What Is Julian Assange's Game? Helping Putin, It Seems

WikiLeaks founder Julian Assange speaks at the Ecuadorian Embassy on February 5, 2016 in London. Herbert Lin writes that one has to wonder—if the actions of WikiLeaks could have had the effect of significantly weakening cybersecurity rather than strengthening it (as they criticize the CIA for not doing)—what are their real motives? Carl Court/Getty

The hypocrisy of WikiLeaks should now be transparent to all, even those who initially supported them.

Earlier this month, WikiLeaks posted a trove of documents, allegedly from the CIA, describing various hacking tools that the CIA has in its possession. Many of these tools are based on vulnerabilities in existing computer systems and computer-driven devices, such as televisions.

A vulnerability is a security flaw that is inadvertently introduced by a vendor into its product, and the WikiLeaks press release argued strongly that the CIA had compromised the cybersecurity of the nation and the world by not disclosing these vulnerabilities so that the vendors could fix them.

Nonsense. In fact, the party most immediately responsible for reducing the cybersecurity of the nation and the world is WikiLeaks itself.

The WikiLeaks argument is almost correct, but it fails in one critical way. Yes, disclosure improves security—but only when the vendor has a chance to fix the problem. In the cybersecurity community, disclosure is usually done by notifying the vendor of a problem—privately—and allowing them a certain amount of time to fix it. Public disclosure occurs when the discoverer of the problem feels that the vendor is dragging its heels in fixing it. This practice is known as responsible disclosure.

WikiLeaks received documents discussing the vulnerabilities on which many of the CIA hacking tools are based. But these documents were secret, and WikiLeaks chose to compromise their secrecy.

In other words, WikiLeaks also had the option of contacting vendors and notifying them privately so that they could patch the vulnerabilities—but there is no indication that WikiLeaks did anything with them except post them on its website, and in enough detail to be useful to would-be attackers.

The immediate result of the WikiLeaks post (and there may be more to come) is that a large number of vulnerabilities in commonly used computer systems are now available for all the world to see. And since WikiLeaks decided to surprise vendors (along with the rest of the world) without fixes for these vulnerabilities being available, our computer systems and devices are indeed all less secure.

As it turns out (no thanks to WikiLeaks), many of the vulnerabilities they disclosed had already been discovered by vendors and they have been fixed, at least in the most recent versions of their products. But devices running old software will continue to be vulnerable until their owners update them.

The idea that responsible disclosure entails private notification of vendors can't be unknown to WikiLeaks—indeed, their press release mentions it. So one has to wonder: If the actions of WikiLeaks could have had the effect of significantly weakening cybersecurity rather than strengthening it (as they criticize the CIA for not doing), what are their real motives?

I don't presume to speak for WikiLeaks, since only their members know their motives. But from where I stand, I see an organization whose actions enhanced Russian efforts to meddle in the November election, complicated U.S. diplomatic efforts through the release of the Manning documents and now make the entire world more vulnerable to being hacked.

I conclude that the actions of WikiLeaks are most consistent with those of an entity that wants to tear down U.S. and world institutions without much to offer to replace them.

If I were speculating, I might suspect that WikiLeaks was in bed with Russia.

Herbert Lin is a senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in cyber policy and security at the Hoover Institution, both at Stanford University.