Move Fast and Fix Things

For many years, federal government officials have cited the need for a public-private partnership to address cybersecurity weaknesses, attacks, and defenses, which has generally meant enterprises and security companies providing threat intelligence and other information to the government while getting little back in return. That dynamic has shifted somewhat recently, with agencies such as CISA, FBI, and NSA sharing both public and private warnings to companies about vulnerabilities and ongoing attacks.

A recent example is a set of four critical flaws in Microsoft Exchange that National Security Agency engineers discovered and disclosed to the company earlier this year. Microsoft patched the vulnerabilities in its April update cycle, and said that it had not seen malicious exploitation of the bugs at that point. It’s unclear how soon after NSA’s disclosure Microsoft patched the flaws, but shortening that window of vulnerability is the goal of both the government and the vendors to which agencies report bugs. However, some companies don’t necessarily respond to those reports as quickly as one might expect.

Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, and the former director of cybersecurity at NSA, said that sometimes when the agency disclosed vulnerabilities to vendors, the reaction could be a little slow.

“When we found sensitive vulnerabilities and quietly shared them with the company, they weren't often rapidly patched, and that’s a troubling factor because we’re balancing the visibility problem,” Neuberger said during a discussion with Dmitri Alperovitch of Silverado Policy Accelerator on Tuesday.

Neuberger, who has a deep background in both policy and security, did not single out any specific technology vendors or point to any vulnerabilities as examples, but the issue she described is a thorny one. In the years following the Edward Snowden disclosures, NSA publicly committed to disclosing more of the vulnerabilities that its teams find internally rather than keeping them secret for use in offensive operations. Given that NSA has a dual offensive and defensive mission in cybersecurity, deciding when to disclose is a delicate thing. There is a formal process to guide that decision, known as the Vulnerability Equities Process, and while it applies to a number of federal agencies, NSA is the executive secretariat for the VEP.

NSA has one of the preeminent offensive cyber groups in the world, and part of that work includes vulnerability discovery. If the agency finds a vulnerability that is serious enough that the potential damage from not disclosing it to the affected vendor outweighs its offensive value, that should serve as a clear signal to the vendor that quick action is warranted. But the way that most vendors handle bug triage and remediation doesn't always lend itself to prioritizing flaws reported by NSA or another government agency.

"NSA, or any other organization outside of your own, telling you they’ve come across a vulnerability, it would depend on the context. If it's being exploited in the wild, then it might cause you to act more quickly. It really depends on was it exploitation in progress or a true vulnerability discovery ahead of exploitation. The right move would be to prioritize it relative to all the other bugs you're working on," said Katie Moussouris, CEO of Luta Security.

"Just from my experience at Microsoft, we were working on hundreds or even thousands of bugs at any time."

The VEP specifically addresses the scenario of a vendor either deciding not to fix a vulnerability or moving too slowly on it.

“If the vendor chooses not to address a vulnerability, or is not acting with urgency consistent with the risk of the vulnerability, the releasing agency will notify the VEP Executive Secretariat, and the USG may take other mitigation steps,” the VEP says.

A variation of this situation came up in March after Microsoft had released emergency fixes for the ProxyLogon vulnerabilities in Exchange, which are distinct from the Exchange flaws NSA reported to Microsoft a month later. Although the patches were available, there were still tens of thousands of vulnerable Exchange servers online two weeks later, due in part to the fact that some enterprises couldn’t apply the patches because they had not installed older fixes that are required. So the White House asked Microsoft to do whatever it could to simplify the process for customers in order to reduce the risk of mass exploitation. Microsoft quickly developed and released a one-click tool that mitigated the vulnerabilities.

“The Exchange bugs were a very serious area of concern and it led the White House to innovate in how we respond,” Neuberger said.

Those bugs were being exploited as zero days by a threat actor that Microsoft calls Hafnium, and the company said when it released the fixes in March that the group was based in China. Neuberger said Tuesday that the U.S. plans to name the group publicly soon.

“We will attribute that activity and along with that determine what we need to do as a follow up to that, and you will see further from us on that in the next few weeks,” she said.