Former deputy director of the National Security Agency Chris Inglis

After the humiliation of the United States’ National Security Agency having its trove of hacking tools stolen and used to create ransomware attacks, the US government has decided to clarify its rules around using software vulnerabilities.

The NSA came in for harsh criticism, including a public rebuke by Microsoft, after a collection of its hacking tools, based on unrepaired flaws in common commercially available software, was released in circumstances the agency still doesn’t understand. The tools were used to create at least two ransomware viruses, based on a now-repaired flaw in a Microsoft operating system, that swept the world earlier this year.

The debacle came at the same time as politicians in the US, the UK and Australia were demanding the creation of government-controlled backdoors into encrypted communication systems, thereby underlining how dangerous such tools could be when stolen. Politicians such as Malcolm Turnbull and George Brandis have since retreated to insisting they want some other, unexplained, form of access that is “not a backdoor”.

In August Chris Inglis, a former deputy director of the National Security Agency, told Crikey the NSA only reports 90% of the software flaws it learns about to manufacturers such as Microsoft, Cisco and Apple, and keeps the other 10% — assumed to be the most significant and dangerous flaws — secret to develop hacking tools using them. 

Overnight, the White House released a document called Vulnerabilities Equities Policy and Process for the United States Government, which formalises a process that was developed in 2016 by the Obama administration for handling flaws discovered by agencies. The process involves an equities review board (ERB), composed of major US departments, the Pentagon and the CIA, with the NSA acting as secretariat, which will meet at least monthly and issue an annual, publicly available summary to Congress. Agencies will report newly discovered software vulnerabilities to the ERB, which will then consider whether to inform the relevant manufacturer, including by voting if there is disagreement between agencies. Manufacturers will be advised within seven days if it is decided to disclose the flaw.

The key part of the document is a long list of issues that will be considered by the ERB in determining whether to disclose a vulnerability, split into defensive considerations, such as how likely it is that enemy agencies will exploit the vulnerability and what impact that would have, and offensive considerations such as, “Does exploitation of this vulnerability provide specialized operational value against cyber threat actors or their operations? Against high-priority National Intelligence Priorities Framework (NIPF) or military targets? For protection of warfighters or civilians?”

One exemption that has attracted bemusement is that “the USG’s decision to disclose or restrict vulnerability information could be subject to restrictions by foreign or private sector partners of the USG, such as Non-Disclosure Agreements (NDAs), Memoranda of Understanding, or other agreements that constrain USG options for disclosing vulnerability information”. That is, if the NSA buys information on a hitherto-unknown vulnerability from a private source such as a hacker, that hacker could require an NDA that would prohibit the NSA from telling the manufacturer.

All this may sound abstruse but, as the ransomware attacks earlier this year show, there’s a direct link between the tendency of spies to hoard vulnerabilities and the attacks on businesses and ordinary users by malign online actors. And, however flawed the US system may be (and however surprising from the Trump administration), the policy demonstrates at least some willingness for greater transparency in the US, post-Snowden, about its mass surveillance apparatus.

In contrast, despite Australia being one of the US’ Five Eyes partners, there is nothing even comparable here. The Australian Signals Directorate, the effectiveness of which is in serious doubt after recent revelations, operates under a bipartisan blanket of secrecy and non-accountability. Meantime, the government continues to lecture business about the importance of cybersecurity, unwilling to admit that its own security agencies may be a massive part of the problem.