Make America Secure Again: Trump Should Order U.S. Spy Agencies to Responsibly Disclose Cyber Vulnerabilities

March 13, 2017


Last week, WikiLeaks released a trove of CIA documents that detail many of the spy agency’s hacking capabilities. These documents, if genuine (and early reports suggest that they are), validate concerns that U.S. spy agencies are stockpiling cybersecurity vulnerabilities. The intelligence community uses undisclosed vulnerabilities to develop tools that can penetrate the computer systems and networks of its foreign targets. Unfortunately, since everyone uses the same technology in today’s global economy, each of these vulnerabilities also represents a threat to American businesses and individuals. In the future, rather than hoard this information, the CIA and other intelligence agencies should commit to responsibly disclosing the vulnerabilities they discover to the private sector so that security holes can be patched.

One of the most serious cybersecurity threats comes from zero-day attacks—attacks designed to exploit vulnerabilities that a developer either does not know about or has not had time to fix. Because this threat is so great, the information security community has developed policies on how to responsibly disclose vulnerabilities. These policies generally require immediately and confidentially notifying developers of discovered weaknesses and then allowing them time to create a security patch. However, these policies typically also entail public notification within a short period of time, such as 45 days, both to motivate developers to respond quickly and to honor users’ right to know about weaknesses in the software and hardware they use.

While most professional security researchers, such as those in the private sector and academia, adhere to responsible disclosure policies, U.S. spy agencies do not. The NSA, for example, admits that it does not disclose approximately 9 percent of the vulnerabilities it comes across. Moreover, even among those vulnerabilities the NSA does disclose, it does not necessarily disclose them rapidly. By not disclosing vulnerabilities immediately, intelligence agencies allow dangerous flaws in everyday services and devices to persist—weaknesses that malicious hackers and foreign governments can exploit.

Ironically, WikiLeaks, which has a history of releasing sensitive information publicly without regard to its consequences, is doing exactly what the intelligence community should have done to begin with: responsible disclosure. WikiLeaks announced that it would give tech companies affected by vulnerabilities in the leaked CIA documents the ability to preview the information so they could fix their security problems prior to public release. While it remains to be seen whether WikiLeaks follows through on this promise or delivers anything of value, this is the proper method for releasing this information.

The U.S. government’s policy for disclosing vulnerabilities is misguided. The intelligence community operates under the assumption that national security is best served by maintaining a relative advantage over its adversaries, rather than absolute security for everyone. This is the reason that it hoards vulnerabilities, even though doing so puts Americans at risk and is fundamentally at odds with the U.S. government’s ostensible goal of improving cybersecurity. For example, the NSA reportedly allowed a major security flaw, known as Heartbleed, to exist for years to gather intelligence on the Internet. By the time that a Google engineer discovered Heartbleed in 2014, it affected two-thirds of the world’s websites.

In the digital era, national security cannot be achieved at the expense of cybersecurity. A better approach would be for the Trump administration to commit to responsible disclosure for every vulnerability that it finds, 100 percent of the time. Moreover, it should rethink where it focuses its resources. Imagine if the U.S. government were to invest as much in securing U.S.-made products and services as it spends now on breaking into them. By working in partnership with the private sector, the U.S. government could greatly improve security for everyday Americans and make U.S. companies more competitive.