Report on the Vulnerabilities Equities Process

I have written before on the vulnerabilities equities process (VEP): the system by which the US government decides whether to disclose and fix a computer vulnerability or keep it secret and use it offensively. Ari Schwartz and Rob Knake, both former Directors for Cybersecurity Policy at the White House National Security Council, have written a report describing the process as we know it, with policy recommendations for improving it.

Basically, their recommendations are focused on improving the transparency, oversight, and accountability (three things I repeatedly recommend) of the process. In summary:

  • The President should issue an Executive Order mandating government-wide compliance with the VEP.
  • Make the general criteria used to decide whether or not to disclose a vulnerability public.
  • Clearly define the VEP.
  • Make sure any undisclosed vulnerabilities are reviewed periodically.
  • Ensure that the government has the right to disclose any vulnerabilities it purchases.
  • Transfer oversight of the VEP from the NSA to the DHS.
  • Issue an annual report on the VEP.
  • Expand Congressional oversight of the VEP.
  • Mandate oversight by other independent bodies inside the Executive Branch.
  • Expand funding for both offensive and defensive vulnerability research.

These all seem like good ideas to me. This is a complex issue, one I wrote about in Data and Goliath (pages 146-50), and one that's only going to get more important in the Internet of Things.

News article.

Posted on July 11, 2016 at 12:15 PM • 25 Comments

Comments

Zd • July 11, 2016 12:54 PM

>Ensure that the government has the right to disclose any vulnerabilities it purchases.

Is there any situation where a government agency (and especially the NSA) would purchase a vulnerability on the market just to disclose it? Are private corporations doing this? (honest question - as I don't think they do)

MikeA • July 11, 2016 1:33 PM

So, what happens when (purely hypothetically) the FBI has an iPhone where they screwed up and now need "help" to retrieve data from.

1) They are approached by a company that will _do_ the retrieval, but requires an agreement to not disclose the method or vendor? I would guess they would do that, at almost any price (because, it's just taxpayer money, and the reputation of the FBI as cyber-badasses is on the line).

2) So what if said company will sell the vulnerability it was planning to use (for a higher price, of course, since they won't be getting repeat business, and still with their identity hidden)? Still possible, right?

3) Now, what if that sale would be under an agreement to never divulge the basis of the vulnerability? I would assume that the price would be higher yet, since the vulnerability would thus be "burned".

I can definitely see (1), despite the problems with use of the evidence (chain of custody, right to cross examine). It's not like the FBI is inexperienced at parallel construction. Maybe (2), despite the risk to everybody who pisses off an FBI agent. But if (3) is off the table, (2) will definitely be their go-to option, to the detriment of security.

albert • July 11, 2016 2:47 PM

On one side, we have the IC. They like to keep -everything- secret. On the other, we have us, who want everything public. Fixing vulnerabilities helps -everyone- be more secure.

I don't see this as a complex issue. I see it as a symptom of a deep systemic problem. It's a result of decades of failed US foreign policy, incompetence of the IC/LE community, and the gross disregard of the govt. for US quality of life.

Now the war is happening within our borders.

@MikeA,

Is your example a symptom of privatization of LE functions? I think so. Why can't the FBI have the same level of expertise as a tiny private company? Why not have a gov't agency to handle vulnerabilities? Why not make it illegal for any company to sell vulnerabilities? Why do we need private contractors(PCs) for all GOV/MIL/IC agencies? Why put up with the insecurity and the expense of PCs?

Cutting off few leaves won't bring down the tree.

. .. . .. --- ....

Wm • July 11, 2016 4:02 PM

Government. Government. Government. Lets us continue to look to and trust Government.

Jesse Thompson • July 11, 2016 4:19 PM

IF Our government either devises or learns of a vulnerability THEN the likelihood that an enemy either *also* knows about the same vulnerability, *or* any related vulnerability which would be either blocked or hampered by the appropriate patch to this one is basically 100%.

THUS, the strategy of working to fix and publicly broadcast the fixes for 100% of discovered exploits and vulnerabilities, and ONLY THEN keeping a database of them to use as weapons against whichever enemy targets cannot get their collective acts together quickly enough to either apply or port a patch is proven the ideal solution.

