It is no secret that we live in a dangerous world where espionage activity is increasingly reliant on state of the art tools to exploit flaws in software, hardware and even encryption protocols. The U.S. government in particular uses these tools to give them access to information that might otherwise not be available to the agencies that claim to be making the world a safer place. But while governments exploit these weaknesses they also by and large keep the knowledge of the vulnerability to themselves. But by failing to disclose a vulnerability the U.S. government is preventing companies and other players from attempting to address potential security issues. Product vendors, including some global players like Microsoft, have been vocal about their dissatisfaction. And in an attempt to address concerns, the White House has released their codified approach – the ‘Vulnerabilities Equities Process‘ that sets the high level parameters to which vulnerabilities they will reveal to industry.
The reluctance of U.S. authorities is (at least from their point of view) understandable – why provide information that could be used to plug potential leaks when vulnerabilities provide access to a wealth of data?
Double-edged sword in the hands of the U.S. government
But this is a double-edged sword – the very tools that exploit these software flaws are themselves subject to hacking – there have been instances where the tools have leaked into the real world and the effects have been disastrous. One the most well-known exploits of a leaked government agency tool is the WannaCry ransomware, which was based on a stolen NSA hacking tool. This resulted in financial institutions, telecommunications service providers and hospitals being subjected to malware attacks that locked down computers until the hackers were paid a hefty ransom. Industry leaders were not happy about the incident – and that is putting it mildly. Brad Smith, Microsoft’s Chief Counsel, criticized the U.S. government for keeping vulnerabilities a secret from companies that can patch them.
The WannaCry incident is only one example of hackers accessing tools used by U.S. agencies. In April of 2017, it was revealed that a hacker group by the name of ‘Shadow Brokers’ had been leaking highly classified material obtained from the NSA. Part of the information revealed that the NSA was hacking Middle Eastern financial services providers – and that this might only be the tip of the iceberg when it came to the NSA’s penetration of the global financial system. The leak revealed that the NSA had hacked into EastNets – a Dubai-based company that oversees payments via the SWIFT international system for clients across the Middle East. It was revealed that the NSA had penetrated systems from companies in Qatar, Dubai, Syria, Yemen, Abu Dhabi and the Palestinian territories. Not only did Shadow Brokers reveal that information – it also released a bundle of NSA hacking tools for use on Windows systems.
One of the issues that has faced the U.S. government is that there has – until now been no unified set of rules and regulations that would give guidance as to how to deal with the challenge of which vulnerabilities should be revealed without compromising ongoing espionage and covert data gathering efforts.
A code seeking balance – the Vulnerabilities Equities Process
In mid November 2017, the White House released information on exactly how the U.S. government balances the demands of law enforcement, espionage, and intelligence gathering. The unclassified information provides the charter and the decision making rules for the “Vulnerabilities Equities Process.” Revamped under the Obama administration, the Vulnerabilities Equities Process is a multi-agency arrangement involving (amongst others) the CIA, NSA and Homeland Security.
The Vulnerabilities Equities Process provides some transparency on just how the U.S. government weighs up which vulnerabilities it will alert companies to – and which it will not. The danger is of course that it may very well be a case of ‘the fox guarding the henhouse’. If the U.S. government and its agencies make the decisions, will the temptation be to release lesser vulnerabilities while still playing its cards close to its chest when it comes to releasing glaring and potentially devastating vulnerabilities that nonetheless allow agencies involved in clandestine data gathering exercise to continue their operations under the radar.
Brad Smith from Microsoft seemingly hit the nail on the head when he was commenting on the Wannacry incident, where a Windows vulnerability was stolen from the NSA and exploited. Smith had this to say; ‘an equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.”
“The governments of the world should treat this attack as a wake-up call. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
But is the Vulnerabilities Equities Process enough?
The effectiveness of the Vulnerabilities Equities Process is still being tested. The question of whether or not it will in fact allow companies to plug flaws in software and hardware in a meaningful manner is still open to debate. Without a full disclosure of all vulnerabilities it seems, at least on the face of it, that the U.S. government is applying a band aid to what is in effect a haemorrhaging wound as far as security vulnerability is concerned. Clandestine operations and espionage rely on secrecy – that’s a given – however, balancing the needs of companies and those who develop hardware and software with national security interest is an incredibly difficult balancing act and one that the U.S. government continues to grapple with.