
The U.S. Vulnerabilities Equities Process: An Economic Perspective

  • Conference paper
  • Decision and Game Theory for Security (GameSec 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10575)

Abstract

The U.S. Vulnerabilities Equities Process (VEP) is used by the government to decide whether to retain or disclose zero-day vulnerabilities that the government possesses. There are costs and benefits to both actions: disclosing the vulnerability allows the vulnerability to be patched and systems to be made more secure, while retaining the vulnerability allows the government to conduct intelligence, offensive national security, and law enforcement activities. While redacted documents give some information about the organization of the VEP, very little is publicly known about the decision-making process itself, with most of the detail about the criteria used coming from a blog post by Michael Daniel, the former White House Cybersecurity Coordinator. Although the decision to disclose or retain a vulnerability is often considered a binary choice—to either disclose or retain—it should actually be seen as a decision about timing: to determine when to disclose. In this paper, we present a model that shows how the criteria could be combined to determine the optimal time for the government to disclose a vulnerability, with the aim of providing insight into how a more formal, repeatable decision-making process might be achieved. We look at how the recent case of the WannaCry malware, which made use of a leaked NSA zero-day exploit, EternalBlue, can be interpreted using the model.



Author information

Correspondence to Tristan Caulfield.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Caulfield, T., Ioannidis, C., Pym, D. (2017). The U.S. Vulnerabilities Equities Process: An Economic Perspective. In: Rass, S., An, B., Kiekintveld, C., Fang, F., Schauer, S. (eds) Decision and Game Theory for Security. GameSec 2017. Lecture Notes in Computer Science, vol 10575. Springer, Cham. https://doi.org/10.1007/978-3-319-68711-7_8

  • DOI: https://doi.org/10.1007/978-3-319-68711-7_8
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-68710-0
  • Online ISBN: 978-3-319-68711-7
  • eBook Packages: Computer Science (R0)
