A leak of sensitive computer code is spurring calls for the government to be more transparent about its handling of a secret stockpile of network intrusion tactics.
The leaked code, believed to have originated from an NSA operation, contained previously unknown techniques for breaking into widely used network hardware from Cisco, Fortinet and Juniper Networks.
The leaks left countless computer networks vulnerable to hackers — something security professionals and government officials alike acknowledge is a risk of stockpiling these kinds of techniques.
The government has a program in place to minimize that risk, called the Vulnerability Equities Process (VEP), which requires agencies to justify keeping a security vulnerability and report all other vulnerabilities to manufacturers so they can be repaired. While the VEP receives praise from civil libertarians as a considerable step up from countries making no similar effort, many are seizing on the NSA leaks to push for changes to the program.
“One of the better things the Obama administration did was to create a presumption of disclosure,” said Gabe Rottman, deputy director of the Freedom, Security and Technology Project at the Center for Democracy and Technology. “But being more open on the policy would be a good start.”
The administration has revealed very little about the inner workings of the VEP. A White House board makes the ultimate decision of which vulnerabilities are kept by weighing investigative necessity against the harm that would be caused by the vulnerability going unfixed.
The administration has not, however, revealed contingency details that Rottman believes would be valuable.
“Are they required to notify manufacturers in unreleased Shadow Brokers files that they have vulnerabilities?” asked Rottman. Advance notice would give companies a head start on fixing vulnerabilities before they were leaked.
Analysts say other important details about the program have not been disclosed either, including who makes the decisions. It is also unclear why the FBI did not have to disclose a vulnerability it purchased to break into an Apple iPhone.
“Is there a periodic review to determine if vulnerabilities they decided to keep should ever be disclosed?” asked Denelle Dixon-Thayer, chief legal and business officer at Mozilla.
Most members of the security community are pragmatic enough to know that the government will never disclose everything — “Unrealistic,” said Dixon-Thayer — but even slightly more information could help tech firms prepare.
Transparency would be immediately helpful, but there is no guarantee that the Obama program will be taken up by the next commander in chief.
“It may be important to codify this into law,” said Dixon-Thayer. “I don’t think the software industry or any person in the USA should be okay with this policy not continuing in the next administration.”