US intelligence can’t break vulnerability hoarding habit

US intelligence agencies are, according to the White House, about to become more “transparent” about the process they follow in deciding what to do with software vulnerabilities they find.

That is, deciding whether to notify vendors so the vulnerabilities can be patched, or keep them secret so they can be used to probe or attack criminal or hostile nation-state systems.

In a blog post this past Wednesday, White House Cybersecurity Coordinator Rob Joyce disclosed a new version of the highly controversial Vulnerabilities Equities Process (VEP) – the method used to decide what the government does with the bugs.

Joyce acknowledged what he called “the tension” – which is more of a ferocious debate – over letting vendors know about the vulnerabilities or hoarding them to be used against “extremely capable actors whose actions might otherwise go undiscovered and unchecked.”

The challenge is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace.

The new VEP charter, he said, will reduce that tension through more transparency and better representation of the interests of all “stakeholders.”

The document is getting mixed reviews. Heather West, senior policy manager, Americas principal at Mozilla, writing on the company blog, said, “we’re excited to see the White House make progress on this important issue.”

Kate Charlet, Sasha Romanosky and Bert Thompson, writing on the Lawfare blog, called it, “a long-needed step… toward increasing transparency on this controversial process.”

But Bruce Schneier, CTO of IBM Resilient Systems and a regular critic of government hoarding of software vulnerabilities, was much less impressed, calling it, “the same old policy with some new transparency measures – which I’m not sure I trust,” given that:

The devil is in the details, and we don’t know the details – and it has giant loopholes that pretty much anything can fall through.

He cited one of those giant loopholes in the language of the new VEP charter:

The United States Government’s decision to disclose or restrict vulnerability information could be subject to restrictions by partner agreements and sensitive operations. Vulnerabilities that fall within these categories will be cataloged by the originating Department/Agency internally and reported directly to the Chair of the ERB (Equities Review Board).

The details of these categories are outlined in Annex C, which is classified. Quantities of excepted vulnerabilities from each department and agency will be provided in ERB meetings to all members.

But Joyce contends that giving stakeholders a seat at the table, allowing more debate and making those who operate the VEP accountable will give citizens, “confidence in the integrity of the process that underpins decision making about discovered vulnerabilities.”

West called the White House’s move “similar” to what is proposed in the PATCH (Protecting our Ability to Counter Hacking) Act, a bipartisan bill pending in Congress that, among other things, calls for government to hold secret vulnerabilities for a much shorter time. She said the VEP charter ought to include that.

Joyce talked about a six-month window for retaining a vulnerability (the charter itself says a year), and a quicker reconsideration for a particularly sensitive vulnerability or one about which there isn’t broad agreement on retaining it. This reconsideration is critical: just because something is useful today doesn’t make it useful in six months – and indeed, the longer it is kept, the more likely it is that someone else has discovered it too.

But, all the discussion about how to decide what to keep secret and what to disclose is irrelevant if you can’t keep the secret flaws secret.

Over the last few years we’ve seen several high-profile breaches of government agencies, the highest-profile of which remains that of former National Security Agency (NSA) contractor Edward Snowden, who in 2013 released documents that proved the agency was spying on US citizens.

But he’s not the only one. Since the summer of 2016, a hacker group called the Shadow Brokers has been releasing a cache of top-secret NSA spying capabilities – software bugs that the agency, obviously, failed to keep secret.

And starting earlier this year, Wikileaks began releasing no-longer-secret tools used by the CIA to exploit not only foreign targets but also the technology of giants like Microsoft and Apple to enable surveillance.

Those exposed flaws have been used to damage millions of people and thousands of businesses; the WannaCry ransomware attack is just one example.

Joyce had little to say about all that, other than to acknowledge that government:

…also has an important responsibility to closely guard and protect vulnerabilities as carefully as our military services protect the traditional weapons retained to fight our nation’s wars.