The fact that the U.S. federal government would, under some circumstances, exploit software vulnerabilities to attack cyber-adversaries didn't perturb IT security providers I spoke with at the Infosecurity Europe 2014 conference in London this week.
See Also: The Future of IAM: Enterprise
On the eve of the London security conference, 3,662 miles (5,893 kilometers) away in Washington, White House Cybersecurity Coordinator Michael Daniel posted a blog on April 28 stating that the government would exploit vulnerabilities to go after those who would harm America's security, but only under limited circumstances (see: White House Policy on Disclosing Cyberflaws).
Cybersecurity is just a new version of espionage that has existed for a very, very long time.
One top executive of a London-based IT security provider, who asked not to be identified because of the sensitive nature of the topic, says he agrees with the approach outlined by Daniel, in which the U.S. federal government would exploit vulnerabilities to collect crucial intelligence that could thwart a terrorist attack or stop the theft of the nation's intellectual property. That's what governments should do to protect themselves and their citizens, the executive says.
Marc Maiffret, chief technology officer of BeyondTrust, a maker of privilege identity management and vulnerability management products, agrees the U.S. government is within its rights to take such action against those who would do damage. And, despite Daniel's implication that such actions likely would be rare, Maiffret says he believes it's in the DNA of agencies such as the National Security Agency to proactively exploit the vulnerabilities to target the nation's adversaries in cyberspace.
"I think it's more lip service to say, 'Hey, we're going to look at these things and in some cases report them,'" Maiffret says in an interview at the conference. "I think, for the most part, the government is more motivated on offensive capabilities. I don't think you'll see them reporting a lot of vulnerabilities, except in a token type of a way, saying: 'We did the right thing.' For the most part, they're going to stockpile them, just as they continue to stockpile missiles."
Maiffret says he doesn't distrust the U.S. government, despite his skeptical view of Daniel's words, but sees the federal government's primary objective as strengthening its offensive capabilities in cyberspace. "Cybersecurity is just a new version of espionage that has existed for a very, very long time," he says.
Taking a less cynical view is Hord Tipton, executive director of the IT security certification and training organization (ISC)². Tipton, on a layover in London on his return to the U.S. from Poland, says he's encouraged that the federal government is becoming more transparent about how it would address exploiting software vulnerabilities. And, he says, that transparency should help rebuild America's credibility around the world that was damaged by revelations from former NSA contractor Edward Snowden about the agency's cyber-meddling.
Daniel's blog reinforces an Obama administration decision made earlier in the month that the federal government should not exploit encryption flaws in most instances unless there's "a clear national security or law enforcement need" (see: Is Exploiting Heartbleed Ever Appropriate?).
Let's give the administration credit for increasing transparency on how it will approach the exploitation of some software vulnerabilities. But can we ever be sure how open the administration will be in discussing such a sensitive area? After all, the words Daniel used in the blog are intentionally vague. When Daniel speaks of withholding knowledge for a limited time, how long is a limited time - a week, a month, a year?
Please share your thoughts on the government's new transparency in the box below.