When the Government Discloses Cyber Vulnerabilities

In 2014, the US government published a public response to the unrest that followed the Heartbleed revelation. “Heartbleed” was the name given to a bug in SSL software that threatened the security of two-thirds of the internet’s websites as well as a huge portion of major internet infrastructure. Needless to say, people were upset to hear about the zero-day, particularly when two anonymous sources accused the US National Security Agency of having known about the vulnerability for two years prior. The NSA denied these claims, but many people refused to believe any other narrative.

Accordingly, the US government released a rare explanation of how it deals with newly discovered vulnerabilities.

“While we had no prior knowledge of the existence of Heartbleed, this case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public. As with so many national security issues, the answer may seem clear to some, but the reality is much more complicated,” it begins.

“One thing is clear: This administration takes seriously its commitment to an open and interoperable, secure and reliable internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.”

The public announcement then addresses its efforts to revise and improve the Vulnerabilities Equities Process, or VEP:

“This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities, so that everyone can have confidence in the integrity of the process we use to make these decisions. We rely on the internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.”

The announcement then moves on to address times when it makes sense to keep a vulnerability secret:

“…there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” it warns.

Given these trade-offs, the government then lists the questions that help it to decide whether to disclose a vulnerability:

“How much is the vulnerable system used in core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems? Does the vulnerability, if left unpatched, impose significant risk? How much harm could an adversary nation or criminal group do with knowledge of this vulnerability? How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it? Could we utilize the vulnerability for a short period of time before we disclose it? How likely is it that someone else will discover the vulnerability? Can the vulnerability be patched or otherwise mitigated?”
