Mozilla wants the Obama administration to take more responsibility for discovering and disclosing flaws in internet-connected products that leave users vulnerable to hacking.
“Governments, companies, and users all need to work together to protect internet security,” wrote Heather West, public policy representative for Mozilla, in a blog post on Tuesday.
Mozilla wrote in support of two members of the Senate Intelligence Committee, Angus King Jr., I-Maine, and Martin Heinrich, D-N.M., who requested on Monday that President Barack Obama formalize a policy called the Vulnerabilities Equities Process. The policy brings together government agencies to discuss whether or not to disclose weaknesses in web browsers, software, phones, and other digital technologies to companies — or maintain that knowledge for intelligence purposes.
The two senators also suggested that the White House create a government-wide “bug bounty” program so that hackers could disclose online flaws they find for a reward. The Pentagon has recently established a similar program.
The White House is in a unique position when it comes to cybersecurity. Companies, privacy advocates, and cybersecurity hawks demand that the government defend the security of the internet by tracking down vulnerabilities in code and disclosing them, to make sure vendors can patch holes and sell the most secure product to the American people.
However, those same holes give the national security community an opportunity to infiltrate devices, and some security researchers and former government intelligence employees have argued that it is rare for two actors, whether nation states or criminals, to independently discover the same bug. Such an overlap is colloquially called a “bug collision.”
In other words, if no one else is going to find the bug, there is little benefit in giving up the intelligence capability it provides. Yet there is little nonproprietary or unclassified data to support that assertion.
Additionally, security researchers often complain vendors are slow to fix bugs they report.
Mozilla pointed to the recent massive denial-of-service attack that prevented people from connecting to websites like Twitter and Netflix, perpetrated by a zombie horde of infected webcams and other devices with poor security. Events like this, West wrote in her blog post, should inspire action toward improving cybersecurity.
Mozilla also proposed five specific reforms to the opaque Vulnerabilities Equities Process — whose participating member agencies and finer details are still unknown. The company had asked the FBI in May to disclose what it thought was likely a bug in Mozilla’s browser, which allowed the agency to hack into over 1,000 computers to locate child porn viewers and peddlers — a request the FBI denied.
Every vulnerability the U.S. government comes across should be entered into the process, West wrote — and the policy should be codified into law, and overseen by an independent watchdog. That suggestion is largely in line with arguments made by Rob Knake and Ari Schwartz, former directors of cybersecurity policy in the White House.
The Department of Homeland Security should be in charge of that process, West wrote.
Mozilla also called for “criteria” by which “all relevant risks are considered” before choosing whether to disclose; such standards are not currently clear. The White House appears not to put vulnerabilities or exploits it purchases from third-party companies through the process, as when the FBI bought an exploit to hack into an iPhone belonging to San Bernardino shooter Syed Rizwan Farook, but its public statements do not make that distinction clear.
“These changes to the discovery, review, and sharing of security vulnerabilities would be a great start to strengthening the shared responsibility of cybersecurity and reducing the countless cyber attacks we see today,” West concluded.
However, former intelligence workers like Dave Aitel, who worked at NSA, and Matt Tait, formerly of the British equivalent, Government Communications Headquarters (GCHQ), have vehemently argued against the idea of full review and disclosure. For the intelligence community, allowing this sort of review “injects uncertainty by requiring inexpert intergovernmental oversight of the actions of your offensive teams, effectively subjects certain classes of bugs to time limits and eventual public exposure — all without any strategic or tactical thought governing the overall process,” they wrote in a post on the Lawfare blog.
They argue the decision to disclose a vulnerability should require answering two questions: whether the bug will be used by the intelligence community, and whether it is too dangerous to users to keep secret.
However, former White House cybersecurity chiefs Knake and Schwartz have argued that the intelligence community has a conflict of interest in the cybersecurity decision-making process and may be unable to be “neutral.”