The Vulnerability Disclosure Debate
Here we go again, but this time it will be different
For many of us in the information security industry, the vulnerability disclosure debate is old and tired. I’ve been dealing with this myself going on twenty years now. The underlying debate hasn’t changed much, but there have been a few new wrinkles and nuances added over the years. At its core, the debate is about how someone who finds a security vulnerability and the vendor of the product in which it was found should behave.
One of the big differences with this age-old debate today is that there are now new players in the game, players who were not around twenty, ten, or even five years ago; people who don't remember the days of full or no disclosure, the RFPolicy or the introduction of responsible disclosure that has morphed into coordinated disclosure. Companies such as auto manufacturers, airlines, energy companies and medical device manufacturers are just now starting to learn some of the painful lessons the rest of us learned the hard way. So we can either grit our teeth and flail about as these new entrants to the debate learn these old lessons, or we can attempt to gently guide them along the path that the rest of us have been trotting along for years and come to some sort of common level of understanding.
In fact, how to handle information security vulnerability information was one of the topics discussed at The White House Summit of Cyber Security and Consumer Protection back in February. This age-old debate has become so important that even the President of the United States is discussing it.
Enter the National Telecommunications and Information Administration
The National Telecommunications and Information Administration (NTIA) under the Department of Commerce is attempting to advance the debate one more step. The NTIA has begun holding multi-stakeholder meetings in an attempt to come to some sort of consensus as to what the preferred course of action should be when a vulnerability is found. The first such meeting was recently held at the Berkeley School of Law in California. The NTIA has stressed that it is present only as a facilitator, has no desire to direct or influence the conversation, and leaves it to the participants to decide what the output of the group will be.
Is the problem disclosure or bad code?
The problem of what to do with security vulnerability information is not going to go away; in fact it is going to get worse—a lot worse. Actually, disclosure itself is not the problem. Disclosure is a symptom, a symptom of bad code. If you write code you are going to make mistakes. In fact, it is estimated that there are at least ten defects in every one thousand lines of code. The amount of code that companies are pushing into their products is growing at an ever-increasing rate. Take cars for example: most modern vehicles rolling off the assembly line today contain over one million lines of software code. Based on industry averages, that means there are about ten thousand defects in every car. Not all of those defects are security problems, but some of them will be. As we continue to push software into vehicles, medical devices, refrigerators, light bulbs, etc., this problem will get worse and worse. We need to work out the acceptable actions now, actions that we can all agree on, about what we will do with vulnerabilities when they get found.
What should we do?
Of course, one option is to do nothing and maintain the status quo, meaning that researchers and vendors will continue to butt heads. Researchers will threaten full disclosure, vendors will run to their lawyers, and the public will be caught in the middle. However, if we (the vendors and researchers) fail to take action and don’t come to some sort of agreement, we will likely find action being taken for us in the form of government regulation. We have a collective interest and a shared fate in the outcome of this issue; we should work on a solution together or we risk having a solution forced on us.
Let’s face it, there is a power inequity in the vulnerability equation. Vendors usually have money and lawyers, and it is easy for them to run to the courts to immediately stop threats to their bottom line. The researcher seldom has the resources available to match those of the vendor and is left at a disadvantage. And the public, who stands to gain the most from the information that the researcher has found, is diffuse and does not understand the complexities of the equation.
There has already been some criticism of the multi-stakeholder meetings held by the NTIA from people who rightly point out that the Department of Commerce has no way to enforce any outcome from these meetings. It has no enforcement arm and cannot pass laws or levy fines. The process is also long and time-consuming, with monthly meetings most likely being held over the next several years before any output can be released.
The NTIA contribution
What the NTIA can do—what they have already proven they can do—is get a disparate group of people in the same room to start the discussion and drive change. At the first meeting in Berkeley, the attendees proved to be varied and diverse, with viewpoints presented not only from security researchers but also large software vendors, vehicle manufacturers and medical device companies. That is the power that the NTIA can bring; by getting all of these people in the same room to discuss this important topic, maybe—just maybe—we can come to some sort of conclusion on this ancient debate.
Granted, the NTIA doesn’t have any enforcement authority, but that doesn’t mean we should just give up and walk away. It does not mean that we should shrug our shoulders and say that nothing will change. It does not mean that all the debate and discussion is just there so that people in the information security industry can listen to themselves talk. The more we sit down in the same room and discuss the problem, the more likely we will find a solution.
The status quo will not change without a revolution.