The U.S. government took the first steps toward codifying the Vulnerabilities Equities Process into law yesterday through the introduction of the Protecting Our Ability to Counter Hacking (PATCH) Act of 2017.
The VEP is the internal process by which the government decides which software vulnerabilities in its possession it will disclose to vendors, and which it will hold on to and exploit for the purposes of intelligence gathering and supporting national security operations.
The bipartisan act, sponsored by U.S. Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas), calls for the establishment of a VEP Review Board that would consist of the highest-ranking members of the intelligence community. The board's mandate would be to formalize the process rather than have it be an ad hoc activity within the Executive Branch.
“It would codify what the White House claims it has had all along: a rigorous process, with all the key government stakeholders involved, that carefully considers the pros and cons of withholding the information and is strongly weighted in favor of disclosing it,” said Kevin Bankston, director of the Open Technology Institute at New America.
While the process may have existed, it may not have been put into practice very often. A 2014 suit filed by the Electronic Frontier Foundation sought the VEP’s release, and after a year, a redacted version was turned over by the government. Among the redactions were specific steps that agencies go through when evaluating whether to release information about a newly discovered vulnerability.
Andrew Crocker, staff attorney at the EFF, filed a Freedom of Information Act (FOIA) request for the VEP after reports surfaced that the NSA had been exploiting the Heartbleed vulnerability in OpenSSL for intelligence gathering. The Office of the Director of National Intelligence and the White House denied this, and revealed the government had the VEP policy in place to govern its use and disclosure of zero days.
“We filed a FOIA, got the policy and learned they were not really using it,” Crocker said. “It was written down, but not implemented.”
Crocker cited Apple vs. FBI as one high-profile example of the VEP falling short: the government allegedly may have purchased an iOS exploit and vulnerability and has yet to disclose it to Apple.
“This is a controversial area around what the government’s responsibilities and duties should be in these cases, especially given the dual mission of offensive and defensive operations [of the NSA],” Crocker said. “We agree that there needs to be more transparency around it and more formalization of the process. That’s the impetus behind the bill and it’s really a positive thing.”
Sen. Schatz said the bill brings a semblance of balance between national security and cybersecurity.
“Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security,” Schatz said.
The act is proposed with the sting of WannaCry still fresh. Last Friday’s global ransomware outbreak was enabled by a stolen NSA exploit that was leaked in April by the ShadowBrokers, one month after it was patched by Microsoft. Microsoft, the Washington Post reported, was tipped off by the NSA in advance of the leak, giving Microsoft the opportunity to make a patch available to its users. The Washington Post also claims the NSA had the Windows SMBv1 vulnerability, EternalBlue exploit and DoublePulsar rootkit in its possession for years and feared what might happen should it escape the NSA’s control.
Despite urgent warnings to patch, WannaCry and EternalBlue still blasted their way through thousands of unpatched Windows servers and caused downtime to many critical businesses.
Microsoft responded with harsh words for the U.S. government, criticizing its stockpiling of vulnerabilities. President and chief legal officer Brad Smith had plenty of ammunition with which to slam the government, reminding everyone of not only the ShadowBrokers’ leaks, but also WikiLeaks, which has now on three separate occasions made public offensive hacking tools developed by the CIA.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith said. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today–nation-state action and organized criminal action.”
The proposed law would require the review board to establish a process that determines whether a vulnerability is disclosed, when, how, to whom and to what degree. The process would include consideration of the impact of the flaw on core internet infrastructure and critical infrastructure in the U.S., the risks of leaving it unpatched, the possible harm should an outsider find and exploit the bug, and how disclosure would affect ongoing intelligence or national security operations.
Crocker said he hopes that, as the bill goes through revisions, more attention will be paid to the government's operational security in protecting its exploits, to keep entities such as the ShadowBrokers from leaking powerful weaponized attacks that are relatively simple to use.
“I do have some reservations that it might not take on that problem of bad op sec as squarely as we’d like,” Crocker said. “We can’t lose sight that [the NSA] lost control over it. How powerful a vulnerability is and the ease with which it can be exploited should play into weighing the equities around it.”