Discussion Paper - Cyber Security Project, Belfer Center
Government's Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process
When government agencies discover or purchase zero day vulnerabilities, they confront a dilemma: should the government disclose such vulnerabilities, and thus allow them to be fixed, or should the government retain them for national security purposes? This is a difficult question because the government is simultaneously charged with protecting the nation in cyberspace and with intelligence, law enforcement, and military missions that may require the use of such vulnerabilities. A decision by the government to retain a zero day vulnerability likely undercuts general cybersecurity, while disclosing information about a zero day vulnerability so vendors can patch it could undercut the ability of law enforcement to investigate crimes, intelligence agencies to gather intelligence, and the military to carry out offensive cyber operations.
The debate over this issue is complex. Some commentators take the position that the government should immediately release all zero day vulnerabilities, irrespective of their intelligence or national security value. At the same time, there are circumstances where retention of a zero day vulnerability by the government for law enforcement or national security purposes is justified, as long as there are clear limits on and adequate oversight of the decision to retain and use such a vulnerability. For example, if a law enforcement agency has an ongoing investigation on a suspect and the only information is coming through communications legally intercepted through a previously unknown vulnerability, the balance may very well be for the agency to keep the vulnerability, at least until the end of the investigation.
Only in recent years has the government created a Vulnerability Equities Process ("VEP"), and attempted to explain how the government determines whether to release or retain a zero day vulnerability. As explained by White House Cybersecurity Coordinator Michael Daniel,the existing VEP uses a "deliberate process that is biased toward responsibly disclosing [a] vulnerability. . . ." Daniel also explained, however, that there are "no hard and fast rules" governing the VEP, although he did outline a series of questions that he considers when presented with a zero day vulnerability disclosure issue.
While the current VEP functions as intended, the guidelines articulated in the Daniel blog post may be undercut in a future administration unless formalized now. Some individual VEP decisions must remain classified, but the high-level criteria that informs disclosure or retention decisions should be subject to public debate and scrutiny. Furthermore, certain information about the implementation of the VEP, particularly the aggregate numbers of zero day vulnerabilities discovered, the aggregate numbers of such vulnerabilities disclosed (as opposed to retained for government use), and the length of time that vulnerabilities are kept before disclosure, do not compromise sources and methods of how these vulnerabilities may have been discovered. Public and official release of information about the process with clear oversight would increase public confidence in the program, and in the government’s commitment to the core principles laid out by Administration to date, and could become a model for other nations around the world.
In the Spotlight
Paper - Belfer Center for Science and International Affairs, Harvard Kennedy School
Policy Brief - Environment and Natural Resources Program, Belfer Center