Having a clearly-defined vulnerability equities process bound by an executive order would build public trust and improve accountability, according to Ari Schwartz and Rob Knake
A dearth of public information on the U.S. government's framework for disclosing software vulnerabilities has led to an "unnecessary lack of public confidence" in a process with big implications for internet security, two former White House cybersecurity officials argue in a new paper.
The interagency Vulnerability Equities Process assesses whether the government should reveal or hoard a previously unknown, or zero-day, software flaws. Disclosing a zero day allows companies to issue software patches, plugging holes in internet security. Retaining the bugs can give the government a powerful intelligence-gathering tool.
The two former officials, Ari Schwartz and Rob Knake, are calling on the White House to more clearly articulate the government's criteria for retaining or releasing zero-day vulnerabilities. Doing so would build public confidence in the program, Schwartz and Knake write in a paper for the Harvard Kennedy School's Belfer Center.
Michael Daniel, the White House cybersecurity coordinator who chairs the VEP, has said there are "no hard and fast rules" for the process but instead general principles for assessing the tradeoffs between disclosure and retention.
The VEP gained greater attention in April when the FBI chose not to submit the method it used to unlock the iPhone of one of the San Bernardino, Calif., shooters to the process. Critics said the episode illustrated an opaque process given to manipulation by agencies.
Jason Healey, another former White House cybersecurity official, told FCW then that "it certainly seems possible, if not, likely" that the FBI wrote the contract for the iPhone flaw specifically to bypass the VEP.
FBI officials said they did not know enough about the iPhone vulnerability to submit it to the VEP. Schwartz and Knake want to avoid that situation in the future by prohibiting agencies from entering into non-disclosure agreements with zero-day salesmen.
Without exclusive rights over the zero-day, there is a "risk that it could be sold or shared with other actors working against the national security interest of the United States," Schwartz and Knake argue.
The former White House officials also want the president to issue an executive order that makes compliance to a zero-day policy mandatory.
Transfer of oversight
For Schwartz and Knake, the National Security Agency's recent reorganization, which included a push to better integrate the agency's signals intelligence and information assurance directorates, makes reforming the VEP all the more important.
The NSA's Information Assurance Directorate currently serves as the Executive Secretary for the VEP, according to Schwartz and Knake, but the agency's fusing of its directorates "throws into question whether NSA can serve as the neutral manager of the process," they write. That duty should shift to the Department of Homeland Security, they say.
Christopher Soghoian, principal technologist with the American Civil Liberties Union's Speech, Privacy, and Technology Project, noted a tension in the paper's call for more funding of zero-day research and any policy that would favor more disclosure of vulnerabilities.
Schwartz and Knake "want a quick cycle of [government] switching from one 0-day to the next," Soghoian tweeted.