[ISN] Obama Policy on Zero Days Craps Out

http://www.forbes.com/sites/jennifergranick/2014/04/29/obama-policy-on-zero-days-crap/
By Jennifer Granick
Forbes.com
4/29/2014

Yesterday afternoon, the White House put out a statement describing its vulnerability disclosure policies: the contentious issue of whether and when government agencies should disclose their knowledge of computer vulnerabilities. The statement falls far short of a commitment to network security for all and fails to provide the reassurance the global public needs in the midst of the NSA’s security scandal. It basically says the White House plays a well-intentioned guessing game with our online safety.

The National Security Agency (NSA) is a single agency with a dual mission—protecting the security of U.S. communications while also eavesdropping on our enemies. In furtherance of its surveillance goals, we recently learned about some of the NSA’s top secret efforts to hack the Internet. For example, the NSA runs a network of Internet routers and surveils all traffic that passes through them. It hijacks (or did until recently) Facebook sessions to install malware. It has its own botnets, or networks of compromised computers, that it controls, and it has taken over botnets created by other criminals. It uses these capabilities to steal information, to deny access to websites and other Internet services, and to modify digital information, whether in transit or stored on servers.

Given these revelations, the public might reasonably believe the NSA’s deck is stacked against securing people from the very same online vulnerabilities the agency could exploit. For example, some skeptics–not I, however–disbelieve government disavowals of advance knowledge of Heartbleed, one of the worst security holes ever found.
To assuage this concern, on April 12th, President Obama announced the government will reveal major flaws in software to assure that they will be fixed, rather than keep quiet so that the vulnerabilities can be used in espionage or cyberattacks, with one huge exception—if there’s “a clear national security or law enforcement need”. Yesterday’s statement by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, tries to reassure the public that this Administration knows how to make that judgment call. There are “established principles” and an “established process” for making what are essentially guesses—bets—on network insecurities, based on a series of facially sensible, but practically almost unanswerable, questions. Officials have to assess the risk from vulnerabilities. They have to guess how hard it is for other people to find the same flaw. They have to gamble on whether officials will figure out when the bad guys gain the same attack capabilities. They have to hypothesize whether, when they do, the attackers will use their knowledge to devastating effect. […]