It is interesting to note the portions of the WikiLeaks Vault 7 dump that have elicited the most visceral response. Many pundits and analysts have divided their rage between targets like Julian Assange (the traitor), the leaking NSA/CIA employee (deep drip), and the NSA itself (Big Bro) for spying on U.S. citizens. But nowhere have I heard a word in the mainstream media about mis-attribution or Russian hacks.

More importantly perhaps, no one has even mentioned the most insidious revelation of all: the blatant violation by every U.S. intelligence agency of the Vulnerabilities Equity Process (VEP).

The VEP, a process originated in 2008 for the purpose of improving our government’s ability to use offensive capabilities against U.S. adversaries and to protect both government and public information systems, became a formal procedure by 2009 to be administered by the cybersecurity coordinator and special assistant to the president.

The procedure called for a series of steps to be taken whenever any of the intelligence agencies became aware of certain vulnerabilities in various software tools, operating systems, and applications, so that the originators of these technologies (Microsoft, Adobe, Apple, etc.) could repair the vulnerabilities before they led to abuse in the wild.

This all sounds reasonable, right?

The only problem is that the VEP is full of loopholes, subjective time-tables, and interpretive rulings. The result is that any agency can do essentially as it pleases and choose not to disclose vulnerabilities that it deems are in the nation’s best interests to remain secret.

One of the smartest analysts on the topic of cybersecurity raged over the weekend about how the treasonous WikiLeaks dump has made public all of these hitherto undisclosed malware strains and techniques so that now our enemies can use them against us.

While that is a compelling problem, I think the larger revelation is that these agencies have been hoarding knowledge of cyberattack tools and techniques that are being used repeatedly, on a daily basis, in attacks against the private business sector. We spent almost $60 billion defending against cyberattacks in the U.S. last year, when many if not all of the exploits, attack vectors, and techniques have been known to our intelligence agencies all along.

Our primary cause for concern resulting from this Vault 7 dump is the discovery that our intelligence agencies are lawfully able to withhold critical attack-vector, malware-design, and exploit technique information from the private sector. If we are to be outraged about anything, it should be that we have met the enemy — and it is our own team. This knowledge should empower us to bring about significant changes in how these agencies are allowed to do business.

First, instead of using these secretly held vulnerabilities for their own offensive exploit purposes, our government should (by executive order) force these agencies to close these known vulnerabilities immediately and on an ongoing basis so that foreign governments and criminals will be forced to look elsewhere in order to launch cyberattacks against businesses, organizations, and U.S. citizens.

This won’t stop the problem, but it will stop us from helping our adversaries to attack us.

Regardless of how “useful” these known vulnerabilities are to our intelligence agencies, if an unpatched exploit remains secret, then it leaves citizens’ data, businesses, and government systems vulnerable to attack. Thus, if the government does not disclose to technology companies the vulnerabilities that it obtains, then both public and private systems will continue to remain at risk.

Second, the entire VEP needs to be scrapped and the proper intentions of the process included in new cybersecurity mandates designed to first protect our citizens and the private sector and then provide our intelligence agencies with the leverage they need to prosecute an offensive against nation-state cyber-terrorists.

There is nothing Pollyannaish about this view. If you think I don’t know that these agencies smirk at the idea that these low-information deplorables like myself just don’t understand the “big picture” — you are mistaken.

There is clear evidence both that we are under attack by global enemies and that we are engaged in asymmetric warfare with the playing field tilted dramatically against us. We are losing this war and we need all the help we can get. But my premise is that we are relying on the wrong help in the wrong way.

Instead of hiding vulnerabilities in technology, our government agencies should be working together with the technology industry to invent new and effective offensive and defensive weapons that increase the forward pressure on the enemy while reducing the inbound attack surfaces. And it’s not just software. Hardware is an important consideration today owing to mobile devices like smartphones, but will become critical tomorrow owing to an increasingly connected planet through tens of billions of IoT devices in our homes and businesses.

If we continue to allow our spy guys to run roughshod over the technology companies that are doing their best to swim against the current, we will never make any progress in this battle. The Trump administration has a unique and time-limited opportunity to strike a blow against our enemies, and we can only hope our new sheriff is truly locked and loaded.

Steve King is the COO and CTO of Netswitch Technology Management.