Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Connectivity

Should the Government Keep Stockpiling Software Bugs?

Last week’s massive WannaCry cyberattack has resurfaced touchy questions about a shadowy government process.

The top brass in the U.S. intelligence community are keeping their mouths shut about software vulnerabilities.

As the dust settles from the global ransomware attack that has crippled systems in more than 150 countries since Friday, the U.S. government’s shadowy process for collecting and disclosing software vulnerabilities is again under scrutiny.

There is plenty of blame to go around for the scale and effectiveness of the attack, in which a ransomware virus called WannaCry—as well as “WannaCrypt” and “Wanna Decryptor”—exploited a vulnerability in Windows XP. For one thing, Microsoft stopped supporting that version of its operating system in 2014, so anyone using the outdated software was taking a risk. (Once Microsoft was aware the vulnerability was being exploited, it quickly released a fix for the bug—an unusual step for such old software.)

Brad Smith, Microsoft’s president and chief legal advisor, said the government was also to blame, since it appears the attackers used an exploit that was stolen from the NSA by a group called Shadow Brokers. In a blog post, he criticized the practice of stockpiling vulnerabilities. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” he wrote.  

The U.S. government does have a system in place for weighing the risks of either disclosing a critical software vulnerability or keeping it secret. But very little is understood publicly about how the so-called Vulnerabilities Equities Process (VEP) works. Privacy advocates have long called for greater transparency, with only modest success.  

The VEP is believed to have existed since 2010, but remained a secret until 2014, when the White House and Director of National Intelligence each released statements denying a Bloomberg report that the NSA had for years known about and used a widespread vulnerability in the way communication over the Internet is encrypted called Heartbleed. Michael Daniel, President Obama’s cybersecurity coordinator, claimed the administration had “established a disciplined, rigorous, and high-level decision-making process for vulnerability disclosure.”

Whether or not the federal government should withhold knowledge of such vulnerabilities “may seem clear to some,” Daniel said at the time, but “the reality is much more complicated.” Revealing a vulnerability could cause the U.S. to “forgo an opportunity to collect crucial intelligence that could thwart a terrorist attack,” he said. Nonetheless, the government’s decision-making process was “biased toward responsibly disclosing the vulnerability.”

In January 2016, thanks to a Freedom of Information Act lawsuit by the Electronic Frontier Foundation, the government released a partially redacted document explaining the VEP. It left unclear exactly how a decision is made, who makes it, and how many secret vulnerabilities the government has in its possession. Jason Healey, a researcher at Columbia University and senior fellow at the Atlantic Council, recently estimated that the number is in the dozens.

Recent events have raised doubts that the system is indeed biased toward disclosure, as Daniel asserted. In a recent research paper, Healey concluded, based on interviews and public statements by the government about the VEP,  that the NSA “almost certainly” should have disclosed the vulnerabilities in a previous leak by Shadow Brokers to affected companies, including Cisco, Juniper, and Fortinet. The FBI should also have told Apple about the vulnerability it used to access the iPhone of one of the shooters in the San Bernardino terrorist attacks last year, Healey wrote.

Unfortunately, the prospect of better transparency—and the accountability that would bring with it—doesn’t appear to be forthcoming. The VEP is controlled by the executive branch of the federal government, with no public oversight. Unless the Trump administration decides to change that, we’re likely to remain in the dark. Until the next big cyberattack, that is.

Want to go ad free? No ad blockers needed.

Become an Insider
Already an Insider? Log in.
The top brass in the U.S. intelligence community are keeping their mouths shut about software vulnerabilities.
More from Connectivity

What it means to be constantly connected with each other and vast sources of information.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

    Bimonthly digital/PDF edition

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special interest publications

    Discount to MIT Technology Review events

    Special discounts to select partner offerings

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.