List: isn
Subject: [ISN] Obama Policy on Zero Days Craps Out
From: InfoSec News <alerts () infosecnews ! org>
Date: 2014-04-30 8:40:56
Message-ID: alpine.DEB.2.02.1404300840330.24415 () infosecnews ! org
http://www.forbes.com/sites/jennifergranick/2014/04/29/obama-policy-on-zero-days-crap/
By Jennifer Granick
Forbes.com
4/29/2014
Yesterday afternoon, the White House put out a statement describing its
vulnerability disclosure policies: the contentious issue of whether and
when government agencies should disclose their knowledge of computer
vulnerabilities. The statement falls far short of a commitment to network
security for all and fails to provide the reassurance the global public
needs in the midst of the NSA's security scandal. It basically says the
White House plays a well-intentioned guessing game with our online safety.
The National Security Agency (NSA) is a single agency with a dual
mission—protecting the security of U.S. communications while also
eavesdropping on our enemies. In furtherance of its surveillance goals, we
recently learned about some of NSA's top secret efforts to hack the
Internet. For example, the NSA runs a network of Internet routers on which
it surveils all traffic passing through. It hijacks (or did until recently)
Facebook sessions to install malware. It has its own botnets, or networks
of compromised computers, that it controls, and it has taken over botnets
created by other criminals. It uses these capabilities to steal
information, to deny access to websites and other internet services, and
to modify digital information, whether in transit or stored on servers.
Given these revelations, the public might reasonably believe the NSA's
deck is stacked against securing people from the very same online
vulnerabilities the agency could exploit. For example, some skeptics (not
I, however) disbelieve government disavowals of advance knowledge of
Heartbleed, one of the worst security holes ever found. To assuage this
concern, on April 12th, President Obama announced the government will
reveal major flaws in software to assure that they will be fixed, rather
than keep quiet so that the vulnerabilities can be used in espionage or
cyberattacks, with one huge exception—if there's "a clear national
security or law enforcement need".
Yesterday's statement by Michael Daniel, Special Assistant to the
President and Cybersecurity Coordinator, tries to reassure the public that
this Administration knows how to make that judgment call. There are
"established principles" and an "established process" for making what are
essentially guesses—bets—on network insecurities, based on a series of
facially sensible, but practically almost unanswerable, questions.
Officials have to assess the risk from vulnerabilities. They have to guess
how hard it is for other people to find the same flaw. They have to gamble
on whether officials will figure out when the bad guys gain the same
attack capabilities. They have to hypothesize whether, when they do, the
attackers will use their knowledge to devastating effect.
[...]
--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/