The alleged CIA practice of deliberately keeping software exploits unpatched for potential access is like not giving sick people penicillin, said John McAfee, the creator of McAfee antivirus, commenting on the latest WikiLeaks data trove.
The anti-secrecy website on Tuesday published a trove of classified documents related to the US arsenal of cyberweapons. Among other things, WikiLeaks alleged that the CIA failed to follow the Obama administration's commitment not to hoard “zero day” exploits, vulnerabilities in software that the general IT community, including software producers, is unaware of. The White House pledged to promptly report such vulnerabilities to producers so that they could patch them.
The failure is akin to deliberately denying ill people medicine that the government has, said John McAfee, the creator of McAfee antivirus, a decision that he called “horrific”.
“The CIA has confirmed that they knew of ‘zero day’ exploits years in advance of the manufacturers of the software finding out,” he said. “Basically, by not fixing those faults it puts customers of Google, Apple, Microsoft and many other American manufacturers at risk, it puts their reputation at risk, and it costs us all billions of dollars.”
The CIA's reasoning may be less sinister than a wish to keep everyone vulnerable to its own hacking. For instance, the agency could believe that malicious actors might learn of ‘zero day’ exploits from the tech companies and use the window of opportunity before they are fixed to mount an attack, but McAfee said this was still troublesome.
“Seriously, aren’t we doing the same thing as having a bunch of ill people in our population, and the CIA has a boatload of penicillin, which could cure us, but they are not going to give it to us, because the enemy may get access to it. Do you see the horror of this?” he said.
McAfee believes that with practices like this, the CIA has failed its mandate to protect the American people.
“If John O. Brennan and Michael Hayden, the past CIA directors under Obama, were here, I would like to say: Shame! Shame on you!” he said.
The developer says the world needs a new paradigm for dealing with cyberweapons, because they are potentially “many times more devastating” than nuclear weapons, yet by nature can be used stealthily or fall into the hands of non-government entities.
“That’s what happens. All cybertools are stolen; there are no secrets in this world. As sophisticated as the CIA is in developing weaponized software, they are just as ignorant of cybersecurity measures, just because we have none in this world,” he said. “They knew at some point they would be taken, and next time next year it’s going to be on the darkweb, and a 15-year-old kid could buy the entire set for a hundred dollars. This is the reality.”
WikiLeaks claims to have the CIA cyber arsenal at its disposal and has pledged to work with independent software researchers to analyze the tools and ensure that the exploits they use are patched. The site is believed to have received the data cache from a private contractor of the agency.