According to a Reuters article today, the Trump Administration is going to publish guidance on what to disclose about security flaws discovered by intelligence agencies. I have sympathy for the cause, but the discussion is about the wrong thing.
The issue for many years has been that flaws are found by the offense side of cyber and those flaws are used to get into systems outside the US. When I started, we didn’t admit that we had an offense, but since Snowden it is a little harder to avoid. The defense in cyber finds the same flaw and sets out to get the vendor to correct it to make for better security. We used to call the difference between the two sides equities. Is it more important to be able to get into a foreign system or fix a flaw that occurred but was not detected by the public or the vendor? I know that sounds like a rational question, but it is the wrong question.
The real question should be, “Should we allow the offensive side of cyber to work with the defensive side of cyber to improve defenses?” That answer is no, even though every rational person in cyber security thinks it is a great idea. It is counter-intuitive to say no to the question.
First, both sides look for flaws in systems. One side wants to exploit them; the other side wants to fix them. Cooperation seems to be of mutual benefit. Only in this one case, it isn’t. What the offense gives up in this is its ability to exploit systems through defects that already exist and have not been detected by the defensive sides of the world. Sharing those with the defense side reduces their effectiveness and ability to collect. It is not in their collective interest to do it. Those kinds of flaws should be state secrets and not published anywhere. The tools that are used to exploit them should be state secrets and protected accordingly. Never publicly talk about what they do or how they do it.
Second, the defense cannot be entirely open about what they have discovered either. Vendors have to develop patches before they want to advertise that the flaw has been discovered. It would be easier to handle this if vendors had liability for what they produce, but they don’t, so it takes a long time to correct those flaws. During that time, criminals, other state hackers (who probably already know) and other security firms are discovering that these flaws exist. That creates pressure on the vendor to get a change out that actually fixes the flaw. That is the real difference between the two sides - in equities, the question is how long we can allow that exploit to exist before it starts to hurt us, because we have told nobody except the vendors that it exists. Note that this is a question for the defense and not the offense. The offense will continue to use an exploit until it is patched.
The defensive side of cyber never needs to know what the offense is doing. Sometimes the offense will complain that something or another has been disrupted by something the defense has done, but that goes with the job. They don’t run over to the other side and tell them what they have done to disrupt them. They find something else that works.
The offensive side has a vested interest in keeping the status quo in cyber security, so the less they say about what they do and how, the better. The defense thinks it can get better by finding and fixing those flaws. The simple rule is not to allow the two sides to cooperate, even where it seems like both might benefit. Only the defense benefits, and we take away important intelligence assets by thinking any other way.
So while we might think guidance on how to treat flaws exposed by the intelligence community is a good idea, unless it says “keep quiet about them” it isn’t helping.