Smarting from speculation that the U.S. intelligence community hoarded knowledge of the Heartbleed bug, which has put millions of Internet-facing servers and devices at risk, the White House on Tuesday gave the public some insight into how it decides whether to release information about vulnerabilities in computer software and hardware.
“This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” the President’s Cybersecurity Coordinator Michael Daniel wrote in The White House blog.
“This has been and continues to be the case,” he added.
Nevertheless, the decision to disclose a vulnerability can be complex, Daniel noted, because such disclosures may result in a missed opportunity to collect intelligence to thwart a terrorist attack, stop the theft of intellectual property, or discover even more dangerous vulnerabilities being used by hackers or other adversaries of the United States.
On the other hand, “building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” Daniel wrote. “But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run.”
Rules of Disclosure
Although the government has no hard-and-fast rules about the release of vulnerabilities, Daniel cited a series of questions that are weighed before a decision is made to withhold one. They include the following:
- How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
Daniel’s blog post reveals some of the angst generated in intelligence circles when a vulnerability is discovered.
“This is a constant debate in the intelligence community,” former Navy Rear Admiral James Barnett, head of the cybersecurity practice at Venable, told TechNewsWorld.
“It has to be looked at from a national security standpoint,” he said. “It’s a balancing decision. The pros have to be weighed with the cons.”
Credibility via Credit
“I think that Michael Daniel did a very good job of disclosing the pros and cons that must be weighed in determining whether a vulnerability should be disclosed or not,” Jeffrey Carr, CEO of Taia Global and author of Inside Cyber Warfare: Mapping the Cyber Underworld, told TechNewsWorld.
“However, he failed to address a serious conflict of interest that exists with the NSA’s dual missions,” Carr added. “It cannot defend military networks that rely on U.S. products while at the same time looking for vulnerabilities to exploit in those products, which are also used by many of the countries that the NSA is interested in spying on.”
The most revealing disclosure in Daniel’s blog may be the admission that the government sits on vulnerabilities when it suits its purposes.
“Everybody knew they didn’t disclose those kinds of vulnerabilities — but in the past, the intelligence community has stonewalled questions like that,” Jeff Davis, vice president of engineering at Quarri Technologies, told TechNewsWorld.
Other than that, Daniel “doesn’t say much,” Davis maintained.
“He acknowledged that they sometimes don’t disclose vulnerabilities, and he talked about a decision-making framework for deciding when to disclose vulnerabilities, but he did not give any indication about how often they disclose and how often they don’t,” he pointed out.
“In the end, it’s all very abstract,” observed Davis. “We have this decision-making framework. Here are some of the kinds of things we consider. Very little concrete information is given, such as in the last six months, we’ve looked at 600 vulnerabilities and made this decision X number of times.”
If the framework outlined by Daniel is to have any credibility, then the government must be publicly credited for the vulnerabilities it does report, maintained Timo Hirvonen, a senior researcher at F-Secure.
“Government agencies should get credit for exposing vulnerabilities,” he told TechNewsWorld. “Google and Adobe, when they publish their security advisories, always tell who reported the vulnerability to them. Until we see the NSA on those security advisories, there’s probably not much credibility to this framework.”
One-Way Information Highway
In the past, the government’s attitude toward sharing information about vulnerabilities, or anything else, has been criticized as a one-way street, with intelligence flowing into Washington but very little flowing out. That has changed in recent times, according to Matt Standart, director of threat intelligence at HBGary.
“The whole one-way street thing is going away,” he told TechNewsWorld. “I’ve experienced that working with government agencies for well over eight years. At first, it was very rare to find a government agency who would partner as opposed to take. Now you see it leveling out so there’s much more bidirectional flow of information.”
Despite the government’s newfound willingness to play better with others, the revelations about the intelligence community and the NSA by Edward Snowden have significantly degraded the government’s credibility in the eyes of many and made it a target of suspicion for many more.
“People now assume that if something bad happens on the Internet, it must be the NSA’s fault,” James Lewis, a senior fellow at the Center for Strategic and International Studies, told TechNewsWorld.
That distrust likely will continue until there is a change of occupant in the White House.
“As Nietzsche said, ‘I’m not upset that you lied to me’ — the NSA has been lying forever about its activities — ‘I’m upset that I can never trust you again,’ which is what happens when lies are discovered and exposed,” Richard Stiennon, chief research analyst at IT-Harvest, told TechNewsWorld. “It will be at least until the next administration before the government can start rebuilding trust.”