Obama Policy on Zero Days Craps Out

[InfoSec News <alerts () infosecnews org>]

http://www.forbes.com/sites/jennifergranick/2014/04/29/obama-policy-on-zero-days-crap/

By Jennifer Granick
Forbes.com
4/29/2014

Yesterday afternoon, the White House put out a statement describing its 
vulnerability disclosure policies: the contentious issue of whether and 
when government agencies should disclose their knowledge of computer 
vulnerabilities. The statement falls far short of a commitment to network 
security for all and fails to provide the reassurance the global public 
needs in the midst of the NSA’s security scandal. It basically says the 
White House plays a well-intentioned guessing game with our online safety.

The National Security Agency (NSA) is a single agency with a dual 
mission—protecting the security of U.S. communications while also 
eavesdropping on our enemies. In furtherance of its surveillance goals, we 
recently learned about some of NSA’s top secret efforts to hack the 
Internet. For example, the NSA runs a network of Internet routers that it 
surveils all traffic going through. It hijacks (or did until recently) 
Facebook sessions to install malware. It has its own botnets, or networks 
of compromised computers, that it controls, and it has taken over botnets 
created by other criminals. It uses these capabilities to steal 
information, to deny access to websites and other internet services, and 
to modify digital information, whether in transit or stored on servers.

Given these revelations, the public might reasonably believe the NSA’s 
deck is stacked against securing people from the very same online 
vulnerabilities the agency could exploit. For example, some skeptics–not 
I, however–disbelieve government disavowals of advance knowledge of 
Heartbleed, one of the worst security holes ever found. To assuage this 
concern, on April 12th, President Obama announced the government will 
reveal major flaws in software to assure that they will be fixed, rather 
than keep quiet so that the vulnerabilities can be used in espionage or 
cyberattacks, with one huge exception—if there’s “a clear national 
security or law enforcement need”.

Yesterday’s statement by Michael Daniel, Special Assistant to the 
President and Cybersecurity Coordinator, tries to reassure the public that 
this Administration knows how to make that judgment call. There are 
“established principles” and an “established process” for making what are 
essentially guesses—bets—on network insecurities, based on a series of 
facially sensible, but practically almost unanswerable, questions. 
Officials have to assess the risk from vulnerabilities. They have to guess 
how hard it is for other people to find the same flaw. They have to gamble 
on whether officials will figure out when the bad guys gain the same 
attack capabilities. They have to hypothesize whether, when they do, the 
attackers will use their knowledge to devastating effect.

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/