The latest skirmish over government software vulnerability hoarding

With help from Eric Geller and Martin Matishak

A NEW FIGHT OVER VULNERABILITY DISCLOSURE — A recently departed top NSA official on Monday reignited the simmering debate about government disclosure of software vulnerabilities it discovers. In a Lawfare piece, former NSA Deputy Director Rick Ledgett, who left his job in April, argued that more vulnerability sharing wouldn’t have done much to head off the recent global malware outbreaks that were powered, in part, by leaked vulnerabilities the NSA hoarded for its own use. The WannaCry and Petya bugs, he noted, succeeded largely because of victims’ errors. “WannaCry and Petya exploited flaws in software that had either been corrected or superseded, on networks that not been patched or updated, by actors operating illegally,” Ledgett wrote. “The idea that these problems will be solved by the U.S. government disclosing any vulnerabilities in its possession is at best naive and at worst dangerous,” given that few other nations disclose any vulnerabilities at all, according to Ledgett. In fact, he insisted, increasing vulnerability disclosure could leave the United States toothless in an increasingly dangerous digital world.
But others were quick to suggest Ledgett was knocking down a straw man by misrepresenting critics’ position as wanting “the U.S. government to release all vulnerabilities that it holds.” On Twitter, Mieke Eoyang, vice president for the national security program at the centrist think tank Third Way, answered: “It's not about disclosing everything, but a process by which they decide how/when to tell manufacturer for patching & where default is.” Marcy Wheeler, a national security and civil liberties-focused writer, offered a similar point, adding that the agency needed to do a better job of keeping the vulnerabilities it doesn’t disclose safe from other hackers. But Susan Hennessy, a former NSA official and now Lawfare’s managing editor, said that Ledgett’s point about disclosing “all” vulnerabilities was on fair ground. “I’d bet that if you mapped vulnerabilities valuable enough to want to keep and those advocates want disclosed the overlap is near total,” she tweeted.

HAPPY TUESDAY and welcome to Morning Cybersecurity! Everybody’s paying a lot of attention to the long-awaited return of “Game of Thrones,” naturally, but what are you “Rick and Morty” fans thinking of the new season? Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @timstarks, @POLITICOPro, and @MorningCybersec. Full team info below.

MATTIS HEADED WEST — During a trip to the West Coast later this week, Defense Secretary Jim Mattis will make his first official visit to the Defense Innovation Unit Experimental, the Pentagon’s Silicon Valley outpost meant to connect the military with cutting-edge technologies. Mattis’ stop at DIUx is part of a three-day swing that will also include a tour of Google's main campus in Palo Alto, Calif., and a stop at Amazon's headquarters in Seattle, Pentagon spokesman Capt. Jeff Davis told reporters on Monday. “During his visit to Silicon Valley, Secretary Mattis will meet with DIUx staff, and discuss with key leaders in the technology community how DoD can leverage new commercial technologies and methodologies, and further expand initiatives designed to accelerate fielding capabilities to the warfighter,” Davis said. The DIUx effort, aimed at connecting the Pentagon with nontraditional companies to rapidly field new technology, was launched by then-Defense Secretary Ash Carter in 2015. In April, Raj Shah, DIUx’s managing partner, said the Trump administration is committed to the innovation initiative.

BLOWING UP HOTSPOT’S SPOT — A popular free virtual private network that promises privacy to its users is instead collecting data about them to share with advertisers, according to a complaint filed with the FTC on Monday. The Center for Democracy and Technology filed the complaint against Hotspot Shield, accusing the company of unfair and deceptive trade practices. “Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this,” said Michelle De Mooy, director of CDT’s privacy and data project. “They are sharing sensitive information with third-party advertisers and exposing users’ data to leaks or outside attacks.” The FTC confirmed receiving the complaint but declined to comment. AnchorFree, makers of the VPN, did not respond to requests for comment.

WORKING ON THE WORKFORCE — Businesses and federal agencies now have a common language for discussing hiring, training and education issues related to the cybersecurity workforce, thanks to the technical standards agency NIST. The agency’s new Cybersecurity Workforce Framework, published on Monday, “serves as a fundamental reference resource to support a workforce capable of meeting an organization’s cybersecurity needs,” according to the document. “It provides organizations with a common, consistent lexicon that categorizes and describes cybersecurity work.” NIST is leading the Trump administration’s study of cyber workforce issues as part of Trump’s cyber executive order. In the framework’s introduction, NIST researchers expressed their hope that it could foster “a more consistent, comparable, and repeatable approach to select and specify cybersecurity roles for positions within organizations.” By reducing confusion about aspects of the cyber workforce, NIST hopes to help stakeholders increase the supply of cyber workers and fill critical shortages throughout the private sector, the intelligence community and under-resourced government agencies.

