Responsible vulnerability disclosure is becoming an international norm
More and more countries are joining the United States in adopting a policy of weighing the pros and cons of responsible vulnerability disclosure, as the public calls for more clarity regarding intelligence agencies and their supposed hoarding of previously undiscovered software flaws.
The U.S. started using its own Vulnerability Equities Process in 2010, according to declassified documents, although it didn’t reveal the VEP publicly until 2014 — to help allay suspicions that the National Security Agency might have secretly known about the massive HeartBleed vulnerability.
Now, other democracies are following suit, but it’s not clear if this will put pressure on “bad actor” nations to follow other countries’ lead.
Just this month, the Canadian national broadcaster CBC reported for the first time that the country’s equivalent of the NSA, the Communications Security Establishment (CSE), had a comparable process to the VEP — although it is not public and the agency wouldn’t even say what it’s called.
“CSE has a rigorous process in place to review and assess software vulnerabilities,” agency spokesman Ryan Foreman told CBC. “This longstanding assessment process is carried out by a panel of experts from across CSE.”
The Canadian news outlet reported that “the panel meets ‘regularly,’ according to Foreman, though he declined to say how often or how many times they have met in recent years.”
The Netherlands Ministry of Security and Justice, through its support of the Global Forum on Cyber Expertise in Holland, is promoting a Coordinated Vulnerability Disclosure Initiative for European governments, according to its website.
At a Center for European Policy Studies workshop over the summer, an official from the ministry outlined the initiative. “The Dutch government is leading the way,” according to a report of the workshop from CEPS. “The French agency ASSI is also actively participating. Other countries like Italy are catching up in this process … There is a real need for better harmonization of vulnerabilities disclosure and handling the process at the national level.”
Robert Hannigan, director of Government Communications Headquarters, the U.K. equivalent to the NSA, said last year his agency had “disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business.”
That last point underlines one of the ways in which the U.S. government might be differently incentivized from its allies, noted Jason Healey a scholar at Columbia University’s School for International and Public Affairs.
“The U.S. is in a somewhat unique position because so many of those companies” — which make the software products that have become ubiquitous in the Internet age — “are based here,” Healey told CyberScoop. “They are stakeholders in the U.S. economy with a seat at the table … That’s less true for the Dutch for instance.”
“Every government has different considerations,” said Heather West, a senior policy manager at Mozilla. However she pointed out that, in Europe, the Dutch government is actually “a bit ahead” of others.
Governments, including the U.S., have a responsibility to help safeguard the interests of all stakeholders in the internet ecosystem, said West.
“Creating these [VEP-type] processes is an important part of that responsibility … They need to be working with us to keep our products secure, if for no other reason than that they use them too,” she told CyberScoop.
Under the VEP, U.S. officials weigh the benefits of disclosing a newly discovered software flaw to the manufacturer or have the government retain it for spying on foreign adversaries. The problem is, in a globalized IT marketplace, everyone is relying on the same software. Hoarding vulnerabilities might boost the capabilities of intelligence services to eavesdrop; but it arguably makes the internet ecosystem as a whole less secure — leaving unpatched holes in widely used software that can be discovered by other hackers.
Healey, a former White House cybersecurity official, says just as a company is required to stand up an email address to which vulnerability reports can be sent to, so governments need a disclosure process.
“It’s a kind of government equivalent of the expectation on a large company that they’ll have a Coordinated Vulnerability Disclosure process,” Healey said. “You have to a have a process, with some degree of transparency, some degree of political control and oversight.”
“Just as [CVD] processes get more mature,” graduating from that email address to a full-fledged program, so VEPs should become “more transparent as they become more mature … with a greater bias towards disclosure,” said Healey, who has written a study of the U.S. VEP.
While countries continue to explore responsible disclosure, some U.S. officials aren’t holding their breath for VEP-like processes to become a part of international norms, especially among notorious “bad actor” nations in cyberspace, like Russia or China.
Setting and enforcing universal norms in cyberspace “is hard to do in a big multinational forum,” said White House Cybersecurity Rob Joyce at a recent event. “We’re going to be working with like-minded countries to start to enforce the norms that we’ve talked about.”
“I don’t think they’d even go so far as to admit that they were looking for vulnerabilities,” said one senior U.S. cybersecurity official who worked this issue. “These [VEP-style] processes require transparency, they require some degree of [legal and political] accountability and oversight. There is none of that in those countries.”
The official was granted anonymity in order to speak freely about a process that has been very sensitive at the highest levels of U.S. cybersecurity policy.
The U.S. was leading by example, the official said, “The U.S. is in the forefront of thinking about this and understanding the risks and benefits.”
The U.S. never promoted a VEP-type process as an international norm, because, according to the official, “the norms we promoted [through the G20 for example] were the most critical ones related to state-on-state actions … It wasn’t intended to be an exhaustive list … They were not the full set of norms you’d hope that every state would follow.”
The official also acknowledged that “There is value in having other countries do this … It helps make the ecosystem more secure,” but added, “There are some countries that will just never do it [VEP]. They don’t have transparency [in regard to their intelligence services], they don’t value the ecosystem and they don’t respect other stakeholders.”
Nonetheless, there would be value to those countries signing on, even if they were paying lip-service, the official said, “Countries that are bad actors have signed on [to the G20 norms] … If the bad guys agree, that’s a bonus … You have something to make them accountable for.”
Besides, if only U.S. allies sign up, “That is exactly in line with what this administration has said they want to do,” noted Healey. “We have a good chance to get agreement from our allies and other democracies.”