21 July 2017

Intel bill directs report on cyber-vulnerability disclosure process

By: Mark Pomerleau

A newly passed bill in the House Intelligence Committee directs the Intelligence Community inspector general to review the IC's role in the disclosure process for cyber vulnerabilities.

The FY18 Intelligence Authorization Act, which unanimously passed the committee July 13 but is still a bill, is meant to help determine “whether, how and to whom information about a vulnerability that is not publicly known will be shared with or released to a non-Federal entity or the public.”

Following such a review, the House bill mandates a report on its results within 240 days of the bill becoming law. The report is to include a description of the IC's roles and responsibilities within this process; the criteria the federal government uses in determining when, and with whom, to disclose vulnerabilities; a description of the current mechanisms overseeing the process; and recommendations to improve its efficiency, effectiveness and accountability.

The bill also asks the report to include a summary of the most significant incidents where a vulnerability known to the intelligence community, but not shared with or released to a nonfederal entity or the public, was exploited by an individual, an entity or a foreign country in the course of carrying out a cyber intrusion.

Several high-profile global cyber incidents allegedly leveraging stolen vulnerability stockpiles of the National Security Agency have created an uproar of sorts. The government retains sets of discovered exploits or vulnerabilities, in some cases zero days, as a means of collecting intelligence against certain targets. Experts as well as current and former officials maintain that such hoarding of vulnerabilities is critical to keeping the nation safe for spying purposes, while civil libertarians and private sector IT companies believe exploit hoarding creates a dangerous environment.

Under the Obama administration, the White House established the vulnerabilities equities process, by which the government would disclose certain vulnerabilities discovered by both the public and private sectors in the name of cybersecurity for all.

Following recent global cyber incidents, the Obama-era policy and the practice of hoarding vulnerabilities have come under increased scrutiny. Legislation has been introduced to codify the vulnerabilities equities process, since it is currently merely policy rather than law.

Microsoft's president and chief legal officer, Brad Smith, has become one of the most vocal critics of the United States IC in light of recent incidents — especially since an exploit for a Microsoft vulnerability has twice been used in global attacks.

“[T]his attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017,” he wrote in a blog post in May following the so-called WannaCry episode. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

Smith went on to say these incidents should be a wake-up call for governments, demanding they take a different approach to cybersecurity, one akin to the rules applied to physical weapons, and even going so far as to call for a digital Geneva Convention.

Cybersecurity exchange

The House Intelligence Committee bill also calls for a voluntary cybersecurity exchange program between the government and private sector.

The director of national intelligence, the bill directs, will submit a report to Congress on the potential establishment of a voluntary exchange program, through which an intelligence community employee with “demonstrated expertise and work experience in cybersecurity” may elect to be temporarily detailed to a private tech company that has chosen to participate in such a process, and vice versa.

Government officials point out the need to compete harder for talent, given the national shortage of proficient cybersecurity expertise. While unable to compete with salaries in the lucrative private sector, officials maintain that the mission and the pride of serving one's country are what attract potential recruits.

Election security

Following the alleged Russian influence operation in the 2016 presidential election, the House Intelligence Committee bill calls for the director of national intelligence, the undersecretary of homeland security for intelligence and analysis, and the FBI director to create an advisory report, to be made publicly available online, detailing foreign counterintelligence and cybersecurity threats to federal election campaigns.

Each such report — taking into account the protection of sources and methods — will include a description of foreign counterintelligence and cybersecurity threats to federal campaigns, a summary of best practices for campaigns to employ, and an identification of any publicly available resources for countering threats.

Moreover, if the FBI director and undersecretary of homeland security for intelligence and analysis jointly determine a campaign is subject to a heightened threat, the bill says, they may make available additional information to appropriate representatives of each campaign — again, consistent with the protection of sources and methods.

The bill now moves to the full House for consideration. 