The U.S. government took a long-needed step when it announced on Wednesday new details about its Vulnerability Equities Process (VEP), the interagency process used to determine whether to notify a software vendor about a previously unknown (“zero-day”) vulnerability, or to temporarily use the vulnerability for lawful, national security purposes. The public release of this charter is a positive step toward increasing transparency on this controversial process. This announcement is certain to prompt a new round of national debate as people continue to examine and question the specifics of the charter. But another key challenge is also beginning to surface: multiple countries around the world are likely discovering, retaining and exploiting zero-day vulnerabilities without a process to properly consider the trade-offs. This needs to change. It's time for the international community to get serious about vulnerability equities.
As Offensive Cyber Capabilities Rise, Few Consider Vulnerability Equities
More nations are bearing the responsibility to make well-informed trade-offs regarding vulnerabilities. In early 2017, senior U.S. intelligence officials told Congress that more than 30 nations are adopting offensive cyber capabilities. Such programs are increasingly integrated into military operations and planning. The United States and United Kingdom speak openly about their use of offensive cyber operations against ISIS. Russia has publicly stated its intention to use offensive cyber operations before resorting to conventional military force.
To accomplish offensive cyber missions--including law enforcement, military and traditional intelligence missions--states look for flaws or weaknesses in hardware and software that allow them to remotely access and manipulate an adversary's computer system. Zero-day vulnerabilities provide valuable access to targets; in fact, they played important roles in prominent malware such as Stuxnet and Flame, which was used to disrupt Iran's nuclear program. In addition to these offensive interests, every nation also has defensive cyber interests, such as securing the systems upon which its government, businesses and citizens rely. Stronger defensive concerns relative to offensive ones might induce a state to disclose a vulnerability to the vendor, which may then issue a patch or otherwise protect its users.…
The remainder of this commentary is available at lawfareblog.com
Kate Charlet is the inaugural Program Director for Technology & International Affairs at the Carnegie Endowment for International Peace. She focuses on the international implications of information technology, biotechnology, and artificial intelligence. She previously served as the Deputy Assistant Secretary of Defense (acting) for Cyber Policy. Sasha Romanosky, PhD, is a policy researcher at the RAND Corporation where he researches topics on the economics of security and privacy, national security, applied microeconomics, and law & economics. He is a former Cyber Policy Advisor at the Department of Defense, and co-author of the Common Vulnerability Scoring System, an international standard for scoring computer vulnerabilities. Bert Thompson is a former James C. Gaither Junior Fellow in Carnegie's Cyber Policy Initiative.
This commentary originally appeared on Lawfare on November 15, 2017. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.