Governments need to do more, and say more, on vulnerability handling

Modern warfare has moved online and the “fifth domain” of cyberspace is today a battlefield in its own right. But in many ways that is where the similarities to other domains end, as cyberweapons and the techniques used to develop and employ them are meaningfully distinct from the conventional weapons of modern warfare.  To create a cyberweapon, governments and sophisticated threat actors exploit unintentional weaknesses or “vulnerabilities” found in mass-market hardware and software products or services and apply techniques developed to exploit those weaknesses.  The damaging effects of the resulting cyberweapons – especially when mishandled – can extend far beyond an intended target, potentially impacting millions of innocent users around the world.

In a further departure from conventional weaponry, cyberweapons can be recycled easily and indefinitely by third parties.  After being released “into the wild,” cyberweapons can be, wholly or in part, co-opted for ulterior purposes by nation states and cyber-criminals alike, as demonstrated in the WannaCry attack in May 2017 that downed computer systems in 150 countries.  And once in use by cyber-criminals, the security community continues to fight to eradicate a vulnerability for years, possibly for the entire lifecycle of the product, hardware, or service being exploited.

Governments are beginning to consider the risks associated with discovering or acquiring cybersecurity vulnerabilities and the wide-ranging scope of potential impact if they are exploited for use in a cyberweapon.  While there may be national security benefits from acquiring and retaining such vulnerabilities, these benefits must be weighed against the risks that those same vulnerabilities may be used against a government’s own computing infrastructure, all its citizens, and, potentially, interdependent organizations around the world.  The speed and ease with which cyberweapons can be recycled heighten these risks in ways that are incomparable to other domains of conflict and, at a certain point, become unacceptable.  Minimizing risk in developing these capabilities requires that governments have deliberative processes in place that include relevant stakeholders, and the potential damage of such capabilities requires that such processes be made public.

At the end of 2017, the US government took a promising step towards greater transparency in this space, when it revised and, more importantly, publicly released significant portions of its Vulnerability Equities Process (VEP).   The VEP details when and how the US government will choose to disclose cyber vulnerabilities it either uncovers or purchases, and work on this process has spanned three years and two administrations. The 2017 update enhanced the transparency of the process, in part by identifying the respective departments and agencies represented on the vulnerability review committee (a mix of intelligence and civilian agencies), the criteria used for determining whether to disclose a vulnerability, and the mechanism for handling disagreements within the committee.  It also calls for annual reports on the program’s performance.

Yet areas for improvement remain, both in the United States and around the world.  The US government approach does not yet share its calculus for assessing the broader economic impact when it discovers or acquires a vulnerability, including not only how it measures direct impacts to consumers but also economic security issues related to the resilience and reliability of the global technology ecosystem.  The US approach also does not seem to include in its analysis the “long tail” of cleanup when a vulnerability is released into the broader public, nor does it yet take into consideration how to address other forces seeking to leverage vulnerabilities at the state or local level, where law enforcement needs may call for the use of a vulnerability as part of an investigation.

While estimates of how many countries have offensive cyber capabilities vary widely, the lowest begin at forty.  The number of VEPs around the world is even more difficult to ascertain, with the United States being one of the few governments willing to openly discuss its process.  While it is rumored that other countries have put similar frameworks in place and that a few more, predominantly European, countries are likely to adopt them soon, this remains an opaque area of government action that requires both transparency and input from the private sector companies that will need to mitigate the effects of those exploits in products around the world. This is especially concerning given the growing interest and willingness among various government departments to “hack” their way to accomplishing national security or law enforcement objectives.

To strike an appropriate balance between risks and benefits, governments should prioritize investing in defensive rather than offensive technologies and develop policies that clearly define how they acquire, retain, and use vulnerability information. Central to this approach should be a presumption of private disclosure over the retention of vulnerabilities, and the principles underpinning this process should do the following:

  • Presume disclosure as the starting point;
  • Clearly consider the impact on the computing ecosystem if the vulnerability is released publicly and the costs associated with cleanup and mitigation;
  • Clearly define the process of making a disclosure decision and identify the stakeholders at the departmental level, ensuring that stakeholders represent not only national security and law enforcement but also economic, consumer, and diplomatic interests;
  • Make public the criteria used in determining whether to disclose a vulnerability or not. In addition to assessing the relevance of the vulnerability to national security, these criteria should also consider threat and impact, impact on international partners, and commercial concerns;
  • Mandate that all government-held vulnerabilities, irrespective of where or how they have been identified, go through an evaluation process leading to a decision to disclose or retain them;
  • Prohibit any vulnerability non-disclosure agreements between governments and contractors, resellers, or security researchers and limit any other exceptions, e.g., for sensitive issues;
  • Prohibit use of contractors or other third parties as a means of circumventing the disclosure process;
  • Ensure any decision to retain a vulnerability is subject to a six-month review;
  • Establish oversight through an independent body within the government with an annual public report on the body’s activities;
  • Expand funding for defensive vulnerability discovery and research;
  • Ensure disclosure procedures are in line with coordinated vulnerability disclosure, an industry best practice; and
  • Ensure that any retained vulnerabilities are secure from theft (or loss).

The signatories of the Tech Accord have always believed that protecting the public interest in cyberspace requires robust collaboration between the government and private sectors.  When the government approach to vulnerabilities favors stockpiling over disclosure, this critical collaboration is weakened, and we risk losing the public’s trust in cyberspace.  For technology companies and developers to be effective partners in protecting users, they must be active participants in the awareness and mitigation of new vulnerabilities.  In particular, it is incumbent upon developers to be transparent about how they receive vulnerability information, to act on it in a timely, risk-based manner, and to communicate with affected customers and users about the existence of vulnerabilities and about the availability of mitigations. Finally, having a coordinated vulnerability disclosure policy in place demonstrates companies’ commitment to acting on vulnerability information received and to contributing concretely to the stability of cyberspace.