hacking tools would enable the companies to understand the exact holes in their products. But the prospect of working with an organization that publishes stolen government secrets also raises delicate ethical, legal and public-relations issues.
Although it would be “unheard of” for the federal government to prosecute a company for using leaked classified information to improve its products, there “are some issues with the fact that the information is classified,” said Jennifer Granick, director of civil liberties at Stanford Law School’s Center for internet and Society.
Given uncertainty about the views of the Justice Department, “I can see why legal counsel at big companies might hesitate to reach out to Julian Assange to negotiate access to classified information,” she said.
Apple and Samsung didn’t respond to requests for comment Thursday. Google declined to comment on whether it would work with WikiLeaks.
“We’ve seen Julian Assange’s statement and have not yet been contacted,” a Microsoft spokesman said Thursday.
The spokesman said that Microsoft’s initial review of the WikiLeaks documents showed that most of the issues are dated and likely have been addressed in its latest software.
Several other companies named in the documents, including Apple and Google, said Wednesday that their initial reviews indicated that existing software updates had already addressed many of the vulnerabilities described in the WikiLeaks document. Still, they said, the reviews were continuing.
In a blog post Wednesday, Cisco Systems said that its ability to address issues the documents raised was limited without more detail, but once the code was released the company would be able to analyze it and produce updates if necessary. Most of the companies whose products are mentioned in the WikiLeaks documents face the same situation, security experts said.
Cisco declined to comment Thursday on whether it is willing to work with WikiLeaks. The company said it has a protocol for investigating and fixing bugs if it receives a report of a vulnerability.
WikiLeaks plans to release more of the documents and files that the organization obtained.
“Once this material is effectively disarmed by us by removing critical components, we will publish additional details of what has been occurring,” Mr. Assange said.
Mr. Assange said that the need to fix these flaws is pressing, given that others might be in possession of the tools.
“It is impossible to keep effective control of cyberweapons,” he said. “If you build them, you will lose them.”
In a statement Wednesday, the CIA gave what appeared to be a justification for amassing an arsenal of hi-tech hacking tools.
“It is the CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad,” the agency said. “America deserves nothing less.”
The agency also said it is legally prohibited from conducting electronic surveillance targeting Americans at home in the US and doesn’t do so. The CIA said Americans should be troubled by any WikiLeaks disclosure designed to damage the US intelligence community’s ability to protect America from adversaries.
“Such disclosures not only jeopardize US personnel and operations but also equip our adversaries with tools and information to do us harm,” the CIA said.
WikiLeaks said it had disclosed the information to inspire a debate about what limits should be placed on the CIA’s ability to hack computers and electronic devices.