The U.S. government informs software companies of 90 percent of the security flaws the intelligence community finds in their products, but a significant number of vendors ignore the warnings, the federal cyber czar said Wednesday.
Rob Joyce, the White House cybersecurity coordinator, said many high-tech firms act quickly to issue patches when told of vulnerabilities. But some firms balk, leaving consumers exposed.
“We’ve gone to companies and told them, ‘Here’s a flaw. It needs to be fixed in your device.’ And they’ve said, ‘That’s great but we’re telling customers they need to buy our new, shiny, next-generation thing, right?’ So they have no intention of patching,” Joyce said.
Joyce made the remarks at the Aspen Institute, a nonpartisan think tank, in a presentation in which he pulled the curtain on the once-secretive process by which the government decides when to tell tech firms of vulnerabilities discovered in their wares.
He refuted the notion that U.S. intelligence agencies, which have been hit by recent leaks of offensive cyber tools, have kept secret their knowledge of numerous flaws in software in order to deploy it for surveillance.
“There’s rumors of this vast stockpile,” Joyce said. “Reporters in the room, please help me. ‘Hoards’ and ‘stockpiles’ should not be words in your articles. It’s factually inaccurate,” Joyce said.
Joyce, who once led the National Security Agency’s elite Tailored Access Operations unit entrusted with developing and deploying cyber weapons, said the U.S. government leads the world in debating how and when to tell tech companies about flaws in their products.
We’re more than 90 percent disclosing through this process.
Rob Joyce, White House cybersecurity czar
“The vast majority are communicated. We’re more than 90 percent disclosing through this process,” Joyce said.
The framework for telling industry about holes in software has long been secret. Under pressure from the high-tech industry and privacy advocates, which feared that the government had amassed powerful exploits found in their software, the government made partial details of the process public in January 2016. Wednesday’s announcement marked the first time the revised Vulnerabilities Equities Process, contained in a 14-page document, was declassified.
A White House fact sheet said an inter-agency group would consider four areas in deciding whether to disclose: defensive purposes, law enforcement and intelligence value, possible harm to industry by retaining the flaws, and whether international partnerships would be hurt by disclosure.
Joyce said in a blog post that the small percentage of software flaws that the government keeps secret from industry would be protected “as carefully as our military services protect the traditional weapons” of war.
Industry critics have said past government policies on disclosure were doing more harm than good. The debate surged in April when a murky group known as the Shadow Brokers began releasing what it said were sophisticated hacking tools filched from the NSA.
Criminal groups used some of the coding from those hacking tools in global attacks in May and June that froze the hard drives of hundreds of thousands of computers worldwide. One wave of attacks that began in the Ukraine June 27 is estimated to have cost shipping, pharmaceutical, logistics and other companies at least $1.2 billion in lost revenue.
Signs that the government had tipped off the private sector about flaws occurred earlier in the year. Microsoft, the Redmond, Washington, software giant, issued a statement in April saying it had already patched the flaws that the stolen hacking tools utilized, indicating that it had received information in advance of the Shadow Brokers’ release.
Federal officials and executives of high-tech companies have kept largely silent about how the vulnerabilities program has been implemented.
In its release Wednesday, the Trump administration said it would offer to companies “the vast majority” of vulnerabilities identified by government researchers. But in some cases, it said, such flaws would not be revealed.
“We need these capabilities to protect our troops in combat, to produce the intelligence that guides the leadership decisions of the nation, to prosecute in criminal spaces,” Joyce said.
Officials from an inter-agency group debate when software flaws should or should not be disclosed, he said, noting that representatives from the departments of Defense, State, Homeland Security, Commerce, Energy, Treasury, and Justice as well as officials from the NSA, CIA, the FBI and the Office of Management and Budget have a voice in the debate.
Missing from the committee are employees of some agencies, such as the Food and Drug Administration, that may oversee areas affected by a crescendo of global hacking.
Joyce said some agencies lacked employees with security clearances to take part.
In some cases, the government is constrained from releasing flaws it discovers, he said. Those cases include when the flaws are shared with an ally nation and that country has active intelligence operations underway, or when a flaw has been purchased from a private contractor and carries contractual stipulations.
A number of small firms of engineers and hackers, inside and outside the United States, identify and sell exploits, sometimes known as “zero days” because they give victims zero time to throw up cyber defenses. Prices can top $1 million for a major exploit.
Joyce said that as the leader of the inter-agency review process, he must review details of any flaw that the government keeps secret, and that such reviews must recur every six months.
Tim Johnson, 202-383-6028, @timjohnson4