White House Says It Can Withhold Vulnerabilities If It Will Help Them Catch 'Intellectual Property Thieves'

from the say-what-now? dept

We’ve been among those critical of the White House for the administration’s dangerous policy of not revealing security vulnerabilities it discovers, as it seeks to exploit them. In trying to respond to some of the criticism about this policy, the White House has put out a blog post by White House Cybersecurity Coordinator Michael Daniel, in which he explains how the intelligence community determines whether to disclose a vulnerability… or hoard it for its own use. He lists out three potential reasons for not disclosing:

Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

As Marcy Wheeler points out, withholding the release of such vulnerabilities for terrorism purposes is not new or surprising. