Published by The Lawfare Institute
in Cooperation With
As governments increasingly find themselves needing information from networked sources for law enforcement, intelligence, and military purposes, one of the most difficult dilemmas they face concerns the use of so-called zero day vulnerabilities—previously unknown flaws or bugs that can sometimes be exploited to gain access to servers that house information or control networks and infrastructure. Governments often have researchers looking for these flaws, and sometimes, governments purchase them on the open market. But when governments find such vulnerabilities, should they quickly disclose these flaws and thus allow them to be fixed, or should they keep the information a secret for other national security purposes?
Governments are simultaneously charged with helping protecting the public from exploits online, on the one hand, and with intelligence, law enforcement and military missions that may require the use of such vulnerabilities, on the other. A decision to retain a zero day vulnerability likely undercuts the cybersecurity of the public, enterprises and even government agencies. But disclosing information about a zero day vulnerability so vendors can patch it risks undercutting the ability of law enforcement to investigate crimes, intelligence agencies to gather intelligence, and the military to carry out offensive cyber operations. While these seem at first like competing goals they do not need to be. Governments have begun to create vulnerabilities-equities processes (VEP) to manage the use and disclosure of vulnerabilities that they find in order to serve the public interest in the discovery.
In this essay, we look at the history of the VEP and the growing number of countries creating new equities processes—in particular, the United Kingdom’s recent publication of information about its process and Germany’s move to set up and potentially even legislate its VEP. These steps set a new bar for how nations can and should use a VEP to improve cybersecurity, build transparency and encourage good governance and stewardship of resources.
Genesis of the Vulnerabilities Equities Process
In the early 2000s, the NSA began an internal dialogue about the use of such zero days, called the VEP. (The term “equities” refers to the fact that a single vulnerability and its use or exposure could impact several different internal departments, including others trying to exploit similar vulnerabilities as well as those who may need the information in order to defend the networks of the U.S. Department of Defense.) The process was successful in helping NSA make decisions about whether to keep vulnerabilities for intelligence gathering or disclose them to the vendor to fix. In 2008, deciding that this process would be useful for all U.S. government law enforcement and intelligence agencies to participate in, the Bush administration began to set up a government-wide process led by NSA. This work was never completed and the government-wide VEP did not get off the ground.
Following disclosures about the NSA’s uses of vulnerabilities in the Snowden revelations, President Obama created a President's Review Group on Intelligence and Communications Technologies to address, among a variety of things, any potential overreach by the NSA and other U.S. intelligence agencies. The group’s final report recommended reviving the government-wide VEP with a presumption toward disclosing vulnerabilities. Secretly, the U.S. government followed this recommendation, putting the National Security Council in charge of reviewing prospective zero days that came into the possession of U.S. government agencies.
VEP steps out of the shadows
Several months after the revitalization of the VEP, researchers at Codenomicon and Google announced the existence of Heartbleed, a vulnerability in the widely-used OpenSSL protocol that could allow an attacker to gain access to sensitive information including passwords. After rumors spread that Heartbleed had been known to the NSA prior to its announcement, White House Cybersecurity Coordinator Michael Daniel published a blog post explaining that the VEP would not allow NSA to take no action and going into detail about the functioning of the VEP. While many supported the idea of the VEP as described in Daniel’s blog post and the presumption to disclose vulnerabilities, in some ways the post raised as many questions as it answered. After the Electronic Frontier Foundation placed a Freedom of Information Act Request to find out more, it received back a number of highly redacted documents providing some detail on which agencies were participating in the VEP and confirming most of the details Daniel had written. But the FOIA response also generated even more confusion about the process and why so much of it was classified.
In early 2016, one of the present authors (Schwartz) and Rob Knake published a report providing a detailed history of the VEP and calling for increased transparency. Though the Obama administration ran out of time to make these changes, the Trump administration’s former cybersecurity coordinator, Rob Joyce, took VEP reform as a main issue and promised increased transparency on how the VEP operates—including a public VEP Charter describing the agencies involved and the rules under which they operate. At that same time, many countries, including the Netherlands, Australia and the United Kingdom confirmed they have a VEP-like process in place.
Why governments should adopt a VEP-like policy
There are several reasons why countries may choose to create a vulnerabilities equities process. The most compelling of these include:
1. Oversight of government hacking
As more information becomes encrypted in transit, governments have a greater need to access information by hacking the end points of the communications. Yet, even with proper legal process, a government may need to utilize new exploits or try to hold on to otherwise unknown exploits in their hacking efforts. While it seems to be a common assumption in the media that more zero days are being used by governments and criminals every year, we should note that the NSA is actually publicly reporting that they are finding fewer zero days in their incident response work which suggests that more effort needs to be placed on patching known vulnerabilities. A VEP can help ensure that all sides of the issue are being considered even though the process is necessarily a classified effort. Governments will need to weigh how to protect the public, critical infrastructure and even government services online from attacks and breaches—but also how to ensure that one agency is not accidentally interfering with the work of another. For example, if an intelligence agency discloses a vulnerability currently being exploited by a law enforcement agency on a case, this could lead to the unintentional exposure of an investigation or the end of a productive means of gathering information.
2. Increase in leaked government information
The dramatic increase in leaks of government hacking information is another compelling reason to create a VEP. Consider the vulnerabilities that enabled the creation of the WannaCry and NotPetya Ransomware, leading to billions of dollars of losses in companies. If these vulnerabilities had been adequately disclosed to vendors further in advance, perhaps some of these losses could have been prevented.
3. Increase in parallel discovery
Another consideration is the marked increase in the number of vulnerabilities found simultaneously by different researchers. While studies on this subject are mixed, there are some clear cases—not the least of which are the Spectre and Meltdown chip vulnerabilities found in 2017—demonstrating that parallel discovery is indeed a real phenomenon. Government agencies that uncover a vulnerability should assume that other governments have found or will find similar vulnerabilities, leaving consumers and organizations, even their own agencies, at risk that the vulnerability could be exploited.
In summary, these all lead to a serious moral consideration. Governments that seek to hoard vulnerabilities risk holding onto information that could potentially cause harm—in some cases physical harm—if it fell into the wrong hands. If a government knew about a potential physical flaw in an electric turbine that put lives at risk, it would have a moral obligation to, at the very least, have a process by which it determined whether and how to tell the vendor about the flaw so that it could be fixed. Why should a software vulnerability be any different? Why not at least have in place a process to weigh all sides and determine if disclosure is a good idea?
The international community is getting serious about government vulnerability disclosure
In their November 2017 Lawfare piece entitled "It’s Time for the International Community to Get Serious about Vulnerability Equities", Kate Charlet, Sasha Romanosky and Bert Thompson argued that more countries should follow the United States in establishing and being transparent about their government vulnerability disclosure process. Some states are now doing just that. The U.K., for example, just recently published information about the British vulnerabilities equities process, very similar to the U.S. government’s transparency initiative last year surrounding its vulnerabilities equities policy and process.
Even on the supranational level, this topic has received quite some attention. The Centre for European Policy Studies (CEPS) task force chaired by Marietje Schaake, a member of the European Parliament, produced a comprehensive report on recommendations for coordinated vulnerability disclosure to vendors (CVD) and government disclosure decision process (GPPD)—apparently the European umbrella term for VEP. While the report gave less attention to GPPD than CVD, this is definitely a step forward. Additionally, major stakeholders such as Mozilla and Microsoft have been making their rounds to promote this idea. On Dec. 5, the Carnegie Endowment for International Peace held a high-level conference to further promote GPPD on the EU level.
In Germany, government representatives have confirmed that they do not have such a process in place but are currently developing one. Major parts of the process, if not all of it, are expected to become public—possibly setting a new benchmark for transparency in this area and informing governments and nongovernment actors alike. Additionally, the German policy process might establish new standards when it comes to cooperation with academia, private sector and civil society. Government representatives have attended events such as Carnegie’s International Policy Conference on Government Vulnerability Management to gather ideas and the ministry has established an information exchange with the Berlin technology think tank Stiftung Neue Verantwortung (SNV).
The Transatlantic Cyber Forum (TCF), a project run by SNV's International Cyber Security Policy division—which is headed by one of the authors of this piece (Sven Herpig)—recently brought together German and American experts from academia, the private sector and civil society to draft a best-practice model for a governmental vulnerability assessment and management process. The model has been received well by relevant national stakeholders in Germany, including civil society, private sector, academia and the Ministry in charge.