WE’RE GETTING THERE — The State Department expects to meet soon with Chinese officials to discuss cyber issues, Secretary of State Rex Tillerson said on Monday. President Donald Trump and Chinese President Xi Jinping established a broad U.S.-China dialogue during their April meeting at Mar-a-Lago, but two of the four diplomatic channels — including the one focused on law enforcement and cybersecurity issues — have yet to hold meetings. Speaking to reporters while traveling in the Philippines, Tillerson said officials “hope” to hold a cyber meeting “in the next several weeks.” The broader U.S.-China talks, Tillerson said, “should strive to strengthen this relationship so that it benefits both of our countries from an economic prosperity standpoint but also benefits the world in terms of maintaining a secure world absent of conflict.”

ASIAN CYBER COOPERATION — The Trump administration is deepening America’s security ties with two of its closest allies in the Pacific, seeking to counter the rising influence of China across a host of issues, including cyber. At a meeting over the weekend, State Department officials and their Australian and Japanese counterparts discussed the need for a “strategic framework for international cyber stability based on the application of existing international law,” according to a joint statement released late Sunday. They also pledged to abide by voluntary norms of responsible behavior in cyberspace, such as placing critical infrastructure off-limits to state-sponsored hackers. The three governments voiced support for the creation of a Southeast Asian version of the United Nations cybersecurity working group that releases periodic reports on the intersection of international law and cyber issues.

Japan and the United States will continue discussing security issues next week, when Tillerson and Mattis host their Japanese counterparts. “The meeting will focus on how the United States and Japan can coordinate their response to the evolving regional security environment, and strengthen their bilateral security and defense cooperation,” the State Department said in announcing the meeting, which will be held on Aug. 17 in Washington.

INTERPOL’S NEW FRIEND — Interpol is formally teaming up with Palo Alto Networks, the organizations announced Monday. The agreement cements a relationship that played out in April when the international police co-op joined forces with several private-sector companies to reveal that 9,000 servers in Southeast Asia were infected with malware. “Tackling cybercrime is not something which law enforcement can do in isolation,” said Noboru Nakatani, executive director of the Interpol Global Complex for Innovation. “Cooperation with the private sector is essential if we are to effectively combat this global phenomenon.” The team-up sets parameters for information sharing between Palo Alto Networks and Interpol, and includes Palo Alto Networks assigning a member of its threat intelligence team to collaborate with the Interpol center.

U.K. EYES DATA PROTECTION REVAMP — The United Kingdom has committed to updating its data protection laws ahead of its departure from the European Union. The bill would bring U.K. law in line with the EU’s General Data Protection Regulation, a set of strict cybersecurity requirements for companies handling personal data that go into effect in 2018. Matt Hancock, the U.K.’s digital minister who's promoting the bill, believes London would do well to emulate the rest of Europe. “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world,” Hancock said in a statement. “It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.” The measure would, among other things, expand the definition of personal data to include internet protocol addresses and cookies, allow people to ask for their data to be deleted and make it easier for people to withdraw consent for their personal data to be used.

DHS CIO OFFICIALLY OUT — The Homeland Security Department’s chief information officer is resigning effective Sept. 1, according to a department spokeswoman. The White House announced in late April that Richard Staropoli would become DHS’s CIO. He handed in his resignation last week. In the interim, current Deputy CIO Stephen Rice will serve as acting CIO. Sources have offered varying explanations for Staropoli’s departure after just three months on the job.

TWEET OF THE DAY — We’re basically one hack away from Armageddon.

QUICK BYTES

— Insight on the State Department’s Cyber and Technology Security directorate from Federal News Radio.

— How Russia’s spy game is doing compared to the United States after a series of events dating to last year’s campaign hacks, via The New Yorker.

— Cyber threats are pushing ships toward old-school navigation techniques. Reuters.

— Gizmodo goes behind a 2014 claim that the FCC was hacked.

— There are a lot, lot, lot more cyber pros in D.C. than anywhere else in the United States. CSO.

— Throw out the old notions about writing secure passwords, says a man who helped cement those notions. The Wall Street Journal.

That’s all for today. Your MC host votes “yea” on “Pickle Rick.”

Stay in touch with the whole team: Cory Bennett ([email protected], @Cory_Bennett); Bryan Bender ([email protected], @BryanDBender); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).