Because without publishing the fix YOUR systems will not be protected against the attackers which we 100% know can attack YOU through these exploits. With publishing the fix, you at least know that your systems are proof against every attack you know (PLUS every related attack that relied on something your fix blocked), while at least some percentage of hostile systems are not since you are publishing the fixes but not necessarily the attack vectors those fixes defend against so they won't necessarily understand the stakes as well as you do, and because they are not bound by your update discipline.

Ted • July 11, 2016 5:44 PM

Human Factors and Information Security: Individual, Culture and Security Environment
Australian Government, Department of Defense (Bruce is sourced)

“The use of positive reinforcement could also assist to strengthen the security message. Psychological research has demonstrated that positive reinforcement, in which desired behaviours are rewarded, is an extremely effective tool in shaping behaviour (Skinner, 1953).” page 41

Is there additionally a way to recognize and encourage the desired behavior? I witness a lot of cooperation here on the blog. Also, great info. Thanks for sharing.

Rebecca Hadron • July 11, 2016 9:31 PM

somewhat within the parameters of this discussion:

what do folks think about the Alex Gibney film Zero Days recently released?


not that we need compare a work to previous ones, but:

His Wikileaks film was a lying fraudulent hack job

Scientology film was useful and quality

Nick P • July 11, 2016 9:58 PM

@ Rebecca

There's some movie BS in it but first half I watched was pretty good and could appeal to laypeople. I was too tired so I fell asleep before I got further haha. Why you think the Wikileaks film was a hackjob? The negative stuff about Assange? I doubted those reports at first until more came out, esp his fight with Domsheit-Berg & the Engineer. It was clear he was psycho between that & the inside account of Collateral Murder. Every movie about these people has some bias & leaves off key details but it's usually more extreme. I liked the movie as it delved into the people involved, good and bad. Showed the human side of a few. I especially enjoyed watching Lamo choke up over what he did to Manning. Until that film, I didn't even know he went to an Army counterintelligence officer to "help" figure out what to do. What a piece of shit...

Rebecca Hadron • July 12, 2016 1:52 AM

@ Nick P thank you for your response (and previously) I enjoy your articulate and intelligent writing.

BS is RE: negative stuff about Assange because
I believe his image and personality has been distorted to absolute maximum whereby he the narcissist etc is just accepted 'truth' and the version of truth we all have has followed a consistent narrative for some years now
that includes Domsheit-Berg situation (ever read his vanity press smear book? I suppose you have)
if one digs deep some obscure yet reputable articles here and there reveals he is far from the emotional monster we have been led (fed) to believe. One very objective piece by a publisher written for the Guardian comes to mind [although Guardian do their best to entirely discredit him also.] And of course the ample documentation revealing the absolute fraud that is the Swedish Kafkaesque Modus Operandi. But people like documentary film maker Laura Poitras see him more clearly . And, as usual, instead of focusing on his intelligence and brilliant achievements all the attention is on his apparent personality.

at risk of further digressing from thread, while there's absolutely no evidence Snowden is anything but who he publicly says he is, one single unraveled bit of cotton thread I never understood is why the USG never unleashed the full force of their media machine against him 'he used to be a lesbian in a relationship with a pet monkey on marijuana that did michael jackson impressions'.

RE Zero Days which yes is very much related to Bruce's post

here's a fairly over the top review by the single most reputable movie review group on the internet or anywhere

http://www.rogerebert.com/reviews/zero-days-2016


Rebecca Hadron • July 12, 2016 1:57 AM

@ Nick

RE: previous discussion about credit cards, I meant to tell you:

samy.pl

Samy Kamkar website,many wonderful projects


[ i always expect everyone here has already seen and read everything already ]

Sancho_P • July 12, 2016 3:31 AM

@albert ("I don't see this as a complex issue.")

So do I.
However, they (and @Bruce) make a living out of it :-)
The sad truth is you can't cure a dead horse.
Disengaging capitalism has killed the horse.

A company produces and sells a product.
The product repeatedly fails, hurts the customers and / or damages their property.
The company would be liable for their product,
even if there is software involved (I've produced and sold safety systems with SW).

Not in the IT.
This was capitalism.
Bill Gates (?) has killed the horse.

blake • July 12, 2016 6:50 AM

So does the VEP create obligations for software vendors to fix disclosed vulnerabilities? Because there's a significant gap between "we have a nice process for deciding when to raise security flaws" and "hey now our systems are secure".

Public disclosure of vulnerabilities does not immediately equal safer platforms. Those holes have to be patched, and then those patches have to be applied. Without those quite important steps, the VEP feels like a discussion of when to close the barn doors while ignoring the horses. Having a fair and transparent policy is important, but of questionable value if the barn doors don't actually close.

@Wm

> Lets us continue to look to and trust Government.

This process still hands off fixing the holes to the Corporations, so we have to trust both Government *and* Corporations.

Drone • July 12, 2016 7:09 AM

You want THIS Government to be trusted with policing itself?

* THIS Government that abused citizens with the IRS for political gain and got away with it?

* THIS Government that allowed our citizens to die in Libya for political gain and got away with it?

* THIS Government who gets away with intentionally releasing illegal alien criminals into our cities where they kill innocent defenseless citizens?

* THIS government who borrows then spends more money than all governments that came before it combined just to buy votes, then complains when Congress tries to stop them from spending even more?

* THIS Government who's Secretary of State committed obvious Felonies by compromising national security for personal, political and monetary gain, then lied about it, then got away with it?

Ted • July 12, 2016 10:18 AM

@ Rebecca Hadron

Great ‘Zero Days’ summary provided by Godfrey Cheshire.

“… In a way, Gibney has given us a “Dr. Strangelove” for the generation of warfare beyond the nuclear era. My suggestion is that, after the upcoming political conventions are finished, the film be shown on national TV and the candidates devote their first debate to its implications. That would be a start.”

Although Zero Days is not preserved in the National Film Registry yet (25 films are selected each year), Dr. Strangelove is.

Dr. Strangelove (1964): "The edgy satire (as written by director Stanley Kubrick, Peter George, and Terry Southern) and outrageously funny performances (including three from Peter Sellers) have kept “Dr. Strangelove” fresh and entertaining for decades… the former Nazi Dr. Strangelove (Sellers yet again) has an ingenious plan for surviving a potential nuclear holocaust… "

Got to wondering, out of sheer curiosity...

"Factors Prompting De-Escalation in the Cold War" from International Conflict Resolution
http://www.beyondintractability.org/artsum/kriesberg-factors

“Kriesberg argues that this context facilitated peace and de-escalation initiatives in at least three ways. First, there were more independent or unaligned nations available to act as intermediaries in the U.S.- Soviet conflict. Second, the need to recruit these nations as allies encouraged the U.S. and the U.S.S.R. to be more accommodating. Kriesberg notes that "demonstrating reasonableness and willingness to be accommodating is an important form of appeal."[p. 70] Third, the loosening of the bipolar international situation also loosed the UN from American dominance, and allowed the UN to play more significant role as an independent intermediary in conflicts.”

albert • July 12, 2016 11:17 AM

@Ted, Godfrey Cheshire,

"...for the generation of warfare beyond the nuclear era..."

We're -far- from being 'beyond the nuclear era'.

The world-wide levels of fear, hysteria, anxiety, and psychosis are increasing yearly, with no signs of slowing down.

Even if all nuclear weapons were destroyed (as likely as the proverbial porcine aviators), we would -still- be living in the nuclear age.

RE: Kriesberg wrote that paper in 1992. It may have had some truth then, but it's irrelevant today.

The best insight into political 'science' is:

https://www.youtube.com/watch?v=PGO42gvCSPI

From the iconic American songwriter, Randy Newman (1972)

. .. . .. --- ....

