Rep. Jim Langevin, D-R.I., co-chair of the Congressional Cybersecurity Caucus, applauded the Federal government’s handling earlier this week of the intelligence community’s public disclosure of serious vulnerabilities it found in Microsoft’s Windows 10 and Windows Server 2016 products, for which the company released patches.
The decision by the National Security Agency to publicly disclose the flaws – rather than keep them secret and thus operative for intelligence purposes – is at the heart of the “vulnerabilities equities process” used by the government to make case-by-case decisions on how to treat zero-day computer vulnerabilities. In the balance in that process is public disclosure in order to help improve computer security versus keeping vulnerabilities secret and thus available for offensive purposes.
The Microsoft vulnerabilities disclosure was relayed by the Cybersecurity and Infrastructure Security Agency (CISA), which implored Microsoft users through an emergency directive to patch the vulnerabilities.
“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary – indeed, this is only the second time CISA has ever issued an emergency directive,” the agency said on Jan. 14. “But left unpatched, these vulnerabilities hit at the core of digital trust, and pose an unacceptable risk to the Federal enterprise that requires an immediate and emergency action. We have directed agencies to implement the patch across their infrastructure within 10 days, and given instructions for which of their many systems to prioritize,” CISA said.
Rep. Langevin said in a Jan. 15 statement that disclosure of the Microsoft vulnerability “shows that the vulnerabilities equities process is working.”
“When government researchers discover a vulnerability in a widely used commercial product, the bias must be towards disclosure,” the congressman said. “This is a feather in the cap of the NSA’s new Cybersecurity Directorate, which is committed to helping partners, whether government customers or private sector critical infrastructure owners and operators, defend against malicious activity.”
“I strongly support the United States government’s continued leadership on coordinated vulnerability disclosure, leadership enhanced by the recent binding operational directive directing government agencies to have their own vulnerability disclosure policies,” Rep. Langevin said.