For those who have spent the last month under a big stone:
WikiLeaks recently published a lot of information about a set of malware created by the FBI and nicknamed “Vault 7”. It included specimens able to break into and take control of almost any kind of CPU-based device – smartphones running iOS or Android, PCs running Windows, macOS or Linux, etc. The FBI declared that this publication is a breach of national security, and that this exposure made the USA less secure.
I beg to differ.
What makes the USA less secure is the existence of this trove. More specifically, the fact that the FBI knew about the software vulnerabilities its malware exploits, but never notified the software manufacturers about them. Consequently, the disclosure of these vulnerabilities makes the USA more secure. In this particular case, what is bad for the FBI might be good for the USA.
First, let’s put a big question aside. Let’s assume that the FBI would absolutely never use these tools to spy, unless that spying is benevolent and only protects the USA. Further, let’s assume that the FBI will never collect any information other than what it needs to protect the USA. Also, that it will never use this information for any goal other than protecting the USA. (For example, that Watergate-style spying is impossible in principle.) And that every single FBI member is a white knight who will never betray their agency and never use its activities for personal gain. (If you have more ideas on how to make the FBI even more benevolent, use them here.)
Even all of this will not change the fact that hiding these vulnerabilities did harm to the USA, bigger than any gain the FBI could have made by exploiting them.
There are no FBI-specific software vulnerabilities. Every vulnerability is open to exploitation by anyone who knows about it. The mentality “we are the best, only we will know about it” is one of the most thoroughly tested and proven pieces of nonsense in existence. The entities that make a living from constantly searching for software vulnerabilities probably number in the hundreds. All big intelligence services are into this, including those of most countries that are usually up to no good. And hundreds of cybercriminal gangs are into it too. Those two kinds of players together employ far more people, and consequently far more talent, than the FBI. It would be a miracle if they didn’t find most, if not all, of the vulnerabilities the FBI has found.
The similarity ends here. Even if not perfect, the FBI is still a generally benevolent entity, trying to mostly limit its activities to protecting its country. It has a mostly responsible approach to acquiring information and protecting that information. These things, however, are true neither for the intelligence services of authoritarian and aggressive countries, nor for the cyber criminals. Neither of these is benevolent or responsible to any degree, at least towards the USA. Both kinds will happily eavesdrop on, or attack, any American – the first because of the principled enmity of dictators towards democracies, the second because Americans tend to be richer than most other peoples.
By not telling the software manufacturers about these vulnerabilities, the FBI left American citizens at the mercy of tens of intelligence services of authoritarian governments that hate the USA, and of hundreds of cyber criminals who would happily empty Americans’ pockets, blackmail them or even disrupt important activities for fun and as a demonstration of power. It is true that in this way the FBI also gives itself the opportunity to obtain information that can protect Americans to some extent. However, the losses are bigger than the gains by orders of magnitude.
To sum it all up: in this particular case the FBI exposed America to harm, and WikiLeaks helped prevent that harm in the future.
Whether the FBI or WikiLeaks are happy with the roles they played in that is another topic.