After NSA leaks, a renewed interest in vulnerability disclosure
Code leaked by the Shadow Brokers group has set off calls from security researchers and tech groups for a national conversation about vulnerability disclosure policy.
The code leaked by the Shadow Brokers group last week has set off calls from security researchers and tech groups for a national conversation about vulnerability disclosure policy.
The code contains about a dozen vulnerabilities affecting firewall manufacturers that many industry professionals believe to be exploits used by the National Security Agency (NSA).
While the Obama administration's Vulnerability Equities Process (VEP) calls on intelligence agencies to disclose security vulnerabilities by default, tech companies and security pros are concerned by the prospect of an unknown number of zero-day vulnerabilities possessed by intelligence agencies.
The Shadow Brokers leak highlights the need for transparency in the government's disclosure process, according to Mozilla senior policy manager Heather West. “If the government chooses to engage in lawful hacking, it must also support responsible disclosure,” she wrote in an email to SCMagazine.com.
This sentiment is echoed by security and policy pros. The government should release all of the 0-days that they believe were stolen by Shadow Brokers, according to Steve McGregory, senior director of Ixia's ATI team. “That should be a no-brainer, but nobody is talking about that right now,” he told SCMagazine.com. “The fact that these 0-days may now be in this other group's hands, I find that even more dangerous.”
Robyn Greene, policy counsel and government affairs lead at New America's Open Technology Institute, told SCMagazine.com that the leaked code has made it clear that vulnerability disclosure policy needs reform. “The leaks are further evidence that the policy is not working,” she said. “There are not the transparency and oversight mechanisms in place to effectively weigh the equities involved in disclosing a vulnerability or keeping it secret.”
Greene noted that legislators “have been more interested in VEP than they have been in the past.”
Last month, the Open Tech Institute and New America's Cybersecurity Initiative published a policy report that explored vulnerability policy. The paper, entitled “Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications,” suggested that the U.S. government “minimize its participation in the vulnerability market, since it is the largest buyer in a market that discourages researchers from disclosing [vulnerabilities] to be patched.”
Another paper published a month earlier, “Government's Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process,” offered similar suggestions. The report, co-written by former White House senior director for cybersecurity Ari Schwartz and former National Security Council director for cybersecurity policy Rob Knake, called on the Obama administration to issue an executive order that would formalize and require government-wide compliance with the VEP, publish the criteria used to determine whether a zero-day vulnerability will be disclosed, require that decisions to retain zero-day vulnerabilities for government use be subject to periodic review, and prohibit agencies from entering into non-disclosure agreements with vulnerability researchers.
McGregory added that Ixia confirmed 11 exploits affecting Cisco, Fortinet, and TopSec firewalls in the leaked Shadow Brokers code. The majority of the attacks affect the Chinese firewall manufacturer TopSec.
It is “almost certain that there are more undisclosed vulnerabilities - that's the reality of the software industry,” according to Heather West at Mozilla. “Code is never perfectly secure,” she wrote.
On Tuesday, a spokesman for Rep. Bennie Thompson (D-MS), Ranking Member of the U.S. House Committee on Homeland Security, announced a cybersecurity hearing scheduled for next month. The spokesman told Politico that the hearing may examine the Shadow Brokers leak and vulnerability disclosure policy.
The U.S. has not yet had “an open conversation about whether the government is hacking and how it hacks,” New America's Robyn Greene said. “I can only imagine that these Shadow Brokers leaks will heighten the sense of urgency in addressing these issues.”