MINIPRI • July 12, 2016 1:44 PM

Notably, the only mention of rights here is the IP rights of corporations. In that legal vacuum, as if CALEA's stipulated right to encryption and your right to privacy did not exist, these tools want to create some toothless paper-pushing exercise for a totalitarian state that actively attacks privacy and its advocates,

http://themerkle.com/nsa-labels-privacy-centric-internet-users-as-extremists/

run by this Stasi,

https://epic.org/privacy/dhs-cpo.html (Big spoiler: "The Chief Privacy Office has not done the work that Congress set out for it to do.")

Once again Harvard disgraces itself as a bunch of heel-clicking Speers.*

* http://crookedtimber.org/2016/07/12/we-can-get-rid-of-the-hitlers-and-the-himmlers-but-not-the-speers/

Mike • July 13, 2016 6:46 AM

I was OK with the recommendations until the part about transferring oversight from the NSA to the DHS. Certainly there is some other agency besides DHS - one that isn't so heavily politicized - that could perform the oversight role.

ianf • July 13, 2016 7:22 AM


@ Rebecca Hadron

[…] “One very objective piece by a publisher written for the Guardian comes to mind [although Guardian do their best to entirely discredit him also.]

Given sheer volume of the Guardian's coverage on Assange, hundreds of articles over ~8 years, you could have researched that v. piece (that only you know which one you meant), and posted its URL (I know that I'd have, but then I'm not you. Yes, equal opportunity gender oppressor here.)


[…] “ and the ample documentation revealing the absolute fraud that is the Swedish Kafkaesque MO.

Again, documentation, WHERE. "Ample" is a vague quantifier, not precise pointer. And the MO is anything but Kafkaesque: he's been told up front what he's suspected of.


[…] “instead of focusing on [Assange's] intelligence and brilliant achievements all the attention is on his apparent personality.

Oh, he's intelligent, all right, so ethereal in fact that he forgot what his mission was about. When you're an iconoclast, and living under the cloud of investigation, rule #1 is never give your "lawful" adversaries a pretext to catch you for whatever reason. Especially by saving up on hotels in foreign territories known for vigorous prosecution and conviction of THEHORROR THEHORROR #TPB keepers; never mind the risk of falling into a honey trap (presently absent here Clive Robinson thinks it unethical of the Israelis to have sprung such on Mordechai Vanunu in Rome, rather than ex-filtrating him solo from London Eichmann-in-Buenos-Aires-style).

Back to Assange, the nicest that can be said about him is that he's an obsessive. Then it's all downhill from there to Andrew O'Hagan's decisive [longform 140 kB] diagnostic essay in the LRB, yours to keep and cherish.


[…] “never understood why the USG never unleashed the full force of the media machine against Snowden.

Two possible reasons: first they didn't know the extent to which Snowden has been through the files (and then surely appropriated some, if only for future rainy days "death-man's-grip" self-defensive purposes – which he may well have done ;-)); secondly, because, in terms of suitability for tabloid exploitation, Snowden is the opposite of Assange, a Dreamboat SIL, well-spoken Mr. Clean. Except for him ending up permanently in better mousetrap Russia (which outcome he must've calculated with in advance), so far he has not made one false "sticky media dirt" move. No wonder Michael Hayden feels emasculated to his rotten NSA/CIA core.

Ted • July 13, 2016 10:57 AM

@albert

We're -far- from being 'beyond the nuclear era'.

If there's hope for taxes, there may still be possibilities. Whadda think on this?

IRS Initiates Tax Design Competition

“The Internal Revenue Service is offering up to $10,000 to the winner of a new competition to make its online tax information more understandable to taxpayers. The IRS issued a notice Tuesday outlining the requirements and procedures for the Tax Design Challenge, a crowdsourcing competition with cash prizes that the IRS is hosting to begin reimagining the taxpayer experience of the future.”

