Cybersecurity

Ex-White House officials call for reform of zero-day disclosures

Shutterstock image.

A dearth of public information on the U.S. government's framework for disclosing software vulnerabilities has led to an "unnecessary lack of public confidence" in a process with big implications for internet security, two former White House cybersecurity officials argue in a new paper.

The interagency Vulnerability Equities Process assesses whether the government should reveal or hoard a previously unknown, or zero-day, software flaws. Disclosing a zero day allows companies to issue software patches, plugging holes in internet security. Retaining the bugs can give the government a powerful intelligence-gathering tool.

The two former officials, Ari Schwartz and Rob Knake, are calling on the White House to more clearly articulate the government's criteria for retaining or releasing zero-day vulnerabilities. Doing so would build public confidence in the program, Schwartz and Knake write in a paper for the Harvard Kennedy School's Belfer Center.

Michael Daniel, the White House cybersecurity coordinator who chairs the VEP, has said there are "no hard and fast rules" for the process but instead general principles for assessing the tradeoffs between disclosure and retention.

The VEP gained greater attention in April when the FBI chose not to submit the method it used to unlock the iPhone of one of the San Bernardino, Calif., shooters to the process. Critics said the episode illustrated an opaque process given to manipulation by agencies.

Jason Healey, another former White House cybersecurity official, told FCW then that "it certainly seems possible, if not, likely" that the FBI wrote the contract for the iPhone flaw specifically to bypass the VEP.

FBI officials said they did not know enough about the iPhone vulnerability to submit it to the VEP. Schwartz and Knake want to avoid that situation in the future by prohibiting agencies from entering into non-disclosure agreements with zero-day salesmen.

Without exclusive rights over the zero-day, there is a "risk that it could be sold or shared with other actors working against the national security interest of the United States," Schwartz and Knake argue.

The former White House officials also want the president to issue an executive order that makes compliance to a zero-day policy mandatory.

Transfer of oversight

For Schwartz and Knake, the National Security Agency's recent reorganization, which included a push to better integrate the agency's signals intelligence and information assurance directorates, makes reforming the VEP all the more important.

The NSA's Information Assurance Directorate currently serves as the Executive Secretary for the VEP, according to Schwartz and Knake, but the agency's fusing of its directorates "throws into question whether NSA can serve as the neutral manager of the process," they write. That duty should shift to the Department of Homeland Security, they say.

Christopher Soghoian, principal technologist with the American Civil Liberties Union's Speech, Privacy, and Technology Project, noted a tension in the paper's call for more funding of zero-day research and any policy that would favor more disclosure of vulnerabilities.

Schwartz and Knake "want a quick cycle of [government] switching from one 0-day to the next," Soghoian tweeted.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.