The Department of Homeland Security, not the NSA, should be in charge of deciding whether and when the U.S. government discloses new software vulnerabilities its researchers find, two former senior White House cybersecurity staffers wrote Friday.
In a study published by Harvard’s Belfer Center, Ari Schwartz and Rob Knake also recommend increased transparency for the decision-making, known inside the federal government as the Vulnerabilities Equity Process or VEP, and better funding for government research into newly discovered vulnerabilities — called zero-days. They also suggest a ban on the practice of agencies buying zero-days from private firms with non-disclosure agreements attached.
Their study, titled “Government’s Role in Vulnerability Disclosure,” proved controversial Friday, with several cybersecurity experts lashing out at their vision of how the federal government should handle the complex equities involved in disclosing zero-days found by the feds.
Outside of government, white-hat hackers who find zero-days generally operate according to a well-understood set of principles called responsible or coordinated disclosure. This entails alerting software manufacturers privately to the vulnerability, and giving them a reasonable amount of time — generally 90 days or more — to fix it, before publishing details.
But inside government, the guidelines have been less clear. Software vulnerabilities, especially those that allow a remote attacker to take control of a machine or an application, can be very useful for foreign intelligence gathering and — when deployed pursuant to a warrant — domestic criminal investigations.
The same vulnerabilities, however, can be exploited by hackers unaffiliated with U.S. agencies, including online criminal gangs or foreign cyberspies. Hence the question: what obligation, if any, do government hackers have to notify technology developers of flaws discovered in their software?
The question came up with particular force in April 2014 when the NSA was accused of holding back knowledge about Heartbleed — the mega bug that affected encryption services all across the internet.
In response to the charges, White House Cybersecurity Coordinator Michael Daniel disclosed the existence of the VEP for the first time in a blog post. The government, he wrote, uses a “deliberate process that is biased toward responsibly disclosing [a] vulnerability” but there are “no hard and fast rules” governing it.
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” Daniel wrote. “But that is not the same as arguing that we should completely forgo this tool [zero-days] as a way to conduct intelligence collection, and better protect our country in the long-run.”
Schwartz and Knake previously worked on the VEP under Daniel. In their study they argue for a bias toward disclosure, but only when the circumstances make sense — like after an investigation concludes or a criminal is apprehended.
Then, earlier this year, internal U.S. documents obtained through a Freedom of Information Act request by the Electronic Frontier Foundation revealed that the NSA’s Information Assurance Directorate, or IAD, was effectively in charge of the process, serving as its “executive secretariat.” IAD was the division of the agency charged with ensuring the security of U.S. computer systems.
But now, IAD is merging with the electronic eavesdropping element of the NSA, the Signals Intelligence Directorate, which houses the hacking teams that make use of zero-days to spy on America’s adversaries. The merger, Schwartz and Knake note, throws into question whether the NSA can be a neutral arbiter. As a result, the study recommends that management of the VEP should be transferred to DHS.
Schwartz, currently a managing director of cybersecurity services at D.C. firm Venable LLP, and Knake, a Senior Fellow at the Council on Foreign Relations, also argue that there needs to be more transparency around the process, and advocate for independent oversight of it through Congress.
Reform is required, they write. And it is particularly necessary in relation to non-disclosure agreements signed between U.S. agencies and vulnerability resellers — like the one reportedly entered into by the FBI with Israeli mobile forensics firm Cellebrite.
Based on current statutes, they write, the FBI is not required to disclose the exploit it bought — which was reportedly used to hack into the iPhone used by the San Bernardino shooter.
Schwartz and Knake’s report is already receiving backlash from some in the privacy and technology community because it not only promotes the use of zero-day exploits, but recommends that additional zero-day disclosures should lead to increased funding — so government hackers can find more.
Christopher Soghoian, a prominent privacy advocate and security researcher, is critical of the paper, which he dubbed “absurd.” He described one issue with the program this way on Twitter: “if US gov is to report 0-day exploits, they need more $$ to find new ones.”
In an email interview, Schwartz explained that scalable funding is important as more vulnerabilities are disclosed. “As the number of new technologies increase and the security of technology improves (in part because of greater disclosure), as the pace to find vulnerabilities speeds up, government researchers will clearly need more resources to do their jobs, no matter their mission.”
Soghoian believes that the report effectively “blesses” law enforcement’s use of zero-day hacking. “They just want a quick cycle of gov switching from one 0-day to the next,” he tweeted. Instead, Soghoian has advocated for direct curbs on the actual employment of zero-day hacking over time by the government.
Schwartz responded to Soghoian’s criticism by saying that “vulnerabilities exist whether government researchers find them or malicious hackers find them.”
“We are recommending greater research to find the vulnerabilities and report them so that they can be fixed. Also note that our position on this is consistent with many well known security experts,” Schwartz said.