Tech giants including Microsoft, Facebook, Oracle, Cisco, Dell, and VMware are calling on the United States and other governments to invest in defensive, rather than offensive, cyber technologies.
The Cybersecurity Tech Accord, which represents a public commitment among more than 40 global companies to protect and empower civilians online and to improve the security, stability, and resilience of cyberspace, wrote on its website yesterday that “governments should optimize investing in defensive rather than offensive technologies and develop policies that clearly define how they acquire, retain, and use vulnerability information.”
The signatories stressed that cybersecurity is the new battlefield, but that it is unlike any battlefield from the past and must be treated differently.
“To create a cyberweapon, governments and sophisticated threat attackers exploit unintentional weaknesses or ‘vulnerabilities’ found in mass-market hardware and software products or services and apply techniques developed to exploit those weaknesses,” the signatories wrote. “The damaging effects of the resulting cyberweapons–especially when mishandled–can extend far beyond an intended target, potentially impacting millions of innocent users around the world.”
While many countries are beginning to acquire and develop offensive cyber weapons, the Cybersecurity Tech Accord cautions that this approach may bring more harm than benefit, and warns against stockpiling known vulnerabilities.
“While there may be national security benefits from acquiring and retaining such vulnerabilities, these benefits must be weighed against the risks that those same vulnerabilities may be used against a government’s own computing infrastructure, all its citizens, and, potentially, interdependent organizations around the world,” the letter said.
The U.S. government earned praise in the letter for publicly releasing significant portions of its Vulnerabilities Equities Process (VEP) at the end of last year. The VEP sets out when and how the U.S. government will choose to disclose vulnerabilities that it discovers or purchases.
“The 2017 update enhanced the transparency of the process, in part by identifying the respective departments and agencies represented on the vulnerability review committee (a mix of intelligence and civilian agencies), the criteria used for determining whether to disclose a vulnerability, and the mechanism for handling disagreements within the committee,” the letter said.
The Cybersecurity Tech Accord raised concerns over whether other nations have their own VEPs in place, saying the “number of VEPs around the world is even more difficult to ascertain, with the United States being one of the few governments willing to openly discuss its process.” According to the letter, it is rumored that other countries have similar frameworks in place and a few more will likely adopt them soon. However, the Accord stressed the importance of transparency and public-private collaboration in developing a framework.
The Accord encouraged all countries to develop their own version of the VEP framework, saying that countries should operate with a “presumption of private disclosure over the retention of vulnerabilities.” When it comes to developing the framework, the letter said the principles underpinning this process should:
- “Presume disclosure as the starting point;
- Clearly consider the impact on the computing ecosystem if the vulnerability is released publicly and the costs associated with cleanup and mitigation;
- Clearly define the process of making a disclosure decision and identify the stakeholders at the departmental level, ensuring that stakeholders represent not only national security and law enforcement but also economic, consumer, and diplomatic interests;
- Make public the criteria used in determining whether to disclose a vulnerability or not. In addition to assessing the relevance of the vulnerability to national security, these criteria should also consider threat and impact, impact on international partners, and commercial concerns;
- Mandate that all government-held vulnerabilities, irrespective of where or how they have been identified, go through an evaluation process leading to a decision to disclose or retain it;
- Prohibit any vulnerability non-disclosure agreements between governments and contractors, resellers, or security researchers and limit any other exceptions, e.g., for sensitive issues;
- Prohibit use of contractors or other third parties as a means of circumventing the disclosure process;
- Ensure any decision to retain a vulnerability is subject to a six-month review;
- Establish oversight through an independent body within the government with an annual public report on the body’s activities;
- Expand funding for defensive vulnerability discovery and research;
- Ensure disclosure procedures are in line with coordinated vulnerability disclosure, an industry best practice; and
- Ensure that any retained vulnerabilities are secure from theft (or loss).”
“The signatories of the Tech Accord have always believed that protecting the public interest in cyberspace requires robust collaboration between the government and private sectors,” the letter concludes. “When the government approach to vulnerabilities favors stockpiling over disclosure, this critical collaboration is weakened, and we risk losing the public’s trust in cyberspace.”