
Schneier on Hoarding v. Patching Vulnerabilities

Jack Goldsmith
Tuesday, May 20, 2014, 12:11 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

Bruce Schneier has a very good piece on whether the USG should “stockpile Internet vulnerabilities or disclose and fix them.” Part of his answer:
If vulnerabilities are sparse, then it's obvious that every vulnerability we find and fix improves security. We render a vulnerability unusable, even if the Chinese government already knows about it. We make it impossible for criminals to find and use it. We improve the general security of our software, because we can find and fix most of the vulnerabilities.

If vulnerabilities are plentiful—and this seems to be true—the ones the U.S. finds and the ones the Chinese find will largely be different. This means that patching the vulnerabilities we find won’t make it appreciably harder for criminals to find the next one. We don’t really improve general software security by disclosing and patching unknown vulnerabilities, because the percentage we find and fix is small compared to the total number that are out there.

But while vulnerabilities are plentiful, they’re not uniformly distributed. There are easier-to-find ones, and harder-to-find ones. Tools that automatically find and fix entire classes of vulnerabilities, and coding practices that eliminate many easy-to-find ones, greatly improve software security. And when one person finds a vulnerability, it is likely that another person soon will, or recently has, found the same vulnerability. Heartbleed, for example, remained undiscovered for two years, and then two independent researchers discovered it within two days of each other. This is why it is important for the government to err on the side of disclosing and fixing.
Lots more of interest in this essay.

Jack Goldsmith is the Learned Hand Professor at Harvard Law School, co-founder of Lawfare, and a Non-Resident Senior Fellow at the American Enterprise Institute. Before coming to Harvard, Professor Goldsmith served as Assistant Attorney General, Office of Legal Counsel from 2003-2004, and Special Counsel to the Department of Defense from 2002-2003.
