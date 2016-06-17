By Joseph Menn
SAN FRANCISCO, June 17 Two former Obama
cyber-security officials say the federal government should be
barred from paying for hacking techniques while agreeing to keep
them secret, as the FBI did to crack the iPhone used by one
of the shooters in the San Bernardino killings.
Ari Schwartz and Rob Knake, who in separate stints oversaw
technology security issues at the National Security Council
(NSC), said changes are needed in the White House process for
determining whether software flaws discovered by government
agencies should be disclosed, or kept secret so they might be
used for offensive cyber operations.
Their recommendations came in a policy paper published on
Friday by Harvard University's Belfer Center for Science and
International Affairs. A spokesman for the White House's NSC had
no immediate comment.
The issues center on what is known as the Vulnerability
Equities Process, created in 2010 but made public and
"reinvigorated" only in 2014 after news reports drew attention
to a tilt toward keeping vulnerabilities secret so they might be
used for attacks.
The process requires agencies to submit security flaws that
they discover or buy to an inter-agency group that votes on
whether they should be kept for secret hacking operations or
disclosed to the software makers, which can update their wares.
White House cyber security coordinator Michael Daniel, in a
blog post describing the factors that are considered, maintained
that the current policy is biased toward disclosure. Much of the
procedure remains classified as secret, including which agencies
get a vote.
Schwartz and Knake, who oversaw the process under Daniel,
said that a new executive order should make clear that it is
mandatory for agencies to submit all the software flaws they
want to use to the inter-agency group.
In the San Bernardino, California, case, officials said they
paid less than $1 million to a third party for a tool to unlock
the killer's Apple iPhone. Because they did not know how the
tool worked, they had no flaw to submit and were thus able to
bypass the process.
The ex-officials also recommended that the Department of
Homeland Security run the process, rather than the National
Security Agency. They said much more should be disclosed about
the process, such as how many software flaws are held back and
for how long, and that Congress should get oversight of the
program.
"It shouldn't be a policy that is created through a blog
post," Schwartz told Reuters ahead of the paper's publication.
"It should be very clear what the policy is, and it should be
spelled out in an unclassified way."
