Vulnerabilities / Threats
5/16/2013
08:58 AM
Connect Directly
RSS
E-Mail
50%
50%

DHS Eyes Sharing Zero-Day Intelligence With Businesses

DHS proposal would give private businesses access to the government's stockpile of zero-day secrets for a fee. But some say the program may actually fuel the bug vulnerability marketplace.

The Department of Homeland Security (DHS) Wednesday offered to help private businesses zero in on the zero-day vulnerabilities being used to compromise their networks. The DHS pitch: We'll share intelligence gleaned from the U.S. government's vast stockpile of zero-day vulnerabilities -- purchased from bug hunters and resellers -- to help block zero-day threats.

"It is a way to share information about known vulnerabilities that may not be commonly available," Homeland Security secretary Janet Napolitano said Wednesday at the Reuters Cybersecurity Summit in Washington, D.C., reported Reuters.

Private businesses would pay for the service, which would be offered by telecommunications firms and defense contractors.

The DHS proposal is a continuation of the February 2013 executive order and related presidential policy directive issued by President Obama, which created a public-private cyber-threat information sharing regime, as well as voluntary private sector cybersecurity standards.

The executive order expanded the Enhanced Cybersecurity Services program -- formerly known as the Defense Industrial Base pilot -- to share threat information, including classified intelligence, with defense contractors, telecommunications and other critical-infrastructure firms that have appropriate security clearances.

Enhanced Cybersecurity Services participants include AT&T, Northrop Grumman and Raytheon.

[ Threat-intelligence sharing must balance security against privacy. Read CISPA 2.0: House Intelligence Committee Fumbles Privacy Again. ]

Rep. Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, lauded the DHS plan because the black-box approach wouldn't expose U.S. threat intelligence to other countries. "This can't happen if you post it on a website," he said. "We have to find a forum in which we can share it, and 10 providers serve 80% of the market. We have classified relationships with a good number of them."

Rogers is also the co-author of the Cyber Intelligence Sharing and Protection Act (CISPA), the second version of which recently passed in the House but stalled in the Senate. The legislation has proposed indemnifying any business that shares network scans with U.S. government agencies, in a bid to crowdsource threat detection. But the suggestion has drawn the ire of privacy and civil rights groups, which object to giving blanket immunity to any business that shares customer and employee information -- potentially including full texts of all emails sent and received via business networks -- with intelligence agencies.

Outsourcing zero-day-vulnerability scanning to a private business, however, would seem to obviate related privacy concerns, since network providers already scan their customers' network traffic for some signs of attack.

The offer of shared threat intelligence is a crucial incentive for getting private businesses to agree to participate in the government's cybersecurity program, which is designed in large measure to better secure the critical infrastructure, which is largely owned by private businesses.

To date, the large sums of money on offer for buying zero-day vulnerabilities have seen the bug-buying restricted to organizations, criminal gangs or governments with deep enough pockets, and presumably a need to put the vulnerabilities to use. "The only people paying are on the offensive side," former NSA employee and renowned smartphone hacker Charlie Miller, who's now a security researcher at Twitter, told Reuters.

Furthermore, some information security experts have warned that the move to share threat intelligence gathered by the NSA and other agencies could further bolster the bug vulnerability marketplace and potentially direct tax dollars to anti-U.S. hackers who are expert bug hunters, as opposed to spending that money on defense.

Others have said that the United States has an obligation to serve Americans by disclosing what it knows about zero-day threats. "If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," former White House cybersecurity advisor Richard Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."

The U.S. government's apparent emphasis on playing cyber offense comes as critics have accused the government of lagging on defense. "NSA, CIA and military are now #1 buyers of exploits, while DHS, which is responsible for cyber defense, has lost most of its top officials," said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, via Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3090
Published: 2014-09-23
IBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3101
Published: 2014-09-23
The login form in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not insert a delay after a failed authentication attempt, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2014-3103
Published: 2014-09-23
The Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http...

CVE-2014-3104
Published: 2014-09-23
IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3105
Published: 2014-09-23
The OSLC integration feature in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account n...

Best of the Web
Dark Reading Radio