Advertisement

The U.S. Vulnerabilities Equities Process: An Economic Perspective

  • Tristan Caulfield
  • Christos Ioannidis
  • David Pym
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10575)

Abstract

The U.S. Vulnerabilities Equities Process (VEP) is used by the government to decide whether to retain or disclose zero day vulnerabilities that the government possesses. There are costs and benefits to both actions: disclosing the vulnerability allows the vulnerability to be patched and systems to be made more secure, while retaining the vulnerability allows the government to conduct intelligence, offensive national security, and law enforcement activities. While redacted documents give some information about the organization of the VEP, very little is publicly known about the decision-making process itself, with most of the detail about the criteria used coming from a blog post by Michael Daniel, the former White House Cybersecurity Coordinator. Although the decision to disclose or retain a vulnerability is often considered a binary choice—to either disclose or retain—it should actually be seen as a decision about timing: to determine when to disclose. In this paper, we present a model that shows how the criteria could be combined to determine the optimal time for the government to disclose a vulnerability, with the aim of providing insight into how a more formal, repeatable decision-making process might be achieved. We look at how the recent case of the WannaCry malware, which made use of a leaked NSA zero day exploit, EternalBlue, can be interpreted using the model.

References

  1. 1.
    Ablon, L., Bogart, T.: Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. RAND Corporation publication, Santa Monica (2017)Google Scholar
  2. 2.
    Beres, Y., Griffin, J., Shiu, S.: Security analytics: Analysis of security policies for vulnerability management. Technical report HPL-2008-121, HP Labs (2008)Google Scholar
  3. 3.
    Budington, B., Crocker, A.: NSA’s failure to report shadow broker vulnerabilities underscores need for oversight, September 2016. https://www.eff.org/deeplinks/2016/09/nsas-failure-report-shadow-broker-vulnerabilities-underscores-need-oversight
  4. 4.
    Commercial and government information technology and industrial control product or system vulnerabilities equities policy and process. https://www.eff.org/files/2015/09/04/document_71_-_vep_ocr.pdf
  5. 5.
    Daniel, M.: Heartbleed: understanding when we disclose cyber vulnerabilities, April 2014. https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
  6. 6.
    Dixon-Thayer, D.: Improving government disclosure of security vulnerabilities, September 2016. https://blog.mozilla.org/netpolicy/2016/09/19/improving-government-disclosure-of-security-vulnerabilities/
  7. 7.
    Fidler, M., Herr, T.: PATCH: debating codication of the VEP, May 2017. https://lawfareblog.com/patch-debating-codification-vep
  8. 8.
    Greenberg, A.: Shopping for zero-days: a price list for hackers’ secret software exploits, March 2012. https://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
  9. 9.
    Healey, J.: The U.S. Government and Zero-Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers. J. Int. Aff. (2016). https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process
  10. 10.
    Herr, T., Schneier, B., Morris, C., Stock, T.: Estimating vulnerability rediscovery, March 2017. https://ssrn.com/abstract=2928758
  11. 11.
    Menn, J., Walcott, J.: Exclusive: Probe of leaked U.S. NSA hacking tools examines operative’s ‘mistake’, September 2016. http://www.reuters.com/article/us-cyber-nsa-tools-idUSKCN11S2MF
  12. 12.
    Miller, C.: The legitimate vulnerability market: Inside the secretive world of 0-day exploit sales. In: Sixth Workshop on the Economics of Information Security (2007)Google Scholar
  13. 13.
  14. 14.
    National Security Policy Directive 54. https://fas.org/irp/offdocs/nspd/nspd-54.pdf
  15. 15.
    ODNI Public Affairs Office. Statement on bloomberg news story that NSA knew about the “Heartbleed bug” aw and regularly used it to gather critical intelligence, April 2014. https://icontherecord.tumblr.com/post/82416436703/statement-on-bloomberg-news-story-that-nsa-knew
  16. 16.
    Ozment, A.: The likelihood of vulnerability rediscovery and the social utility of vulnerability hunting. In: Workshop on Economics and Information Security (2005)Google Scholar
  17. 17.
    Peterson., A.: Why everyone is left less secure when the NSA doesn’t help fix security flaws, October 2013. https://www.washingtonpost.com/news/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/
  18. 18.
    Riley, M.: NSA said to have used heartbleed bug, exposing consumers, April 2014. https://www.bloomberg.com/news/articles/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers
  19. 19.
    Sanger, D.E.: Obama lets N.S.A. exploit some internet flaws, officials say, April 2014. https://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=1
  20. 20.
    Schneier, B.: Managed security monitoring: Closing the window of exposure (2000). http://www.keystoneisit.com/window.pdf
  21. 21.
    Schneier, B.: Simultaneous discovery of vulnerabilities, February 2016. https://www.schneier.com/blog/archives/2016/02/simultaneous_di.html
  22. 22.
    Schneier, B.: The Vulnerabilities market and the future of security, June 2012. https://www.schneier.com/blog/archives/2012/06/the_vulnerabili.html
  23. 23.
    Schneier, B.: WannaCry and Vulnerabilities. June 2017. https://www.schneier.com/blog/archives/2017/06/wannacry_and_vu.html
  24. 24.
    Schwartz, A., Knake, R.: Government’s Role in Vulnerability Dis- closure, June 2016. http://www.belfercenter.org/publication/governments-role-vulnerability-disclosure-creating-permanent-and-accountable
  25. 25.
    Zerodium: How to sell your 0day exploit to ZERODIUM, March 2017. https://zerodium.com/program.html

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Tristan Caulfield
    • 1
  • Christos Ioannidis
    • 2
  • David Pym
    • 1
    • 3
  1. 1.University College LondonLondonEngland
  2. 2.Aston Business SchoolBirminghamEngland
  3. 3.The Alan Turing InstituteLondonEngland

Personalised recommendations