Governmental Vulnerability Assessment and Management
The TCF model covers all the aspects of the process, from “acquisition” of a vulnerability until its disclosure. The entire process focuses on ensuring sufficient oversight and transparency, as well as the ability of agencies to secure the vulnerabilities they are retaining. All these aspects are lessons-learned from the development and implementation of the U.S. VEP.
Outline of the vulnerability management workflow.
The entire model is built on nine principles, which form the basis of any government adoption of a VEP-like process:
- If a government wants to retain vulnerabilities, it needs to establish a VEP-like process.
- The process should be enshrined in law, with independent legislative review of its effectiveness and proportionality.
- The process needs to be applied to all zero days, including those boxed in hacking tools or services procured or rented by government agencies.
- Retention of vulnerabilities should be only temporary.
- There should be a strong presumption that disclosure of vulnerabilities is in the best interest of commerce, civil liberties, public safety and IT security.
- A government that wants to retain vulnerabilities must demonstrate a critical need that outweighs the security benefits of disclosure to the “maintainer,” along with a plan to minimize harm.
- Governments that have implemented such a process should work toward promoting it as an international norm.
- Research on the likelihood that two or more researchers find the same zero day independent from each other (collision rates) needs to be fostered.
- A better understanding of acquisition and disclosure of vulnerabilities needs to be developed.
The model also suggests a detailed institutional setup and assessment process, including crucial aspects to be considered in decision-making about the disclosure of a vulnerability.
Outline of the institutional setup and vulnerability assessment workflow.
Best Practice Model: Blueprint or Cookie Cutter?
The establishment of VEPs around the world is a crucial first step. It is, however, similarly important that governments go public with parts or the entirety of their process. Transparency does not only help to independently assess the process by non-governmental experts and thereby possibly increase its effectiveness but also enables states with fewer resources to spend on cyber security in developing their own version of the VEP.
The approaches of the United States, Germany and the United Kingdom should be applauded. Smaller states will be able to take a good look at these established processes to evaluate what might work in their case and what might not—and all of that without classified government-to-government meetings. The best-practice model presented by the TCF is an additional source that should be taken into consideration, especially because it offers a more interdisciplinary and less state-specific perspective.
The inherent danger of simply adopting approaches from other countries is that they might not work well, for example, due to different institutional setups or legal frameworks. It is therefore vital to adapt existing best practices to the country's specifics before implementing them. This presents another aspect where the frontrunners of VEP can be of assistance, by helping other states to understand and adapt their VEPs.
The more that countries that leverage zero-day vulnerabilities choose to adopt a VEP, the more beneficial it will be for the overall internet ecosystem. With an increasing number of those countries going at least partially public with their policies, the overall quality and usability of various VEP models might improve as well, as the VEP becomes a possible topic for public research. At the same time, transparency provides a good starting point for those countries that have not yet developed a VEP. Countries that have already implemented a VEP should spread the word and help others to do the same.
Within the European Union, the task of promoting vulnerability disclosure—both government vulnerability disclosure and private sector coordinated vulnerability disclosure—could be facilitated by guidance from the European Union Agency for Network and Information Security (ENISA). Indeed, one of ENISA's tasks as the EU’s cybersecurity agency is to share information such as best practices and standards across European Union countries. Such a process could also leverage existing knowledge from private sector stakeholders with long experience in handling and disclosing vulnerabilities. On an international level, NATO could facilitate this process by providing assistance to its member states and supporting them in all matters vulnerability disclosure.
Some critics will argue that having a VEP is naive and will hurt the “good guys” more than the “bad guys,” or that developing such a process is a shallow public relations stunt. But the main goal of vulnerability disclosure processes is to improve overall national security by weighing all equities and providing oversight for a taxpayer investment. If a country’s VEP does not do that, than the process needs to be adjusted and improved. A dysfunctional VEP should not be abandoned altogether under the false assumption that any VEP is inherently doomed to fail—for the absence of such a process would decrease national security and possibly enable government waste and abuse. It’s just a question of doing it right.