Is government handling zero-days all wrong?
A former cybersecurity advisor to Bush and Obama thinks the Vulnerability Equities Process has its disclosure priorities backwards.
When determining whether or not to disclose discovered vulnerabilities, the implications for the American economy, not national security, should be the leading priority, a former cybersecurity advisor to Presidents George W. Bush and Barack Obama contends.
Currently, the Vulnerabilities Equities Process is an Obama administration national security policy that assesses whether the value of keeping newly discovered vulnerabilities as intelligence outweighs the security risk to the government and public of leaving them unpatched. However, the process often makes determinations "in the favor of intelligence and intelligence gathering for national security purposes," said Melissa Hathaway, now senior adviser for the Cyber Security Project at Harvard University's Kennedy School of Government.
During these reviews, "very rarely did we actually declassify and inform for defense, and we never actually, really, thought about the economic consequences if we didn't actually share it," she said, "[For] too long the vulnerability disclosure process has been weighted in one direction."
Hathaway argued that, as more and more cyberattacks target infrastructure and industry, these priorities should be inverted. She pointed to the growing trend of distributed denial of service attacks and hacking attempts aimed at businesses and core infrastructure.
"I think that it's really time, now, in the face of WannaCry, and in the face of some of the vulnerabilities that are being exploited in the core of our economies that we need to start to think about the [VEP] in reverse," she said. "We should start to think about if it's pervasive in our electric, in our telecommunications, in our financial systems, are we going to disclose in order to ensure .... economic survivability?"
Hathaway said that after the theft of NSA tools, government has "a responsibility to disclose," and added that she was worried the response has not been to work with vendors to close known vulnerabilities.
"Economic security is part and parcel of national security. We think of them as separate things, but… you can't have one at the expense of the other," she said. "They're all entangled."
She also said that with the explosion of internet of things devices, particularly those in the medical device arena, the United States can no longer afford to exist in a "built first, patch later" IT environment.
Sens. Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.) and Cory Gardner (R-Colo.) have introduced the Protecting Our Ability to Counter Hacking Act of 2017, which would codify the VEP board, create a Vulnerabilities Equities Review Board led by the Department of Homeland Security and bring more agencies to the table.
Hathaway said that while she expects the PATCH Act "will go through some revisions," she was encouraged that the initial legislation formalizes the process, provides additional oversight and includes the Departments of Homeland Security, Commerce and Treasury and "not just the intelligence community."
She suggested the "gentlemen's agreement" that exists in industry, in which companies will agree to inform each other of vulnerabilities before going public with them, could serve as a model for vulnerability disclosure and product liability.
As for the posture taken so far by the Trump administration, Hathaway said she viewed the long-awaited cyber executive order "as, generally, a delay tactic," pointing to the "more than 14 cyberspace policy reviews" included in the order.
"We do not have the talent within the United States government to produce all of these reports," she said. "We need to actually get down to the business of actually executing the more than 100 recommendations that come out over the past 10 years and past the two presidents."
Hathaway said the American Technology Council, stood up by a separate executive order, needs to make sure that security is core to its government-wide IT modernization efforts and not "a secondary thought."
Security "has to be essential to the overall movement," she said. "Right now, I don't see that, necessarily, as part of the conversation."