It’s Time for the International Community to Get Serious about Vulnerability Equities

The U.S. government took a long-needed step when it announced on Wednesday new details about its Vulnerability Equities Process (VEP), the interagency process used to determine whether to notify a software vendor about a previously unknown (“zero-day”) vulnerability, or to temporarily use the vulnerability for lawful, national security purposes. The public release of this charter is a positive step toward increasing transparency on this controversial process. This announcement is certain to prompt a new round of national debate as people continue to examine and question the specifics of the charter. But another key challenge is also beginning to surface: multiple countries around the world are likely discovering, retaining and exploiting zero-day vulnerabilities without a process to properly consider the trade-offs. This needs to change. It’s time for the international community to get serious about vulnerability equities.

As Offensive Cyber Capabilities Rise, Few Consider Vulnerability Equities

More nations are bearing the responsibility to make well-informed trade-offs regarding vulnerabilities. In early 2017, senior U.S. intelligence officials told Congress that more than 30 nations are adopting offensive cyber capabilities. Such programs are increasingly integrated into military operations and planning. The United States and United Kingdom speak openly about their use of offensive cyber operations against ISIS. Russia has publicly stated its intention to use offensive cyber operations before resorting to conventional military force.

To accomplish offensive cyber missions--including law enforcement, military and traditional intelligence missions--states look for flaws or weaknesses in hardware and software that allow them to remotely access and manipulate an adversary’s computer system. Zero-day vulnerabilities provide valuable access to targets; in fact, they played important roles in prominent malware such as Stuxnet and Flame, which was used to disrupt Iran’s nuclear program. In addition to these offensive interests, every nation also has defensive cyber interests, such as securing the systems upon which its government, businesses and citizens rely. Stronger defensive concerns relative to offensive ones, might induce a state to disclose a vulnerability to the vendor, which may then issue a patch or otherwise protect its users.

The U.S. government’s release of the VEP charter reversed a previous posture of secrecy and fulfilled an earlier commitment to transparency made by Rob Joyce, the White House cybersecurity coordinator. The new VEP charter reveals information on program participants, decision criteria, and justifications for decisions to disclose or retain zero-day vulnerabilities. There is no longer any reason to keep such a policy hidden in the shadows. Blanket secrecy about vulnerabilities is an antiquated approach. The recent momentum behind bug bounty and vulnerability-disclosure programs, in which organizations crowdsource the discovery of flaws in their information systems, shows that corporations and government agencies are both committed to taking vulnerabilities seriously, and capable of being more open.

Other than this recent U.S. disclosure, little is known publicly about how most states weigh these offensive and defensive implications of the zero-days they discover. The United Kingdom acknowledged that it discloses vulnerabilities, but has offered little information on its decision-making or whether it retains zero-days for offensive use. Robert Hannigan, then-head of the U.K.’s Government Communications Headquarters, said at a 2015 conference that his organization “has disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business.” Furthermore, the organization reportedly disclosed over 20 vulnerabilities to vendors in 2016, including flaws in Firefox, iOS 9.3 and OS X El Capitan.

Canada has taken a similar approach. Its national cryptologic agency, the Communications Security Establishment, confirmed this year that it has “a rigorous process in place to review and assess software vulnerabilities” involving a panel of experts from across the agency. But as in the United Kingdom’s case, few other details about the process are available.

In Europe, vulnerability equities discussions are nascent. According to the Centre for European Studies think tank, European countries are beginning to call for the European Union to “outline specific principles for member states to follow in developing a European vulnerability equities process with clear priority given to reporting vulnerabilities to vendors.” At the same time, other states – the Netherlands, Hungary, France, Italy and Romania among them – appear to be pursuing vulnerability disclosure through forums like the Global Forum on Cyber Expertise. Such efforts, however, have focused for several years on industry disclosure processes and have yet to earnestly tackle government vulnerability equities.

An International Framework for Vulnerability Equities

An international conversation about vulnerability equities is sorely needed. We are not advocating that all nations adopt the U.S. model of vulnerability equities. Rather, we propose that every nation that uses zero-days could take three preliminary steps:

1. Openly acknowledge that decisions regarding retaining or releasing zero-days are not taken lightly, and that such decisions weigh both the national security gains and the cybersecurity benefit of disclosing the vulnerability to the vendor and subsequently the public.
2. Build a process to ensure that decisions about all zero-day vulnerabilities involve participants not just from the national security community, but also those who represent commercial, critical infrastructure, and public cybersecurity interests.
3. Pursue dialogue with external stakeholders, such as policy advocates, academics and security professionals, to ensure decisions about tradeoffs and processes are informed by a range of viewpoints.

