Vulnerabilities / Threats
5/16/2013
08:58 AM
Connect Directly
RSS
E-Mail
50%
50%

DHS Eyes Sharing Zero-Day Intelligence With Businesses

DHS proposal would give private businesses access to the government's stockpile of zero-day secrets for a fee. But some say the program may actually fuel the bug vulnerability marketplace.

The Department of Homeland Security (DHS) Wednesday offered to help private businesses zero in on the zero-day vulnerabilities being used to compromise their networks. The DHS pitch: We'll share intelligence gleaned from the U.S. government's vast stockpile of zero-day vulnerabilities -- purchased from bug hunters and resellers -- to help block zero-day threats.

"It is a way to share information about known vulnerabilities that may not be commonly available," Homeland Security secretary Janet Napolitano said Wednesday at the Reuters Cybersecurity Summit in Washington, D.C., reported Reuters.

Private businesses would pay for the service, which would be offered by telecommunications firms and defense contractors.

The DHS proposal is a continuation of the February 2013 executive order and related presidential policy directive issued by President Obama, which created a public-private cyber-threat information sharing regime, as well as voluntary private sector cybersecurity standards.

The executive order expanded the Enhanced Cybersecurity Services program -- formerly known as the Defense Industrial Base pilot -- to share threat information, including classified intelligence, with defense contractors, telecommunications and other critical-infrastructure firms that have appropriate security clearances.

Enhanced Cybersecurity Services participants include AT&T, Northrop Grumman and Raytheon.

[ Threat-intelligence sharing must balance security against privacy. Read CISPA 2.0: House Intelligence Committee Fumbles Privacy Again. ]

Rep. Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, lauded the DHS plan because the black-box approach wouldn't expose U.S. threat intelligence to other countries. "This can't happen if you post it on a website," he said. "We have to find a forum in which we can share it, and 10 providers serve 80% of the market. We have classified relationships with a good number of them."

Rogers is also the co-author of the Cyber Intelligence Sharing and Protection Act (CISPA), the second version of which recently passed in the House but stalled in the Senate. The legislation has proposed indemnifying any business that shares network scans with U.S. government agencies, in a bid to crowdsource threat detection. But the suggestion has drawn the ire of privacy and civil rights groups, which object to giving blanket immunity to any business that shares customer and employee information -- potentially including full texts of all emails sent and received via business networks -- with intelligence agencies.

Outsourcing zero-day-vulnerability scanning to a private business, however, would seem to obviate related privacy concerns, since network providers already scan their customers' network traffic for some signs of attack.

The offer of shared threat intelligence is a crucial incentive for getting private businesses to agree to participate in the government's cybersecurity program, which is designed in large measure to better secure the critical infrastructure, which is largely owned by private businesses.

To date, the large sums of money on offer for buying zero-day vulnerabilities have seen the bug-buying restricted to organizations, criminal gangs or governments with deep enough pockets, and presumably a need to put the vulnerabilities to use. "The only people paying are on the offensive side," former NSA employee and renowned smartphone hacker Charlie Miller, who's now a security researcher at Twitter, told Reuters.

Furthermore, some information security experts have warned that the move to share threat intelligence gathered by the NSA and other agencies could further bolster the bug vulnerability marketplace and potentially direct tax dollars to anti-U.S. hackers who are expert bug hunters, as opposed to spending that money on defense.

Others have said that the United States has an obligation to serve Americans by disclosing what it knows about zero-day threats. "If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," former White House cybersecurity advisor Richard Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."

The U.S. government's apparent emphasis on playing cyber offense comes as critics have accused the government of lagging on defense. "NSA, CIA and military are now #1 buyers of exploits, while DHS, which is responsible for cyber defense, has lost most of its top officials," said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, via Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio