White House Says It Can Withhold Vulnerabilities If It Will Help Them Catch 'Intellectual Property Thieves'

from the say-what-now? dept

Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

We've been among those critical of the White House for the administration's dangerous policy of not revealing security vulnerabilities it discovers, as it seeks to exploit them. In trying to respond to some of the criticism about this policy, the White House has put out a blog post by White House Cybersecurity Coordinator Michael Daniel, in which he explains how the intelligence community determines whether to disclose a vulnerability... or hoard it for its own use. He lists out three potential reasons for not disclosing, quoted at the top of this post.

As Marcy Wheeler points out, withholding the release of such vulnerabilities for terrorism purposes is not new or surprising. Ditto for so-called cybersecurity (protecting against "hackers or other adversaries" looking to "exploit our networks"). What's a bit of a surprise is the new inclusion of "intellectual property theft." However, the NSA, DHS and various supporters have long used claims of China "stealing intellectual property" as an excuse to try to ratchet up surveillance powers. Rep. Mike Rogers, author of CISPA, used the "scary Chinese stealing our IP!" FUD card to push CISPA a few years ago. And former cybersecurity czar Richard Clarke has argued that China stealing intellectual property is a good reason for DHS to be able to spy on all internet traffic.

So, the fact that this argument is used as a sort of "cybersecurity" claim perhaps isn't that surprising. However, it still seems like a massive logical leap to go from "well we need to protect corporate intellectual property from the Chinese" to arguing that's a good reason for withholding the disclosure of key technical vulnerabilities that might put everyone at risk. Does anyone honestly believe that the US government should withhold details of a major technical vulnerability... just so it can catch some IP infringers?

And of course, by broadly allowing the NSA and others to fail to patch vulnerabilities, because they want to "prevent intellectual property theft," it's just opening up the whole system to be abused even more widely than before. Sure, they may mean "stopping Chinese hackers from swiping plans for a new fighter jet," but vaguely denoting that it can withhold info on zero day vulnerabilities because of "pirates" seems wide open to abuse -- especially given the way many in law enforcement and the administration seem to want to equate everyday file sharers with "internet terrorists" or whatever.

Filed Under: cybersecurity, disclosure, intellectual property, michael daniel, nsa, surveillance, vulnerabilities, white house