US gov vulnerability disclosure requires oversight, says new report

A new report has called for greater accountability and oversight in the way the government reports the software vulnerabilities that it discovers.

The rules on government disclosure currently come without much oversight
The rules on government disclosure currently come without much oversight

The US government should overhaul its policies on vulnerability disclosure according to a new report. Authored by Ari Schwartz and Rob Knake, the paper seeks to cut a middle ground between those who say that the government has the right to collect and exploit vulnerabilities and those, like Bruce Schneier, who says it does not. 

It takes specific aim at the US governments disclosure mechanism.

Schwartz and Knake have both been cyber-security advisors to the government. Schwartz is currently Venable's managing director of cyber-security services but previously served on the White House National Security Council as special assistant to the President and senior director for cybersecurity. 

Robert Knake is a fellow at the Council on Foreign Relations who also served on the National Security Council, earning the title the “White House's Cyber Wizard” from Federal Computer Weekly.

It's with that experience that they take aim at US government's Vulnerability Equities Process (VEP), the means by which the government discloses or retains discovered software vulnerabilities. 

The VEP was set up in 2010, revealed to the world in 2014 and sets out no explicit rules for the disclosure of vulnerabilities found by the agencies of the US government. Once a vulnerability is found it goes through a review to figure out whether it is worth disclosing or not. This process and its outcomes are largely shrouded in a veil of national security.

Flavio Garcia, senior lecturer in computer security at the University of Birmingham, has had his own brushes with the dangers of responsible disclosure. He told SC that the government, being ‘biased' towards disclosure is one step in the right direction.

“Having more transparency and accountability in the whole process is also clearly needed although I am not sure whether simply revealing the amounts of vulnerabilities being kept secret and for how long will be very satisfactory - vulnerabilities are not apples, so the numbers do not really bear much meaning.” 

The authors of the report largely echo that sentiment. The VEP is good but it is not enough. To that end, Schwartz and Knake make a number of propositions for overhauling the process.

An executive order should be issued in order to formalise the process government-wide, say Schwartz and Knake. “There are few consequences for agencies that refuse to participate in the process,” write the authors. Any decision to retain a vulnerability should be subject to review and the criteria for disclosing should be made public as should an annual report on the status of the programme.

Importantly, the executive secretary, who oversees the process, should come from the Department of Homeland Security (DHS), not the National Security Agency (NSA), where the position currently sits. It is not a sure thing, write the authors, that the NSA can be a neutral party in the VEP. The DHS, however, has “developed a strong capability in vulnerability research and software assurance”, and can presumably handle the position in a way that could be considered neutral.

The recommendations extend to not allowing government agencies to enter into non-disclosure agreements with the bug brokers they buy off.

Under such a proposition, the FBI's recent clash with Apple over the unlocking of the San Bernardino shooter's iPhone would have turned out very differently.

The report notes that by de-classifying the process, the US government could help set up a model of disclosure for the world: “If all of the countries with capabilities to collect vulnerabilities had a policy of leaning toward disclosure, it would be valuable to the protection of critical infrastructure and consumers alike as well as US corporate interests.”