White House Says It Can Withhold Vulnerabilities If It Will Help Them Catch 'Intellectual Property Thieves'
from the say-what-now? dept
We’ve been among those critical of the White House for the administration’s dangerous policy of not revealing security vulnerabilities it discovers, as it seeks to exploit them. In trying to respond to some of the criticism about this policy, the White House has put out a blog post by White House Cybersecurity Coordinator Michael Daniel, in which he explains how the intelligence community determines whether to disclose a vulnerability… or hoard it for its own use. He lists out three potential reasons for not disclosing:
Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.
As Marcy Wheeler points out, withholding the release of such vulnerabilities for terrorism purposes is not new or surprising. Ditto for so-called cybersecurity (protecting against “hackers or other adversaries” looking to “exploit our networks”) What’s a bit of a surprise is the new inclusion of “intellectual property theft.” However, the NSA, DHS and various supporters have long used claims of China “stealing intellectual property” as an excuse to try to ratchet up surveillance powers. Rep. Mike Rogers, author of CISPA, used the “scary Chinese stealing our IP!” FUD card to push CISPA a few years ago. And former cybesecurity czar Richard Clarke has argued that China stealing intellectual property is a good reason for DHS to be able to spy on all internet traffic.
So, the fact that this argument is used as a sort of “cybersecurity” claim perhaps isn’t that surprising. However, it still seems like a massive logical leap to go from “well we need to protect corporate intelletual property from the Chinese” to arguing that’s a good reason for withholding the disclosure of key technical vulnerabilities that might put everyone at risk. Does anyone honestly believe that the US government should withhold details of a major technical vulnerability… just so it can catch some IP infringers?
And of course, by broadly allowing the NSA and others to fail to patch vulnerabilities, because they want to “prevent intellectual property theft,” it’s just opening up the whole system to be abused even more widely than before. Sure, they may mean “stopping Chinese hackers from swiping plans for a new fighter jet,” but vaguely denoting that it can withhold info on zero day vulnerabilities because of “pirates” seems wide open to abuse — especially given the way many in law enforcement and the administration seem to want to equate every day file sharers with “internet terrorists” or whatever.