In the wake of the release of thousands of documents describing CIA hacking tools and techniques earlier this month, there has been a renewed discussion in the security and government communities about whether government agencies should disclose any vulnerabilities they discover. While raw numbers on vulnerability discovery are hard to come by, the NSA, which conducts much of the country’s offensive security operations, discloses more than nine of every 10 flaws it finds, the agency’s deputy director said.
NSA has both defensive and offensive roles in cybersecurity and does its own vulnerability research and exploit development. Some of the flaws NSA finds are kept private and used for intelligence-gathering purposes in targeted exploitation operations. But many others are disclosed to the affected vendors as soon as possible, said Richard Ledgett, deputy director of NSA.
“Our historic numbers are around 90 percent, or a little better than 90 percent toward disclosure,” Ledgett said during a roundtable discussion on cybersecurity issues Tuesday hosted by the Aspen Institute.
For several years, the United States government has maintained a policy called the Vulnerability Equities Process that lays out the factors agencies must consider when deciding how to handle a newly discovered vulnerability. The CIA-related documents known as Vault 7 include information that indicates the agency held onto a number of serious vulnerabilities in recent years, something that drew criticism.
“The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we’re all made less safe by the CIA’s decision to keep — rather than ensure the patching of — vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans,” Cindy Cohn, executive director of the EFF, said in a post at the time of the document dump.
Among the vulnerabilities uncovered in the Vault 7 documents is a critical flaw in hundreds of Cisco switches that the company said it is working to patch. The bug can be exploited with a simple Telnet command, which would allow a remote attacker to take complete control of an affected switch. Cisco engineers discovered information on the vulnerability in the documents and the company released an advisory on it last week.
The company recommends that customers disable Telnet on affected switches and use SSH instead.