Government hoarding of software vulnerabilities needs more transparency, tech firms say
Several major technology companies are calling for increased transparency from the U.S. government after WikiLeaks published CIA documents showing that the spy agency knew of vulnerabilities in software products but did not disclose them.
“We need to look at this like what is the probability that something will be found by other adversaries. There are many elements that need to go into that decision, and being transparent on what the criteria is” will help the government be more open while protecting classified material, said Intel Security’s Chief Technology Officer Steve Grobman during a hearing Wednesday by the Senate Committee on Commerce, Science, and Transportation.
“I think the key thing is transparency,” Grobman said, referring to the vulnerabilities equities process, or VEP.
The VEP is a secretive framework that essentially guides when and if a federal agency will notify an organization of a known software flaw that was discovered by the U.S. government. Because software and hardware vulnerabilities can be leveraged to conduct digital espionage operations, among other things, there are cases in which the government selectively chooses to keep this information secret.
Grobman and Caleb Barlow, IBM Security’s vice president for threat intelligence, told senators that the government needs to be more forthcoming about what it keeps and why it’s necessary.
The VEP has come under fire in recent years due in part to the exposure of classified material concerning government hacking operations. Exacerbating this situation is the fact that the private sector remains largely in the dark with regard to the criteria, timeframe for disclosure and identity of individuals who sit on the review board overseeing the VEP.
“There are cases where the government needs to keep zero day vulnerabilities to ourselves for national security reasons. But I’ll caveat that by saying that if we can’t keep those secret — and there are going to be a lot of insider disclosures as there has been — then we undermine our credibility by saying that we can’t disclose vulnerabilities,” said Eric Rosenbach, the former chief of staff at the Office of the Secretary of Defense.
Rosenbach, who also served as an assistant secretary of Defense, testified alongside Grobman, Barlow and other private sector executives from cybersecurity firm Cylance and private venture capital firm Menlo Ventures.
WikiLeaks claims it acquired the aforementioned CIA documents from a disgruntled defense contractor. Last year, a mysterious actor known simply as the “Shadow Brokers” also stole headlines after publishing a trove of supposed NSA hacking tools. As a result, executable code for some of these exploits was posted in full online, prompting cybersecurity teams at targeted technology firms to rapidly develop updates and deploy software patches.
“Objectively did this start a conversation? The answer is yes,” Symantec Global Government Affairs and Policy Senior Director Jeff Greene told CyberScoop, regarding the leaked CIA documents. “I would say it has definitely renewed the conversation. This has been ongoing and it’s a conversation that we’ve been a part of.”
Washington’s relationship with Silicon Valley has recovered somewhat in recent years following a period of heightened tension triggered by the publication of classified NSA documents provided to newspapers by former defense contractor Edward Snowden. Even so, the recent dissemination of classified material is reigniting the debate regarding how the U.S. government balances privacy rights against national security needs.
The previous Defense secretary, Ash Carter, “took very, very seriously the need to rebuild bridges with Silicon Valley after the Snowden disclosures and part of that is transparency,” Rosenbach said. “And if we know that the greater good is to disclose some of those vulnerabilities to vendors and U.S. firms that’s good for the country because we want it to be the center of gravity for the economy. And if we don’t do that then we’re sort of shooting ourselves in the foot.”