The precise details behind the US government’s Vulnerabilities Equities Process remain classified, but that didn’t stop Atlantic Council fellow and Columbia University researcher Jason Healey from addressing the subject during his speech at this year’s Defcon hacker conference in Las Vegas.
Healey told his audience what he had gathered through extensive research into the VEP, a covert procedure the US government uses to decide whether to disclose the software and hardware vulnerabilities it discovers in major manufacturers’ products or to keep them secret so as to exploit them. According to Healey’s body of research, drawn from interviews, public documents, and budget information, the NSA was likely hoarding only dozens of exploitable code flaws.
“I was shocked,” Healey told a room of incredulous attendees. “I assumed it was in the hundreds.”
The public knows very little about the procedure or the number of vulnerabilities that pass through it. Some civil liberties groups have even called for the government to submit all vulnerabilities to review, publish transparency reports, and disclose all vulnerabilities as quickly as possible.
“This is a mindbogglingly terrible idea,” security consultancy founders Matt Tait and Dave Aitel wrote in an essay for Lawfare this week. According to the experts, the VEP is “broken” and “at some level empty PR gamesmanship or simply poorly thought out guesswork,” but the revision that some activists call for constitutes “clamour to make things significantly worse.”
According to their post, the VEP puts the US at a disadvantage without actually protecting its citizens:
“Herein lies the basic problem: US cyber operations already face a greater level of scrutiny and limitations than our competitors. But single-minded reformists seek still more restrictions. At the same time, US cyber capabilities grow increasingly critical and central to the basic function of democratic interests worldwide. Without a robust investment in these capabilities, the US will lack the ability to solve the “Going Dark” issue and our intelligence efforts will start to run into quicksand around the world.”
Tait and Aitel argue that the government must stockpile bugs or else risk falling behind in the race to build ever-stronger cyber weaponry.
Of course, given “The Shadow Brokers revelations” and how they have stood as a testament to the risk that keeping vulnerabilities secret creates for private users all around the world, the tide may turn in favor of the very activists whom Tait and Aitel condemn.
The fact is, vulnerabilities in security software that the US government found and kept covert are now exposed to malicious hackers all around the world. If the NSA can be hacked and its information stolen, any cyber weapons it builds can fall into the wrong hands, escalating an arms race instead of winning it.
In that regard, these hacking tools and vulnerabilities fit a familiar pattern: nations at war develop new technology to gain an edge, only to find that the very technology that empowered them has become their next biggest risk. Only time will tell whether the human race will ever escape this cycle.