Governmental Vulnerability Assessment and Management
Weighing Temporary Retention versus Immediate Disclosure of 0-Day Vulnerabilities
Government-led acquisition, assessment and management of vulnerabilities to enable offensive cyber operations and a wide array of information gathering efforts is one of the most topical debates in cyber security today. Vulnerabilities are at the core of major discussions, namely hacking by law enforcement, private sector hacking back, military cyber operations and intelligence collection, because they greatly increase the operational value and efficiency of those activities. Mitigating and patching vulnerabilities is crucial, however, for protecting both public and private sector networks and critical infrastructures. In addition to government entities and critical infrastructure operators, the private sector and the general public have vested interests in this issue. Governments for their part are not only potential exploiters of vulnerability information, but also users of the technologies that may be impacted from a security standpoint by a failure to patch discovered vulnerabilities. In addition, they are regulators of entities required to protect critical infrastructure and sensitive personal information. Hardware vendors, software vendors and providers of online services have an incentive to identify and fix vulnerabilities in their hardware, software and online services, in order to provide a secure service and prevent reputational and financial harm. The private sector and the public would like to use secure devices and services to avoid falling victim to cyber espionage and crime, as well as to simply communicate freely and confidentially. In general, the internet ecosystem benefits from patching vulnerabilities, and government policy should be to disclose them unless there is a specific, justifiable reason for retaining and using them in law enforcement, intelligence or military programs. Therefore, it is paramount to assess and manage the tradeoffs and various equities of civil liberties, commerce, public safety and IT security. 
The underlying mission statement has been eloquently summarized in the Vulnerabilities Equities Policy and Process for the United States Government (VEP): “The primary focus of this policy is to prioritize the public’s interest in cybersecurity and to protect core internet infrastructure, information systems, critical infrastructure systems, and the US economy through the disclosure of vulnerabilities discovered by the USG, absent a demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law enforcement, or national security purposes”.
In November 2017, the United States Government published its VEP charter, which outlines the organizational structure, processes and respective indicators/equities that are to be applied to government-held vulnerabilities. Though details about this process still remain classified, the VEP publication set a new bar for government transparency around vulnerability handling and disclosure. The longstanding discussion about the VEP, even when the mechanism was still mainly discussed behind closed doors, together with other information about international approaches, provided important source material for the development of this paper, and both are relevant to governments around the world.
The main focus of the Transatlantic Cyber Forum’s working group on encryption policy and government hacking is to urge the adoption of publicly disclosed policies for vulnerability handling and disclosure in the German and EU debates, while continuing to identify and advocate for further improvements to the existing process in the United States. This paper highlights principles and criteria that could guide discussions on implementation across different countries. An overarching theme is that governments should develop processes that are weighted towards disclosure, with retention being authorized under specific circumstances and only for limited periods of time. The focus of these policies should be on “when” and “how” disclosure should occur rather than “whether” and “if”.