US & World

Government outlines when it will disclose or exploit software vulnerabilities

A laptop in the Netherlands was one of hundreds of thousands infected by ransomware in May. The malware reportedly originated with the NSA.
A laptop in the Netherlands was one of hundreds of thousands infected by ransomware in May. The malware reportedly originated with the NSA.
Rob Engelaar/AFP/Getty Images

Government agencies that deal with cybersecurity, like the National Security Agency, have two competing interests. On the one hand, they want to protect America's online infrastructure and economy from cyberattacks. On the other hand, government agencies want to harness tools to attack opponents in cyberspace.

These goals come into conflict when government agencies discover or buy flaws in software, called "zero day" exploits, that the software's makers don't know about. The government can inform the company so the flaw can be patched — or it can save the secret weakness in order to use it to launch attacks against enemies.

There's a catch to hoarding the software flaws though: That same exploit could end up being used against Americans if hackers discover the flaw on their own.

It's with this conflict in mind that the White House rolled out new guidelines on Wednesday for the process it will use to decide when to inform tech companies about vulnerabilities discovered in their software, and when agencies will decide to keep something classified.

There's a "tension between the government's need to sustain the means to pursue rogue actors in cyberspace through the use of cyber exploits, and its obligation to share its knowledge of flaws in software and hardware with responsible parties who can ensure digital infrastructure is upgraded and made stronger in the face of growing cyber threats," White House Cybersecurity Coordinator Rob Joyce wrote in announcing the guidelines.

The Vulnerabilities Equities Process Charter lays out what to do once a vulnerability is both "newly discovered and not publicly known" (emphasis theirs).

Representatives from several federal agencies, including the departments of Treasury, State, Justice, Homeland Security, Energy, Defense, Commerce and the CIA will be part of a board to consider the benefits and drawbacks of releasing or keeping a flaw secret.

Officials will consider factors like how widely a product is used, how likely hackers are to discover the flaw, how much damage it can do, and how easily it can be patched. They'll also weigh how valuable an exploit is for gathering intelligence or helping law enforcement, and its effect on the government's relationship with businesses.

The 14-page document also explains the process for resolving disputes when agencies disagree over what to do.

If the government ends up deciding to inform the manufacturer, "dissemination will be made in the most expeditious manner and when possible within 7 business days," the charter says.

The Electronic Frontier Foundation, a group advocating online privacy and civil liberties, called the guidelines "affirmative steps," but they "still have concerns over potential loopholes in the policy."

Former Defense Department officials Kate Charlet and Sasha Romanosky, along with Bert Thompson of the Carnegie Endowment for International Peace, called the announcement "a positive step toward increasing transparency on this controversial process" in a post on the Lawfare blog.

Recent hacks call into question just how well the government can actually keep its secrets, however.

A hacking group called the Shadow Brokers stole and leaked "sophisticated, very sensitive, high-end, really weapons-grade computer code" from the NSA, former NSA General Counsel Matthew Olsen told NPR this week.

"The agency regarded as the world's leader in breaking into adversaries' computer networks failed to protect its own," as The New York Times recently described it. "Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies."

Earlier this year, businesses across the world were hit by ransomware attacks, locking hundreds of thousands out of their data. The malware behind those attacks, which exploited a Microsoft vulnerability, was reportedly stolen from the NSA as well.

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," Microsoft President Brad Smith wrote afterward.

The White House's Joyce pre-emptively pushed back, writing, "I also predict that articles will make breathless claims of 'massive stockpiles' of exploits while describing the issue. That simply isn't true."

At an event Wednesday, Joyce also said: "The kinds of vulnerabilities we use ... are rarely rediscovered by anyone else."

Copyright 2017 NPR. To see more, visit http://www.npr.org/.