{"id":1012,"date":"2016-09-19T02:47:07","date_gmt":"2016-09-19T10:47:07","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=1012"},"modified":"2016-09-19T11:55:44","modified_gmt":"2016-09-19T19:55:44","slug":"improving-government-disclosure-of-security-vulnerabilities","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/","title":{"rendered":"Improving Government Disclosure of Security Vulnerabilities"},"content":{"rendered":"<p>Last week, we <a href=\"https:\/\/blog.mozilla.org\/blog\/2016\/09\/13\/cybersecurity-is-a-shared-responsibility\/\">wrote about the shared responsibility<\/a> of protecting Internet security. Today, we want to dive deeper into this issue and focus on one very important obligation governments have: proper disclosure of security vulnerabilities.<\/p>\n<p>Software vulnerabilities are at the root of so much of today\u2019s cyber insecurity. The revelations of recent attacks on the DNC, the state electoral systems, the iPhone, and more, have all stemmed from software vulnerabilities. Security vulnerabilities can be created inadvertently by the original developers, or they can be developed or discovered by third parties. Sometimes governments acquire, develop, or discover vulnerabilities and use them in hacking operations (\u201clawful hacking\u201d). Either way, once governments become aware of a security vulnerability, they have a responsibility to consider how and when (not whether) to disclose the vulnerability to the affected company so that the developer can fix the problem and protect their users. 
We need to work with governments on how they handle vulnerabilities to ensure they are responsible partners in making this a reality today.<\/p>\n<p>In the U.S., the government\u2019s process for reviewing and coordinating the disclosure of vulnerabilities that it learns about or creates is called the Vulnerabilities Equities Process (VEP). The VEP was established in 2010, but not operationalized until the Heartbleed vulnerability in 2014 that reportedly affected two thirds of the Internet. At that time, White House Cybersecurity Coordinator Michael Daniel wrote in a <a href=\"https:\/\/www.whitehouse.gov\/blog\/2014\/04\/28\/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities\">blog post<\/a> that the Obama Administration has a presumption in favor of disclosing vulnerabilities. But, policy by blog post is not particularly binding on the government, and as Daniel even admits, \u201cthere are no hard and fast rules\u201d to govern the VEP.<\/p>\n<p>It has now been two years since Heartbleed and the U.S. government\u2019s blog post, but we haven\u2019t seen improvement in the way that vulnerability disclosure is being handled. Just one example is the alleged hack of the NSA by the Shadow Brokers, which resulted in the public release of NSA \u201ccyberweapons\u201d, including \u201czero day\u201d vulnerabilities that the government knew about and apparently had been exploiting for years. Companies like Cisco and Fortinet whose products were affected by these zero day vulnerabilities had just that: zero days to develop fixes to protect users before the vulnerabilities were possibly exploited by hackers.<\/p>\n<p>The government may have legitimate intelligence or law enforcement reasons for delaying disclosure of vulnerabilities (for example, to enable <a href=\"https:\/\/medium.com\/mind-share\/safeguards-for-lawful-hacking-93d3dbc13207#.dm6os0mvv\">lawful hacking<\/a>), but these same vulnerabilities can endanger the security of billions of people. 
These two interests must be balanced, and recent incidents demonstrate just how easily stockpiling vulnerabilities can go awry without proper policies and procedures in place.<\/p>\n<p>Cybersecurity is a shared responsibility, and that means we all must do our part &#8211; technology companies, users, and governments. The U.S. government could go a long way in doing its part by putting transparent and accountable policies in place to ensure it is handling vulnerabilities appropriately and disclosing them to affected companies. We aren\u2019t seeing this happen today. Still, with some reforms, the VEP can be a strong mechanism for ensuring the government is striking the right balance.<\/p>\n<p>More specifically, we recommend five important reforms to the VEP:<\/p>\n<ul>\n<li>All security vulnerabilities should go through the VEP and there should be public timelines for reviewing decisions to delay disclosure.<\/li>\n<li>All relevant federal agencies involved in the VEP must work together to evaluate a standard set of criteria to ensure all relevant risks and interests are considered.<\/li>\n<li>Independent oversight and transparency into the processes and procedures of the VEP must be created.<\/li>\n<li>The VEP Executive Secretariat should live within the Department of Homeland Security because they have built up significant expertise, infrastructure, and trust through existing coordinated vulnerability disclosure programs (for example, US CERT).<\/li>\n<li>The VEP should be codified in law to ensure compliance and permanence.<\/li>\n<\/ul>\n<p>These changes would improve the state of cybersecurity today.<\/p>\n<p>We\u2019ll dig into the details of each of these recommendations in a blog post series from the Mozilla Policy team over the coming weeks &#8211; stay tuned for that.<\/p>\n<p>Today, you can watch Heather West, Mozilla Senior Policy Manager, discuss this issue at the New America Open Technology Institute event on the topic of \u201cHow Should We Govern 
Government Hacking?\u201d The event can be <a href=\"https:\/\/www.newamerica.org\/oti\/events\/how-should-we-govern-government-hacking\/\">viewed here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week, we wrote about the shared responsibility of protecting Internet security. Today, we want to dive deeper into this issue and focus on one very important obligation governments have: &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/\">Read more<\/a><\/p>\n","protected":false},"author":563,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[283198,69,141519],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Improving Government Disclosure of Security Vulnerabilities - Open Policy &amp; Advocacy<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Denelle Dixon\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/\",\"name\":\"Improving Government Disclosure of Security Vulnerabilities - Open Policy &amp; Advocacy\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\"},\"datePublished\":\"2016-09-19T10:47:07+00:00\",\"dateModified\":\"2016-09-19T19:55:44+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/netpolicy\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Improving Government Disclosure of Security Vulnerabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/\",\"name\":\"Open Policy &amp; Advocacy\",\"description\":\"Mozilla&#039;s official blog on open Internet policy initiatives and 
developments\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec\",\"name\":\"Denelle Dixon\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/1720f6d7063c89117905d2c75f3b155a\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g\",\"caption\":\"Denelle Dixon\"},\"description\":\"Denelle Dixon-Thayer is Chief Legal and Business Officer at Mozilla Corporation\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Improving Government Disclosure of Security Vulnerabilities - Open Policy &amp; Advocacy","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/","twitter_misc":{"Written by":"Denelle Dixon","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/","url":"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/","name":"Improving Government Disclosure of Security Vulnerabilities - Open Policy &amp; Advocacy","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website"},"datePublished":"2016-09-19T10:47:07+00:00","dateModified":"2016-09-19T19:55:44+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/netpolicy\/"},{"@type":"ListItem","position":2,"name":"Improving Government Disclosure of Security Vulnerabilities"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website","url":"https:\/\/blog.mozilla.org\/netpolicy\/","name":"Open Policy &amp; Advocacy","description":"Mozilla&#039;s official blog on open Internet policy initiatives and developments","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec","name":"Denelle Dixon","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/1720f6d7063c89117905d2c75f3b155a","url":"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g","caption":"Denelle Dixon"},"description":"Denelle Dixon-Thayer is Chief Legal and Business Officer at Mozilla Corporation"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/1012"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/users\/563"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/comments?post=1012"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/1012\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/media?parent=1012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/categories?post=1012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/tags?post=1012"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/coauthors?post=1012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}