CybersecurityDebating disclosures of cyber vulnerabilities

Cybersecurity experts are debating whether the NSA and U.S. Cyber Command should keep cyber vulnerabilities secret, or disclose and fix them. Not disclosing and fixing cyber vulnerabilities means that, when necessary, such vulnerabilities may be used as weapons in offensive information warfare. A software vulnerability allows a hacker to reduce a system’s information assurance, and hundreds such vulnerabilities are discovered every year. Zero-day vulnerabilities, or other unpublished vulnerabilities, are valuable because no system is protected, and someone with knowledge of the flaws within a system can attack that system with impunity.

 Those in charge of the nation’s cyber health may decide that defensive cyber action may be more valuable: this means that when vulnerabilities are discovered, the vendor is alerted, leading to the vulnerability being fixed and resulting in a more secured system. U.S. cyber warrior may not be able to attack these systems and disrupt an adversary’s network, but the adversary would not be able to attack U.S. systems.

According to the Atlantic, if an offensive military unit discovers a software vulnerability, it will keep such knowledge classified and cautiously use it as a cyber-weapon, but if the vulnerability remains classified without use for too long, it risks being discovered by an adversary. The likelihood of finding a vulnerability after it has been recently discovered by another source is high. The Heartbleed bug remained undiscovered for two years until two independent researchers discovered it within two days of each other.

There is a race to develop cyber-weapons and discover cyber vulnerabilities, and the Chinese, Russian, and U.S. government, while trying to eliminate their own vulnerabilities, realize that by doing so, they may end up diminishing the effectiveness of their own offensive cyber-weapons. The Atlantic notes that there is no way simultaneously to defend U.S. networks while leaving foreign networks open to attack. We all use the same software, so fixing our systems means fixing their systems, and leaving them vulnerable means leaving us vulnerable. “Every offensive weapon is a (potential) chink in our defense — and vice versa,” said Harvard Law Professor Jack Goldsmith.

The president’s Review Group on Intelligence and Communications Technologies concluded that vulnerabilities should be stored in rare instances and for a limited time. Computer security analyst Dan Geer recommends that the U.S. government should dominate the vulnerabilities market and fix all vulnerabilities, but intelligence agencies claim that this will result in unilateral disarmament. The NSA has a classified process to determine whether vulnerabilities should be disclosed or kept secret, but the U.S. government cannot discover all vulnerabilities, as there are just too many of them. Moreover, the vulnerabilities discovered by the U.S. government will be different from those discovered by the Chinese or Russians.

A disclosure of discovered vulnerabilities will diminish the offensive power of those vulnerabilities in the hands of adversaries. Even when a vulnerability has been discovered, using it offensively requires a delivery mechanism. Common delivery mechanisms can be fought with the proper security measures. More investment in securing U.S. government systems, and the adoption of the government’s voluntary cybersecurity framework for the private sector, may offer some protection against those delivery mechanisms.