Cyber Statecraft Initiative Director Jason Healey is quoted by Wired on the White House announcement that certain government agencies have exploited software vulnerabilities rather than disclosing them to vendors so they could be fixed:
“If this is a change in policy, it kind of explicitly confirms that beforehand that was not the policy,” says Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council and a former officer in the Air Force’s cyber division.
Healey notes that the public statements on the new policy leave a lot of questions unanswered and raise the possibility that the government has additional loopholes that go beyond the national security exception.
“It would be a natural bureaucratic response for the NSA to say ‘why should we spend our money discovering vulnerabilities anymore if we’re going to have to disclose them?’” Healey says. “You can imagine a natural reaction would be for them to stop spending money on finding vulnerabilities and use that money to buy them off the grey-market where they don’t have to worry about that bias.”
“Do you grandfather in all of the existing vulnerabilities that are in the Tailored Access Operations catalog, or are they going to go through with the new bias and review every vulnerability they have in their catalog?” Healey asks. “The military will do everything they can to not do that.”
If the government does apply the new rules to its back-catalog of exploits, suddenly disclosing to vendors a backlist of zero-day vulnerabilities it has been sitting on and exploiting for years, it may well be detectable, Healey notes. The tell-tale sign to look for: a slew of new patches and vulnerability announcements from companies like Microsoft and Adobe.