And a few more challenges here:
https://www.challenge.gov/list/

Rebecca Hadron • July 13, 2016 9:56 PM

@ianf

I enjoy how you write. Further, I thank you for your love, it is reciprocated. I do wish you'd be nicer to Clive though. We're all friends here, I thought. Also I apologise in advance (and in retrospect) for my English, it is not my native language.

here is the Guardian article about Assange that came to mind.

https://www.theguardian.com/books/2014/mar/06/julian-assange-publisher-defence-wikileaks


RE: Sweden etc

this is the most definitive. You will find it provides detail contrary to your assertions

https://justice4assange.com/extraditing-assange.html

There are a few articles on this site, here is one

http://johnpilger.com/articles/the-siege-of-julian-assange-is-a-farce-a-special-investigation

With love xxo

Rebecca Hadron • July 13, 2016 10:12 PM

@ianf

i thank you for your love. I reciprocate. I do wish you'd be nicer to Clive though. We're all friends here, I thought. I also apologise in advance (and retrospectively) for my English. I am aware many here are academics and have the literacy to prove it.

not sure why you believe Snowden planned Russia in advance, everything on the public record, which I imagine you have read, points in the opposite direction.
Read Greenwald's 'No Place To Hide', it provides the full story.

i am going to give up trying to convince you of anything as so far I am led to believe it is not possible


Here is the Guardian article I referred to

https://www.theguardian.com/books/2014/mar/06/julian-assange-publisher-defence-wikileaks

re: Sweden etc

the first two are the best. you will find these provide facts contrary to your assertions

https://justice4assange.com/extraditing-assange.html

http://assangeinsweden.com/book/

http://rixstep.com/1/20110204,04.shtml

https://daily99998271.blogspot.ie/2016/02/un-ruling-on-assange-exposes-uk.html?m=1


John Pilger has written some very thorough examinations, here is but one but the rest are on his website:

http://johnpilger.com/articles/the-siege-of-julian-assange-is-a-farce-a-special-investigation

r • July 14, 2016 8:41 AM

@Rebecca Hadron

"[ i always expect everyone here has already seen and read everything already ]"

Then why contribute/participate?

Many eyes theory speaking here: our eyes and ears are the mouths and lips to our voracious souls, to not feed them is tantamount to neglect and starvation.

You may get a splinter in your foot while traversing the net, if you're not careful it could've been the needle in the haystack we all watch for.

ianf • July 14, 2016 10:42 AM


@ Rebecca Hadron

I piped the 2 versions of your latest through diff, there are small, but telling changes (and I trust that you're aware of that you may be mistaking ordinary human—i.e. my—civility for "Rebecca love." Which it wasn't, whatever then love is).

(1.) I am as nice to Clive Robinson as I am to everybody. You seem to equate my occasional piqued critique of ways and means (never of his obvious tech expertise) with nastiness. Not so, and Clive, who's older than most of us, knows and appreciates it too. Also he already has/ had a mother, and I'm sure one is/ was enough.

(2.) We're not friends here, we're forum posters. Friends are in the real world, this is a make-believe one, where we can experiment with other than always-PC, kissy-kissy behaviour. You've already tried reciprocal "love;" and there's also "hurt feelings," and "tears" to explore ;-))

(3.) Re: Assange's libertarian oeuvre and legacy… I read everything as it comes in, but here merely pointed out the absence of a link for background/ corroboration of your opinion. After O'Hagan's exposé, Julian Assange lost my uncritical sympathy.

(4.) “provides detail contrary to my assertions” – which specific assertion(s) did you have in mind? I don't have the time for reading everything and then painstakingly decoding what you could have been meaning. Also, as a professional courtesy to a fellow poster, I blankly refuse to open the brain-diode gate[*] and read your thoughts (never secure-hash-checksummed anyway).

(5a.) “not sure why you believe Snowden planned Russia in advance” […]

That's not what I said/ wrote; tenses and conditional subclauses are important. As far as I can ascertain, ES planned his ex-filtration from the maw of the USG for quite some time. His nominal (disclosed) intention was to seek permanent shelter in Cuba[%].

    So take a look at the map, because Ed must've done it aplenty: it's far easier to reach that destination from Hawaii, than from Hong-Kong—which, however, he needed to visit first presumably to arrange his finances (in some bank that HE KNEW FOR NSA-SURE IN ADVANCE would not bend to USG pressure to freeze his $Million+ deposit there). He's politically savvy enough to realize that he couldn't stay put in China, and that flying out via Russia was his next-best option (the other then remaining: North Korea; surrendering to US Marshals to be put away for life in a stockade somewhere; self-termination to stave off risk of #2).

