Perhaps the best way to describe the latest CIA-hacking revelations from Wikileaks is this: extraordinarily unsurprising. Spy agencies after all are tasked with - well - spying.

Whether the CIA's alleged hacking of consumer devices is justified or dangerous can be dealt with elsewhere. What is of immediate interest for members of the bar is how such data dumps will impact their businesses and how they should prepare for similar revelations in the future.

Indeed there are some key questions that require serious thought on the part of in-house counsel everywhere as a result of the hacking revelations. They include:

  • Why is the newest batch of Wikileaks bad news? And do we need a formal process for learning about government created vulnerabilities?
  • How should users of compromised devices react to this story (assume everything compromised - have enterprise defenses in place)?

These are not idle questions – already one manufacturer named in the Wikileaks disclosures is facing litigation related to the alleged hacking. It is thus more prudent than ever for in-house counsel to understand the risks they face from governments and others hacking their devices.

To truly understand the threat exposed by the Wikileaks revelations, we should revisit a basic assumption about software: approximately 5 percent of code contains errors. Considering that each new generation of software contains more code than before, that means that there is much more opportunity for hackers to “crack the code.”

Look at it this way: the American space shuttle contained approximately 420,000 lines of custom created software. In contrast, the average 2017 smartphone has approximately 10,000,000 lines of custom software. That translates into 500,000 potential errors that hackers can rummage through to find exploitable vulnerabilities. It is easy to see from that number alone why software hacks are not going away.

Turning back to Wikileaks, the alleged vulnerabilities pose a unique conundrum for the impacted developers: the specifics of a vulnerability may be classified because they were revealed via stolen CIA material. That handcuffs companies that want to learn more about the hack affecting their products, as accepting vulnerability information from Wikileaks about the hack may constitute a crime under U.S. law. At the same time, if developers know there is a problem with a device but don't seek details, they could face potential civil litigation or even shareholder suits.

While there is no perfect response to this situation, there definitely are steps companies can take. First and foremost, if a developer sees that their product has been allegedly compromised by whatever source - including via Wikileaks - they need to be in contact with federal law enforcement. There are information sharing mechanisms in place that allow the government to share such information with impacted companies (including the mysterious Vulnerabilities Equities Process or “VEP”). More on that later.

Second, this also is a good reminder to companies that the era of just accepting coding errors as part of the overall design process is coming to an end. We have already seen companies forced to settle claims over undisclosed software vulnerabilities, and the universe of viable claims regarding allegedly deficient software is likely to grow.

A related but equally important challenge for developers is whether they should have a formal method for demanding information about government created vulnerabilities. To a certain degree that capability exists under the previously mentioned VEP. The VEP created a process for internal government debate on whether to release software vulnerability information.

But is the VEP process enough? In-house counsel and C-suite executives may want to ask themselves the following questions:

  • Should the VEP be formally memorialized by statute?
  • If so, should the decision-making criteria for revealing government created vulnerabilities be adjusted?
  • Should a company have the right to be automatically informed of a US government created vulnerability if it comes to light that a foreign government is exploiting the same vulnerability?
  • Should there be a compensation process if a company is financially harmed as a result of government created vulnerabilities?
  • Do non-US software and hardware developers deserve the same consideration regarding vulnerability creation and disclosure as US companies?
  • At a higher level, do we need “rules of the road” for when US government agencies create or use vulnerabilities associated with commercial software?

There are undoubtedly more questions here, but the underlying issue remains the same – is there enough visibility into how the US is creating vulnerabilities, and what responsibilities does it carry as a result?

Moving on from questions about what developers need to do regarding the Wikileaks revelations, the big question for every other in-house counsel is how they should react to the discovery of so many common vulnerabilities. With a shrug? Or perhaps they toss exploited smartphones, go back to tube televisions, and act as if every wall has eyes and ears?

In short, there is no need for in-house counsel to panic, but they do need to worry about the security threat posed by every connected device. If anything, the Wikileaks revelations reinforce the lesson that there are innumerable ways modern connected devices can rapidly be turned into electronic listening posts. And more to the point, if the CIA is doing this, you can be darn sure foreign spy agencies and criminal gangs are looking for and using similar vulnerabilities to conduct espionage, crime, and general mayhem.

Given that, it seems incumbent on in-house counsel, information security staff, and others in charge of mitigating these risks to let the Wikileaks story serve as the final push needed to implement an enterprise-wide device management strategy. In other words, if companies are not doing so already, they now need to make it a top priority to know what devices are connected to their systems and what those devices are doing.

The good part about such a strategy is that there are already a variety of tools available from companies that can perform such tasks. Indeed, companies like ForeScout even offer tools that can automatically identify the security capabilities of a device such as a connected camera and then determine whether its software needs to be updated or if the device should be isolated in order to minimize security risks.

At the end of the day, in-house counsel should view the Wikileaks story as a blessing in disguise. These kinds of moments help shape future policies, and with some bold thinking and clear-headed advocacy, companies can put themselves in a much better position to react to news of government developed software vulnerabilities. Ignoring this story is fraught with danger, as sadly, software vulnerabilities are one of the few certainties left in the 21st century.

Reprinted with permission from the March 21, 2017 edition of Corporate Counsel. ©2017 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited.