Thoughts on the vault7 CIA/Wikileaks disclosures

Wikileaks’ release of thousands of confidential CIA documents today is yet another demonstration of just how vulnerable the cybersecurity domain is. Unless we do a better job of identifying our vulnerabilities, attackers – be they criminals, hacktivists, hobbyists, or nation-state agencies – can and will take advantage of them. What’s uncertain is when.

Before today, it is fairly safe to assume that the exploit data released, and due to be released, by Wikileaks was known only to a small number of government agencies and to the people who discovered the vulnerabilities and wrote the exploits. With this release, those exploits are now in the hands of anyone who wants them, including malicious attackers who will no doubt use them for their own purposes over the coming weeks.

Also in this mix are the targeted vendors, who, before today, were likely unaware of the specific vulnerabilities these exploits target. Right now, their security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and directing their engineering teams to create patches. The net outcome over the long term is actually a good thing for Internet security – the vulnerabilities these tools exploited will be patched, and the risk to consumers reduced as a result – but for now we are entering yet another Shadow Brokers, Stuxnet, Flame or Duqu moment: a period of actively exploitable 0-days bouncing around in the wild.

In an ironic way, you could say that Wikileaks, the CIA, and the original exploit authors have combined to provide the same knowledge as the “good old days” of full disclosure – but with far less control and a great many more side effects than if the vendors had taken the initiative themselves. This, in part, is why the full disclosure approach evolved into the coordinated disclosure and bug bounty models that are commonplace today.

We can address this uncertainty and remove fear, however, by taking a hard look at our applications and systems and not being afraid to find out where we’re vulnerable. We can’t protect what we can’t see. Stories like today’s Wikileaks release are less and less surprising and, to some extent, are starting to be normalized. It’s only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to a proactive vulnerability discovery strategy, and the vulnerabilities exploited by these toolkits – and the risk those vulnerabilities create for the Internet – will become less and less common.