Hence, of course, he must have calculated with potential unforeseen, prolonged stay in Russia—in which, due to political acrimony with the West, TPTB would find it inconvenient to expel him. He's better off as a by-all-counts hostage there, than elsewhere.


(5b.) “Read Greenwald 'No Place To Hide' it provides full story.

Alas, I only have time for certain books, the content of which cannot be found somewhere else/ online. Nothing against Greenwald, mind, but it's too soon, am waiting for a more decisive treatment of "The Snowden Saga;" something (formally by analogy) akin to Alston Chase's pretty definitive “Harvard and The UNABOMBER: The Education of An American Terrorist,” written 6 years after Ted's capture; or the 2006 “The Looming Tower: Al Qaida and The Road To 9/11” by Lawrence Wright, previously a long-time lecturer at the American Uni in Cairo.


(5c.) “i am going to give up trying to convince you of anything as so far I am led to believe it is not possible

    This is a self-serving, cowardly CYA [cover-your-ass] statement meant to provide a blanket alibi for why your opinions here are not as universally "loved," as you'd love them to be. Gloves off, I'd say you expect us all to be Pollyannaish Mr. Blobbys – are you?


[^*] Clive has the brain-diodetails and will gladly explain them to you in a ~7kb parable.

[^%] Snowden might not have been as safe in Cuba, as he is in Moscow… could have become an obstacle on the Cubans' road to rapprochement (and who could blame them). Not that they'd shop him to the Yanks, but perhaps "nudge towards" voluntary move to the perpetually lawless… Venezuela? Also, I keep thinking of a German movie from the last decade—help me with the title—about a once GDR-trained femme RAF terrorist, who is resettled as a factory worker there to live a quiet, uneventful life with a new ID. And then The Wall comes down, Germany is reunited, and she becomes a quarry for a posse of former Stasi etc. bounty hunters. This could have become Snowden's fate in Latin America, too.

Rebecca Hadron • July 14, 2016 11:24 PM

@ r
thanks for that. i was stretching it but I was being self deprecating, in the sense that folks here have been around the block 5 times compared to my half a time, so not feeling very novel in my 'contribution'

@ianf

you are right and i deserve some of that
i wrote two replies because the first one didn't appear for some time and i rewrote the second from scratch hence the additional sites - only to discover the first comment had appeared

thanking you for your love is my OTT and possibly humorous way of pretending any rough edges are not there, real or imagined, and indeed why not simply decide that everyone is love and is expressing love. beats the alternative.
especially when things online from strangers mostly anonymous can be misconstrued, especially when we are writing on subjects that either inspire paranoia, criticism, or an us and them experience. this isn't exactly light reading here. and that's why we love it.
i have regular 'wow' moments reading this comments section and your comments have been included in such a moment. some of the older hands may forget how inspiring the brains here are, to a newbie

i said I was going to give up trying to convince you of something. no ass covering affixed on to that statement. Quite simply an observation that 1. i had internally felt a fiery or reactive desire to convince you of things 2. it appeared you weren't someone easily convinced as an M.O. 3. it was better for me to simply read and share and not feel any misappropriated sense of trying to influence you (or anyone else)
Which goes the other (not actually expressed) direction of not needing to defend my own position so seriously - i should be more open to being wrong. fortunately everyone here is mostly very adult


fair enough re: waiting for treatment of Snowden saga although Greenwald's is indeed decisive: there is something to be said for things being captured at the time by someone 1. intimately involved 2. with the capacity and integrity to do so (a journalist, what's more).

Nonetheless he only found himself in the transit zone of the russian airport after his plane was forced to land, not by conscious choice.

I agree it's ironically one of the safest places he could have received asylum
if you were suggesting maybe I know the name of the film you were explaining - nice light touch - I do not but it sounds great
It did remind me of two (excellent) german films set in the GDR The Lives of Others also Barbara however
Do watch Ex Machina if you can - even if you think I was reduced to crawling hi end tech blogs to advertise it in a last-ditch attempt to recover my stock investment ;-)


Thank you for taking the time to respond in detail
