The Electronic Frontier Foundation (EFF) is suing the National Security Agency (NSA) over how the government decides whether to disclose security flaws uncovered by the intelligence community.
In the wake of the Heartbleed fiasco, and pointed reports that the NSA both knew about the vulnerability and had exploited it, the Office of the Director of National Intelligence (ODNI) denied any prior knowledge of the bug. As the EFF quotes in its lawsuit, the ODNI stated that a policy in place called the “Vulnerabilities Equities Process” is used to decide when to disclose security flaws that it uncovers.
Amid the controversy in April, the White House explained in a post on its blog the process the administration uses to decide whether to disclose cyber vulnerabilities. But its explanation was vague and flawed.
Michael Daniel, special assistant to the president and cybersecurity coordinator, said “we have established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.” Yet in the same paragraph he says “there are no hard and fast rules.” He then gives a list of broad questions he asks when an agency wants to withhold knowledge of a vulnerability.
Another concern with the post is that it notes efforts to implement this policy were “re-invigorated” this spring. The reports (which the White House denied) accuse the NSA of having known about the Heartbleed vulnerability for years. Was the policy being fully implemented before the Heartbleed reports put the public on high alert?
In its suit, the EFF wants to know how the Vulnerabilities Equities Process was built and how it works in practice. Leaning on the Freedom of Information Act (FOIA), it requested records that relate to “the development or implementation of the ‘Vulnerabilities Equity Process’ and . . . the ‘principles’ that guide the agency ‘decision-making process for vulnerability disclosure’ in the process described in the White House blog post.”
Despite the EFF asking for expedited processing, the government failed to produce the requested material within the 20 working days FOIA allows for a response. As a result, the EFF is now using more aggressive legal action to force disclosure.
It matters that we understand how the government approaches security flaws, and when it feels obligated to disclose them, because such weaknesses can be potent weapons.
As the White House pointed out in its April post, disclosing a vulnerability could mean the government misses an opportunity to “thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities.”
But when the NSA finds a vulnerability and does not disclose it to the software maker or to the community as a whole, every user of the affected code remains exposed to anyone else who independently discovers the same flaw.
The White House says it weighs such risks when the government withholds this information, but it could and should be more transparent about how it arrives at decisions that can endanger Americans’ security and privacy.