As governments increasingly find themselves needing information from networked sources for law enforcement, intelligence, and military purposes, one of the most difficult dilemmas they face concerns the use of so-called zero day vulnerabilities—previously unknown flaws or bugs that can sometimes be exploited to gain access to servers that house information or control networks and infrastructure. Governments often have researchers looking for these flaws, and sometimes, governments purchase them on the open market.
Latest in Vulnerabilities Equities Reform
When WikiLeaks shed light on the CIA’s stockpile of software vulnerabilities last week, it revived—but hardly clarified—the debate on whether the government hoards too many bugs. In principle, the interagency Vulnerability Equities Process (VEP) ensures that a flaw is disclosed when the interest in patching it exceeds other governmental interests in exploiting it. Privacy advocates have long suspected that, in practice, the deck is stacked against disclosure.
I believe that lawful hacking is a legitimate and necessary way for law enforcement to handle certain investigations in the Digital Age. But as Steve Bellovin, Matt Blaze, Sandy Clark, and I said in our paper, the default on using a vulnerability should be to report it.
The Lawfare Podcast: Dave Aitel and Matt Tait on How “Everything You Know About the Vulnerability Equities Process Is Wrong”
Dave Aitel and Matt Tait come on the podcast to chat with Benjamin Wittes about their recent Lawfare essay critiquing the current status of the Vulnerability Equities Process. Matt and Dave argue that the process by which the US government decides whether or not to disclose software vulnerabilities is fundamentally broken, and that now is the time to discuss how to fix it.
The vulnerability equities process (VEP) is broken. While it is designed to ensure the satisfaction of many equities, in reality it satisfies none—or at least, none visible to those beyond the participants of the insular process. Instead of meaningfully shaping best outcomes, the VEP provides thin public relations cover when the US government is questioned on its strategy around vulnerabilities.
“Lawful hacking” is an interesting and potentially very useful future path for law enforcement and the intelligence community. But lawyers and policymakers rushing to address potential problems are getting ahead of the technology.
National Security Council veterans Ari Schwartz and Rob Knake recently released a paper entitled Government’s Role in Vulnerability Disclosure. The paper, published by Harvard’s Belfer Center, catalogues the existing government mechanisms for determining whether to disclose a newly discovered vulnerability in hardware and software products and makes a series of recommendations for reform. The recommendations include both useful steps and a few proposals I argue are ultimately counterproductive.