There are some obvious implications of Wikileaks's publication of documents revealing CIA hacking methods:
- Potential targets of CIA hacking (terrorists, enemy states, etc.) may adjust their defenses.
- If (when) hackers duplicate the CIA's methods, companies in the private sector may need to adjust their own defenses.
- IT companies will almost certainly need to consider whether the security of their products is now compromised.
But there are some less-obvious legal implications, too:
- Can Wikileaks or others involved in the disclosure be held liable for the commercial costs that this disclosure may create?
- Is there risk in accessing and downloading the disclosures, given that the documents' leakage certainly violates a slew of federal laws? (Some companies categorically refuse to let their employees and agents search for information on Wikileaks due to this risk, and sometimes just out of principle.)
- Do companies have an obligation to their employees, customers, and other stakeholders to review and assess the Wikileaks disclosures? And would this obligation be in tension with the risks of accessing the disclosures?
- In particular, do IT companies have an obligation to review the disclosures and patch any vulnerabilities disclosed about their products? (In the past, the US FTC has dinged companies for failing to issue security updates for known flaws. But does this impose a further duty to go out and discover flaws?)
These aren't easy questions, but they're questions that people are going to have to grapple with quickly.
Anti-secrecy group WikiLeaks on Tuesday said it had obtained a secret trove of hacking tools used by the CIA to break into or circumvent the security of phones, communication apps and other devices, and published confidential documents describing those programs.