It is interesting to take notice of the portions of the WikiLeaks Vault7 dump that have elicited the most visceral response. Many pundits and analysts have divided their rage between targets like Julian Assange (the traitor), the leaking CIA insider (deep drip), and the CIA itself (Big Bro) for spying on U.S. citizens.
But amid all of this noise, no one has even mentioned the most insidious revelation of all: the extent to which U.S. intelligence agencies have hollowed out the Vulnerabilities Equities Process (VEP).
The VEP originated in 2008 as an effort to improve the government's ability to use offensive capabilities against U.S. adversaries while also protecting government and public information systems. By 2010 it had become a formal written procedure, administered by the Cybersecurity Coordinator and Special Assistant to the President.
The procedure called for a series of steps to be taken whenever any of the intelligence agencies became aware of a vulnerability in widely used software, operating systems or applications, so that the originators of those technologies (Microsoft, Adobe, Apple, etc.) could repair the flaw before it was abused in the wild.
This all sounds reasonable, right?
The only problem is that the VEP is full of loopholes, subjective timetables and interpretive rulings. The result is that an agency can do essentially as it pleases and decline to disclose any vulnerability it deems to be in the nation's best interest to keep secret. In practice, very little is disclosed.
One of the smartest analysts on the topic of cybersecurity raged over the weekend about how the treasonous WikiLeaks dump has made public all of these hitherto undisclosed malware strains and techniques so that now our enemies can use them against us.
While that is a real problem, I think the larger revelation is that these intelligence agencies have been hoarding knowledge of attack tools and techniques that are being used daily against the private business sector. In fact, the U.S. spent almost $60 billion defending against cyber-attacks last year, while many, if not all, of the exploits, attack vectors and techniques involved were known to our intelligence agencies all along.
Our primary cause for concern resulting from this Vault7 dump is the discovery that our intelligence agencies are lawfully able to withhold critical attack-vector, malware-design and exploit technique information from the private sector. If we are to be outraged about anything, it should be that we have met the enemy and it is indeed our own team. This knowledge should empower us to bring about significant changes in how these agencies are allowed to do business.
First, instead of reserving these secretly held vulnerabilities for their own offensive use, our government should (by executive order) require these agencies to disclose known vulnerabilities to the affected vendors immediately and on an ongoing basis, so that they can be patched and foreign governments and cyber-criminals are forced to look elsewhere in order to launch attacks against businesses, organizations and U.S. citizens.
This won't end the problem, but it will stop us from leaving open the doors our adversaries walk through.
Regardless of how "useful" these vulnerabilities are to our intelligence agencies, a vulnerability that is kept secret and unpatched leaves citizens' data, businesses and government systems exposed. Secrecy protects only the agency's capability, not the systems that share the flaw: an adversary who independently discovers the same vulnerability can exploit it just as readily, and no one else is in a position to defend against it. Thus, if the government does not disclose to technology companies the vulnerabilities it obtains, both public and private systems will remain at risk.
Second, the entire VEP needs to be scrapped and the proper intentions of the process rebuilt into new cybersecurity mandates designed first to protect our citizens and the private sector, and only then to provide our intelligence agencies with the leverage they need to prosecute an offensive against nation-state attackers.
There is nothing Pollyannaish about this view. If you think I don't know that these agencies smirk at the idea that low-information deplorables like myself just don't understand the "big picture," you are mistaken.
There is clear evidence that we are both under attack by global enemies and that we are engaged in asymmetric cyber-warfare with the playing field tilted dramatically against us. We are losing this war and we need all the help we can get. But, my premise is that we are relying on the wrong help in the wrong way.
Instead of hiding vulnerabilities in technology, our government agencies should be working together with the cyber-technology industry to invent new and effective offensive and defensive weapons to both increase the forward pressure on the enemy while reducing the inbound attack surfaces. And it’s not just software. Hardware is an important consideration today owing to mobile devices like smart phones, but will become critical tomorrow owing to an increasingly connected planet through tens of billions of IoT devices in our homes and businesses.
If we continue to allow our spy guys to run roughshod over the technology companies that are doing their best to swim against the current, we will never make any progress in this battle.
The current administration has a unique and time-limited opportunity to strike a blow against our enemies and we can only hope our new Sheriff is truly locked and loaded.