Slashdot Mirror


Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

12 of 246 comments

  1. Who's Responsibility? by ISoldat53 · · Score: 5, Insightful

    Is it the CIA's responsibility to point these out? How many "flaws" are intentional?

    1. Re:Who's Responsibility? by Anonymous Coward · · Score: 5, Insightful

      Did you not read the summary?

      Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

      It's their job.

    2. Re:Who's Responsibility? by goombah99 · · Score: 4, Insightful

      It's like how when the CIA discovers a Russian General has a secret to hide they never blackmail him but immediately notify the Russian Authorities of their vulnerability.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    3. Re:Who's Responsibility? by Opportunist · · Score: 4, Insightful

      It's the CIA's job to protect Americans and keep them safe. Its job also includes protecting the US' trade secrets and commercial interests. And that by definition entails making sure that enemies of the US, be it military or economic, cannot abuse security problems that may affect US interests.

      In other words, yes, pointing those security flaws out to manufacturers and making sure that these flaws cannot be abused by enemies of the US and its assets is pretty much the definition of the CIA mandate.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Who's Responsibility? by Archtech · · Score: 1, Insightful

      It's like how when the CIA discovers a Russian General has a secret to hide they never blackmail him but immediately notify the Russian Authorities of their vulnerability.

      That's logical, because Russia - like the USA - is the CIA's enemy.

      --
      I am sure that there are many other solipsists out there.
    5. Re: Who's Responsibility? by Impy the Impiuos Imp · · Score: 3, Insightful

      Tbh they would probably argue they are protecting the safety of US citizens by maintaining a spy capability. That is their job, not turning over those same vulnerabilities.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    6. Re: Who's Responsibility? by Anonymous Coward · · Score: 4, Insightful

      The problem with not having this released by Wikileaks is that until now, the people who claimed this capability existed were labeled as paranoid conspiracy theorists. Same thing with Snowden's leaks. I saw a column in the USA Today just now that said Americans don't need to worry because the CIA doesn't spy on Americans. Utter crap. They give the tools to European agencies to spy on us in the USA and we spy on their citizens for them.
      National security does not justify whatever they want to do. They no longer fear prosecution because no one faced consequences after the Snowden leaks.
      Basically, if nothing happens now except a manhunt for the whistleblower, we are all freaking doomed.

  2. Re:I don't agree by Fire_Wraith · · Score: 5, Insightful

    You are incorrect. The NSA does have an explicit Information Assurance mission, but it also has an intelligence collection mission. Also, while the CIA does not have an explicit IA mission, its ultimate goal is the defense of the nation, which does not preclude issuing warnings about uncovered vulnerabilities.

    The problem is that they both have two conflicting goals when it comes to a discovered vulnerability, which can be used both by others to attack us and by those agencies to gather intelligence. The term for it in the Intelligence Community is the "Equities Problem." This wasn't an issue in the past, because in the days of the Cold War for instance, the systems/codes/etc. the Soviets were using were entirely different from American ones. Discovering a vulnerability in a Soviet cryptography system was only useful for intelligence gathering, whereas patching a vulnerability in an American cryptography system would not imperil our foreign intelligence collection activities.

    In today's world however, everyone basically uses the same systems. This presents a quandary for the three-letter-agency folks. Do we patch everything and shut off our ability to gain information, possibly missing key information about a future attack? Do we keep the vulnerabilities secret to enable more collection, knowing that one of those vulnerabilities will someday be used to attack us and that we could have prevented it? Do we somehow try and muddle through, knowing that we may wind up with the worst of both?

  3. This is why people fear Artificial Intelligence by SharpFang · · Score: 4, Insightful

    So obsessed with the letter of the mission statement, that you forget its spirit. Subjects you were meant to serve become means, and disposable resources in achieving goals that no longer serve their purpose, as the cost outweighs benefits by way too much.

    The CIA was created to protect the safety of US citizens. It got specific goals and means by which it would serve in that mission, and focused on them so much the mission went entirely out of focus. Collateral damage is no longer considered an issue. No matter how much the CIA hurts and weakens the USA, it considers the actions a success if the "enemy" (actual or potential) is weakened in the process.

    It's silly to expect a spy agency to obey the law and always play fair. But whatever it does, no matter how nefarious and slimy, it should always put the good of its citizens first. And it's ridiculous to expect that whatever they might have gained through holding on to these exploits outweighs the losses of the public caused by the non-disclosure. The CIA no longer serves the USA. The CIA just serves the goals of the CIA, and if the means to these goals conflict with the good of the USA, so be it, USA be damned.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  4. I disagree by Weaselmancer · · Score: 5, Insightful

    It is the job of the CIA to collect intelligence. Central Intelligence Agency, right there in the name. It's not their job to post software patches.

    I think what Cindy Cohn meant was "it would sure be nice if the CIA had let us know about the problems rather than keep them secret", and I agree that would have been awfully nice of them - but wanting the CIA to reveal tactical information that helps it do its job is silly.

    They're a spy agency, folks. This is what spies do.

    --
    Weaselmancer
    rediculous.
  5. Re:I don't agree by tinkerton · · Score: 4, Insightful

    Seems there is another problem. Suppose you start from agencies with well defined responsibilities with their matching checks to control them (well, hypothetically, let's say 'better defined'). The FBI is domestic but has its constraints. The NSA does hacking but has its constraints. The CIA does spying.
    Then if the CIA expands into the domestic front and into the hacking front without the constraints (and the foreign intervention front as well, it could be said), you have a problem with unchecked power. The common response though is 'the CIA is defending us, they don't need to be constrained.' Yeah right. The whole security apparatus has gotten completely out of hand.

  6. That is nice. Now what? by houghi · · Score: 3, Insightful

    So they are guilty. The NSA are guilty. The FBI are guilty. The whole government is guilty. And all I see is a lot of people discussing it and no action taken.

    If I as a kid stole a cookie and my mom told me off and I stole another one and still nothing happened, why would I stop stealing the cookies? They are great tasting cookies.

    As long as there are no consequences, except for some whining, why would they NOT do it? You can discuss it among yourselves, but they do not care.

    --
    Don't fight for your country, if your country does not fight for you.