It is no secret that we live in a dangerous world where espionage activity is increasingly reliant on state-of-the-art tools to exploit flaws in software, hardware and even encryption protocols. The U.S. government in particular uses these tools to gain access to information that might otherwise not be available to the agencies that claim to be making the world a safer place. But while governments exploit these weaknesses, they also by and large keep knowledge of the vulnerability to themselves. By failing to disclose a vulnerability, the U.S. government prevents companies and other players from attempting to address potential security issues. Product vendors, including some global players like Microsoft, have been vocal about their dissatisfaction. In an attempt to address these concerns, the White House has released its codified approach, the ‘Vulnerabilities Equities Process’, which sets the high-level parameters for deciding which vulnerabilities it will reveal to industry.
The reluctance of U.S. authorities is (at least from their point of view) understandable – why provide information that could be used to plug potential leaks when vulnerabilities provide access to a wealth of data?
Double-edged sword in the hands of the U.S. government
But this is a double-edged sword: the very tools that exploit these software flaws are themselves subject to hacking, and there have been instances where the tools have leaked into the real world with disastrous effects. One of the most well-known exploits of a leaked government agency tool is the WannaCry ransomware, which was based on a stolen NSA hacking tool. This resulted in financial institutions, telecommunications service providers and hospitals being subjected to malware attacks that locked down computers until the hackers were paid a hefty ransom. Industry leaders were not happy about the incident, and that is putting it mildly. Brad Smith, Microsoft’s Chief Counsel, criticized the U.S. government for keeping vulnerabilities secret from the companies that can patch them.
The WannaCry incident is only one example of hackers accessing tools used by U.S. agencies. In April of 2017, it was revealed that a hacker group by the name of ‘Shadow Brokers’ had been leaking highly classified material obtained from the NSA. Part of the information revealed that the NSA was hacking Middle Eastern financial services providers – and that this might only be the tip of the iceberg when it came to the NSA’s penetration of the global financial system. The leak revealed that the NSA had hacked into EastNets – a Dubai-based company that oversees payments via the SWIFT international system for clients across the Middle East. It was revealed that the NSA had penetrated systems from companies in Qatar, Dubai, Syria, Yemen, Abu Dhabi and the Palestinian territories. Not only did Shadow Brokers reveal that information – it also released a bundle of NSA hacking tools for use on Windows systems.
One of the issues that has faced the U.S. government is that there has, until now, been no unified set of rules and regulations giving guidance on which vulnerabilities should be revealed without compromising ongoing espionage and covert data-gathering efforts.
A code seeking balance – the Vulnerabilities Equities Process
In mid-November 2017, the White House released information on exactly how the U.S. government balances the demands of law enforcement, espionage, and intelligence gathering. The unclassified information provides the charter and the decision-making rules for the “Vulnerabilities Equities Process.” Revamped under the Obama administration, the Vulnerabilities Equities Process is a multi-agency arrangement involving (amongst others) the CIA, the NSA and Homeland Security.