Government Handling of Zero-Days: More Sunlight, Fewer Shadows
This post was originally authored by Josh Kenway.
To say the least, 2020 was a turbulent year. While certain governments responded to the spread of COVID-19 more effectively than others, the pandemic’s disruptive impact on human society is sure to linger well into this new decade. The paramount importance of cybersecurity in the post-pandemic world is evident, and it is time for governments to lead by example on protecting our digital ecosystem. Although there are many pressing cybersecurity policy issues at hand, among the most important of these is ensuring greater accountability and transparency in how governments decide what to do with high-value cybersecurity vulnerabilities. For such an outcome to be realized, widespread adoption of policy frameworks rooted in a holistic view of countries’ national interests is needed, and it was needed yesterday.
COVID-19: A Tipping Point for Cybersecurity
Policymakers, cybersecurity providers, and non-profit organizations have been working hard to help the private sector, educational institutions, and governments alike to secure their digital infrastructure from a tide of cybercrime and nation-state hacking that was on the rise even before a significant proportion of the global population started working remotely. However, this undertaking has been of even greater importance as COVID-related and COVID-adjacent malicious cyber activity has come to the fore.
Recent reporting on Russian and Chinese efforts to exfiltrate proprietary vaccine research, as well as the ongoing fallout from the SolarWinds supply chain compromise, indicates the pointy end of this particular spear; however, no nation, institution, or individual is immune from the diverse digital risks that have become increasingly apparent over recent years. Moreover, with the ongoing proliferation of IoT devices and ever-greater data flows enabled by 5G network technologies, the global cyber attack surface is only going to grow larger over the coming years.
Thus, the question of how governments — the world’s most uniquely capable and well-resourced cyber actors — acquire, develop, and use hacking tools has never been more pressing.
Government Use (and Misuse) of Cybersecurity Vulnerabilities
At the heart of many of the hacking tools used by malicious actors and governments alike are cybersecurity vulnerabilities. These “bugs” in software or hardware can be exploited to enable illicit access to sensitive data or to grant unauthorized control over affected systems. Of these vulnerabilities, it is those that are truly novel, so-called “zero days,” that are the hardest to protect a computer system against.
These particular vulnerabilities are a highly sought-after commodity and take real skill to operationalize. As such, zero-day-based cyberattacks are relatively rare, at least compared to run-of-the-mill cybercrime leveraging widely known vulnerabilities. However, in the hands of governments, zero-days grant an extraordinary power to surveil adversaries, investigate serious wrongdoing, and even cause damage that extends beyond cyberspace and into the physical world. Government use of these vulnerabilities represents a “long tail” cybersecurity risk that must be appropriately constrained moving forward if we are to avoid a true cyber calamity.
Governments have a duty to handle high-value vulnerabilities with extraordinary care. However, doing so requires carefully structured, transparent, and holistic decision-making frameworks tailored to their respective institutional contexts.
While in the US this policy structure is known as the “Vulnerabilities Equities Process” and in the UK simply as the “Equities Process,” we opt for the umbrella term Government Vulnerability Disclosure (GVD) policy. It is worth noting that GVD policies serve a very different role than the Coordinated Vulnerability Disclosure (CVD) processes or Vulnerability Disclosure Policies (VDPs) maintained by government entities for intaking and responding to reports of vulnerabilities in those organizations’ own networks or systems. CVD processes and VDPs serve an exclusively defensive function, whereas GVD policies attempt to ensure that an appropriate balance is struck between the defensive cyber risk of retaining a vulnerability and the offensive, intelligence, or investigative opportunity that its potential use presents.
Outside of the US and UK contexts, little progress has been made to date in establishing GVD policies. While some other governments, including the Dutch, have stated broad principles that inform their high-level decision-making on the handling of vulnerabilities, such statements do not go far enough. Formalized and publicized mechanisms are needed to ensure that legislators and citizens can hold their governments to account for their handling (or mishandling) of cybersecurity vulnerabilities. Such processes must encompass a broad conception of the national interest — and have adequate oversight and accountability built in from the get-go. Moreover, even where such decision-making frameworks already exist, improvements can still be made to the status quo.
A New Paradigm
Given the relentless pace of digitalization and interdependence of networked systems for critical national functions, the present situation is not sustainable and should be rectified. Today, the Cyber Threat Alliance and Center for Cybersecurity Policy and Law published a framework of best practices for implementing and strengthening GVD policies. We believe that this document can serve as a useful template for countries to meaningfully advance transparency, equity, and accountability in their governments’ handling of high-value cybersecurity vulnerabilities.
Over the coming weeks and months, we intend to continue our research and advocacy efforts to draw attention to and build upon this initial release.
Lastly, we would like to take this opportunity to thank all those who contributed guidance and feedback through the course of this project.
“More Sunlight, Fewer Shadows: Guidelines for Establishing & Strengthening Government Vulnerability Disclosure Policies” is available here.