The four problems with the US government's latest rulebook on security bug disclosures
But it's still better than nothing
3. The NSA gets special treatment
In case you imagined for a second that the NSA doesn't maintain its special status in the "Vulnerabilities Equities Process", the policy makes it clear that things haven't changed in that respect.
Not only will the NSA serve as the executive secretariat of the VEP and so coordinate everything, but it also gets control of anything that impacts its own equipment.
"If a vulnerability is found in GOTS [Government off-the-shelf] equipment or systems that were certified by NSA, or in any cryptographic function, whether in hardware or software, certified or approved by NSA, then the vulnerability will be reported to NSA as soon as practical," the policy notes. "NSA will assume responsibility for this vulnerability and submit it formally through the VEP Executive Secretariat."
Not that the NSA is in complete control of the process. Its staff will run the secretariat but under the direction and control of the US Secretary of Defense. The secretary can, in theory, replace NSA staff and "designate another agency to perform this function with the permission of the head of that agency."
It's a nuclear option written into the policy in case the NSA plays its own games within the US government, but make no mistake: the NSA is still effectively running things.
4. Multitude of other options
Even though disclosure is put forward as a default, the policy provides lots of other options instead of public disclosure.
"The US government's determination as to whether to disseminate or restrict a vulnerability is only one element of the vulnerability equities evaluation process and is not always a binary determination," the policy notes.
"Other options that can be considered include disseminating mitigation information to certain entities without disclosing the particular vulnerability, limiting use of the vulnerability by the USG in some way, informing US and allied government entities of the vulnerability at a classified level, and using indirect means to inform the vendor of the vulnerability."
It goes on: "All of these determinations must be informed by the understanding of risks of dissemination, the potential benefits of government use of the vulnerabilities, and the risks and benefits of all options in between."
That is a hell of a lot of wiggle room for NSA operatives to work with.
As ever, a policy is only as good as its practical implementation. And in this case, with the NSA still in overall charge, it is going to require a cultural sea change for anything to really shift in terms of the US government not stockpiling security holes.
Whether there has been that cultural change, we will have to wait and see. The Shadow Brokers, who somehow obtained the NSA's tools and then publicly released them, have certainly given the agency food for thought. However, cultures have an eerie tendency to persist long after they should have shifted. ®