The White House has given a peek behind what factors the federal government considers when deciding whether to disclose knowledge of computer vulnerabilities to the public.
According to a blog post by Michael Daniel, special assistant to the president and cybersecurity coordinator, the conversation has come up in response to Heartbleed, a widespread security vulnerability of which, Daniel said, the government, including the FBI and NSA, had no prior knowledge.
In the post published on Monday, Daniel argued that there are pros and cons to the decision to disclose.
“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” he said.
On the other hand, “building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected” would not be in the government’s best interest, he said.
“Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area,” Daniel said.
These principles include whether the vulnerable system is core to the Internet infrastructure (as Heartbleed was), whether the vulnerability poses a significant risk if left unpatched, and the likelihood of someone else exploiting it. These are just a few of nine questions agencies are supposed to ask before determining the approach to a specific vulnerability – whether to disclose it or add it to the “stockpile.”
The Obama administration released a cybersecurity framework earlier this year to help protect critical infrastructure from cyberattacks. One of the central components of the framework is information-sharing between the public and private sectors.
A report from ThreatPost notes that the private sector could actually help the NSA and other agencies identify zero-day vulnerabilities.
“If the US government decided today to stop all of its internal vulnerability and exploit development, it would have little effect. The contractor community would be right there to fill the void,” according to ThreatPost. “The concerning thing about the government’s zero-day program isn’t that it has one; it would be worrisome if the US didn’t do this kind of research, because everyone else certainly is. The real issue is how the government handles the vulnerabilities it discovers. It’s not realistic to expect intelligence and defense agencies to spend millions of dollars and thousands of man-hours to find vulnerabilities and then disclose them immediately. That would defeat the purpose. But there needs to be a better process than the one we currently have, which is opaque but surely heavily influenced by intelligence agencies.”
While it would be nice to believe that the government operates with the greater good in mind when determining whether to disclose cybersecurity vulnerabilities, many US citizens and service providers likely won’t take what the NSA has to say about this issue at face value. With this in mind, many cloud users are actually taking the security of their data into their own hands through new cloud encryption services.