The DHS pitch: We’ll share intelligence gleaned from the U.S. government’s vast stockpile of zero-day vulnerabilities — purchased from bug hunters and resellers — to help block zero-day threats. “It is a way to share information about known vulnerabilities that may not be commonly available,” Homeland Security Secretary Janet Napolitano said Wednesday at the Reuters Cybersecurity Summit in Washington, D.C., according to Reuters. The DHS proposal is a continuation of the February 2013 executive order and related presidential policy directive issued by President Obama, which created a public-private cyber-threat information sharing regime, as well as voluntary private sector cybersecurity standards.
The executive order expanded the Enhanced Cybersecurity Services program — formerly known as the Defense Industrial Base pilot — to share threat information, including classified intelligence, with defense contractors, telecommunications and other critical-infrastructure firms that have appropriate security clearances.
But the suggestion has drawn the ire of privacy and civil rights groups, which object to giving blanket immunity to any business that shares customer and employee information — potentially including full texts of all emails sent and received via business networks — with intelligence agencies.
Outsourcing zero-day-vulnerability scanning to a private business, however, would seem to obviate related privacy concerns, since network providers already scan their customers’ network traffic for some signs of attack.
The offer of shared threat intelligence is a crucial incentive for getting private businesses to agree to participate in the government’s cybersecurity program, which is designed in large measure to better secure the critical infrastructure, most of which is owned by private businesses.
To date, the large sums paid for zero-day vulnerabilities have restricted bug-buying to organizations, criminal gangs or governments with deep enough pockets, and presumably a need to put the vulnerabilities to use.
Furthermore, some information security experts have warned that the move to share threat intelligence gathered by the NSA and other agencies could further bolster the vulnerability marketplace and potentially direct tax dollars to anti-U.S. hackers who are expert bug hunters, as opposed to spending that money on defense.
“If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users,” former White House cybersecurity advisor Richard Clarke told Reuters.
“NSA, CIA and military are now #1 buyers of exploits, while DHS, which is responsible for cyber defense, has lost most of its top officials,” said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU’s Speech, Privacy and Technology Project, via Twitter.
Link: http://www.informationweek.com/security/vulnerabilities/dhs-eyes-sharing-zero-day-intelligence-w/240154972?queryText=ThreatGrid