These proposed steps will not necessarily be easy for all governments to pursue, especially for those governments whose intelligence or cyber operations programs remain tightly compartmentalized or shrouded in secrecy. Some nations, such as Russia and North Korea, may not be concerned with public cybersecurity and will not conduct open dialogue about trade-offs. But nations that pursue these steps are likely to see significant benefits.

The exercise of building a process—such as articulating a charter, identifying agency participation, voting structure and decision criteria—forces much-needed governmental introspection about the technical, procedural and cultural equities at stake. The exercise helps identify and engage key stakeholders, both inside and outside government, and foster trust among them. Furthermore, it forces governments to uncover, understand, and enforce the core values and standards by which they want to operate in the digital domain.

Building an equities process at the interagency or national level may also help mature a nation’s broader vulnerability management capabilities. For example, it might help governments assess the risk that any given vulnerability poses to its agencies, businesses and citizens. Implementing an equities process also forces agencies to mature their broader practices for fixing vulnerabilities in their own networks. While straightforward to design, a successful vulnerability management program is notoriously difficult to implement. A commitment by agencies to such a national effort will likely help keep them on track.

Private-sector stakeholders will have their own obligations. Software and hardware vendors should work hard to minimize software flaws from the outset. They should also publicly commit to quickly developing and issuing fixes or providing mitigation instructions for disclosed vulnerabilities. And end-users would need to comply in order to apply these patches and protect their systems appropriately.

The third step, dialogue with external stakeholders, will help other countries avoid the controversy and misunderstanding that has surrounded the U.S. vulnerability equities process. Given the inherent need for secrecy underlying operations in cyberspace, full transparency is neither realistic nor required. However, dialogue on high-level principles and process details--like which agencies are involved in decisions and how often retained vulnerabilities are reviewed-- has the potential to reduce friction and create common ground.

One tricky topic with which each nation will have to contend is that equities processes appear focused on the vulnerability itself, while some observers express a desire to understand broader issues such as how governments acquire knowledge of those flaws; what tools they use to exploit them and for how long; and how they protect such tools from exposure to malicious third parties, which may repurpose them. Governments are unlikely to reveal detail about such “life cycle” issues due to classification. But cybersecurity professionals view these issues as important matters of trust and stability in the digital domain. Both groups would benefit if cybersecurity professionals were able to express their concerns directly but constructively, and if governments listen and consider such concerns in good faith.

As nations develop these equities processes, they become empowered to share vulnerability information with like-minded countries, thereby strengthening trust and bilateral partnerships. And with a growing reliance on the global software and hardware monoculture (which may also include military weapon and defensive technologies), these partnerships may become a crucial component of military alliances. At heart is the need to work together to responsibly promote trust, stability and security in the functioning of the global digital economy while also acknowledging legitimate national security needs. Countries that have a vulnerability equities process will be better positioned to create and contribute to this new international dialogue, demonstrate leadership, and deepen relationships with partner nations and industry.

Next Steps

What practical steps can international stakeholders take to encourage progress?

Private sector companies, especially large information technology companies, can use their global positions to advocate for more transparent vulnerability disclosure. Companies should raise their concerns, ideas and information needs with governments, even if those governments haven’t yet acknowledged the use of zero-day vulnerabilities. However, companies should be willing to accept that their corporate interests are only one voice in a concert of equities.

Government officials from countries with equities processes should urge international counterparts to take these three steps described above (i.e. acknowledge that disparate equities are considered, develop a formal process, and engage stakeholders). Raising the issue in bilateral meetings could trigger other governments to reexamine their policies. Such engagement could take place through agencies that focus on cybersecurity and commercial interests, such as Ministries of Interior or Ministries of Commerce, in order to raise awareness among counterparts who may not be involved in decision-making about zero-day vulnerabilities. But engagement should also take place in military and intelligence channels, informing those who are most likely to find and retain zero-day vulnerabilities.

Finally, we need more vulnerability management and disclosure forums created by international policy advocates, academics and security professionals. Initiatives over the last eighteen months--like government bug bounties, vulnerability disclosure programs, and open discussion about vulnerabilities equities--have represented a material evolution in government ownership of vulnerability management.

In light of this trend, the Carnegie Endowment will aim to advance forums structured to attract policymakers, not just cybersecurity and information technology professionals, to expand constructive dialogue and build support for better vulnerability management. Such dialogue, if well structured, can reduce divides between stakeholders, help ensure more secure governments and citizens, and promote greater stability in cyberspace.

The views expressed here are those of the authors and do not represent those of the U.S. Government, Department of Defense, or other organization.