Sunday, November 19, 2017

Government Outlines When It Will Disclose Or Exploit Software Vulnerabilities

Government agencies that deal with cybersecurity, like the National Security Agency, have two competing interests. On the one hand, they want to protect America's online infrastructure and economy from cyberattacks. On the other hand, government agencies want to harness tools to attack opponents in cyberspace.

These goals come into conflict when government agencies discover or buy flaws in software, called "zero day" exploits, that the software's makers don't know about. The government can inform the company so the flaw can be patched — or it can save the secret weakness in order to use it to launch attacks against enemies.

There's a catch to hoarding the software flaws though: That same exploit could end up being used against Americans if hackers discover the flaw on their own.

It's with this conflict in mind that the White House rolled out new guidelines on Wednesday for the process it will use to decide when to inform tech companies about vulnerabilities discovered in their software, and when agencies will decide to keep something classified.

There's a "tension between the government's need to sustain the means to pursue rogue actors in cyberspace through the use of cyber exploits, and its obligation to share its knowledge of flaws in software and hardware with responsible parties who can ensure digital infrastructure is upgraded and made stronger in the face of growing cyber threats," White House Cybersecurity Coordinator Rob Joyce wrote in announcing the guidelines.

The Vulnerabilities Equities Process Charter lays out what to do once a vulnerability is both "newly discovered and not publicly known" (emphasis theirs). - Read More
