Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/16/2019
02:30 PM
Ricardo Arroyo
Ricardo Arroyo
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
0%
100%

How the US Chooses Which Zero-Day Vulnerabilities to Stockpile

When it comes to acceptable circumstances for government disclosure of zero-days, the new Vulnerabilities Equity Process might be the accountability practice security advocates have been waiting for.

Where do you stand in the debate over whether governments should stockpile vulnerabilities? Some believe that regardless of its utility, the practice of keeping software vulnerabilities secret affects all users and they should be disclosed no matter the circumstances. On the other side of the argument are those who believe zero-days are a matter of national security and that if a vulnerability gives us an edge in warfare or intelligence gathering, it should be kept secret.

And then there's a third group, to which I belong. This crowd understands both the benefits and consequences that can occur when governments find and conceal vulnerabilities. Ultimately, this group believes we need to take an approach that's less binary and more circumstantial, factoring in both the pros and cons of the practice and how they change based on the situation and conditions at hand.

Did you know the US government has a process in place to do exactly that? It's called the Vulnerabilities Equity Process (VEP), defined as "a process used by the U.S. federal government to determine on a case-by-case basis how it should treat zero-day computer security vulnerabilities, whether to disclose them to the public to help improve general computer security, or to keep them secret for offensive use against the government's adversaries." The VEP was developed in the late 2000s in response to a public outcry against the stockpiling of zero-day vulnerabilities. It was initially kept secret until the Electronic Frontier Foundation received redacted documentation through a Freedom of Information Act (FOIA) request in 2016. After the disclosure of the ShadowBrokers in mid-2017, the White House released an updated version of the VEP to the public in an attempt to improve transparency around the process. Let's explore how it works.

Today's VEP Process
The process is run with the authority of the White House and is led by both a representative from the National Security Agency (NSA), under the direction of the secretary of defense, as the executive secretariat, and the president's cybersecurity coordinator as the director. Other participants include representatives from 10 government agencies that comprise the Equities Review Board.

The process dictates an exchange between organizations that discover these vulnerabilities, the secretariat and the members of the Equities Review Board. During this exchange, vulnerabilities are disclosed to the group so each member can claim equity (for example, explaining "Here's how this vulnerability affects me"). This claim kicks off a round of discussion between the reporter and equity claimants to determine whether or not to recommend disclosing or restricting the vulnerability. The final decision to accept the recommendation or come up with alternatives is made by consensus of the Equities Review Board. Once a disclosure decision is made, the dissemination happens within seven days. Once you add up the time frames, the entire end-to-end process from discovery to dissemination can take anywhere from a week to one month, which is fast for a US government process.

The VEP also requires an annual report that includes statistical data on the process and its outcomes throughout the year. The report requires an unclassified executive summary at a minimum. The first reporting period closed on September 30, 2018, so we should expect an annual report soon.

Gaps and Exceptions
This process is by no means perfect. Between accommodations for the timetable, varying nondisclosure action options, and the complex back-and-forth between organizations, there is potential for our government to simply maintain the old status quo and fall short of the level of transparency for which the VEP was intended to deliver. A recent report outlined a solid list of issues associated with the process (you can read the original article here), which includes the following factors:

  1. NDAs and other agreements. The VEP is subject to legal restrictions against disclosing things such as nondisclosure agreements, memoranda of understanding, and other agreements between foreign or private sector partners. This opens up the possibility for both partners to hide behind these agreements in order to prevent disclosure.
  2. Lack of Risk Rating. The industry rates vulnerabilities by severity based on many factors. The VEP does not mandate any such rating. The absence of this kind of categorization or ranking process could result in false statistics at the end of the year. For example, the VEP could publicly state that it disclosed 100 vulnerabilities this year, but without context those could all be low-risk threats that have very little impact to the private sector.
  3. NSA Leadership. Considering the fact that the NSA is likely the greatest equity holder, as well as the most experienced in dealing with vulnerabilities, it comes as no surprise that a representative from the NSA was chosen as the secretariat. This position allows the largest equity holder the most power in this process.
  4. Alternative to Disclosure. While public disclosure is the default, other options include: disclosing mitigation information but not the vulnerability itself, limited use by our government, disclosing to US allies at a classified level, and indirect disclosure to the vendor. Many of these options keep the vulnerability a secret, negating the benefit that disclosure would bring.

Lack of Transparency
In addition to this list, there doesn't seem to be any private sector oversight built into the process. One of the issues I always find when arguing about zero-days is trust. The individual who believes vulnerabilities should always be disclosed for the betterment of security will rarely accept the response of an insider stating: "We can't because it's worth keeping secret." With the 10 agencies in the Equities Review Board including both the Department of Commerce and Department of Homeland Security, one could assume it is their responsibility to keep the private sector in mind. This does little to ease the mind of the security advocate, as these are positions appointed by the executive branch.

I believe the government should include a private sector review board of select industry representatives and cybersecurity experts who can hold a security clearance. These board members could review the outcomes of the VEP process on a monthly or quarterly basis. I believe that security advocates would be more willing to accept the response "We can't because it's worth keeping secret" if they hear it from a widely accepted industry expert as well as from the government.

Related Content:

 

Ricardo Arroyo, senior technical product manager and ThreatSync guru, is responsible for guiding the design and implementation of threat detection and response at WatchGuard Technologies.  Following a 15-year career at the NSA, where he worked as an analyst and cyber ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
1/26/2019 | 2:33:26 AM
Selective disclosure
What I reckon is happening is that the government is keeping all these secrets in storage for fear that if the data got out, that the hackers would be able to replicate what's been going on. They would have to be very careful what  information to release if they're going to disclose any of it at all!
michaelmaloney
50%
50%
michaelmaloney,
User Rank: Apprentice
1/25/2019 | 2:27:16 AM
Staying neutral is best
I guess the I belong in the third group as well because every scenario would often come with its own pros and cons. It is not entirely up to us alone to weigh in on whether or not the vulnerabilities should indeed be kept in a secret storage or be let out in the open. Instead, we need to analyze on the given situation at that exact moment in time to see which solution suits best.
ConwayK9781
100%
0%
ConwayK9781,
User Rank: Strategist
1/17/2019 | 9:19:02 AM
Huh...
> "And then there's a third group, to which I belong. This crowd understands both the benefits and consequences that can occur when governments find and conceal vulnerabilities."
> implies only third group understand both
> proceeds to show that the third group clearly doesn't, as they support a government weaponizing zero-days at the expense of the citizens for its own personal gain


Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...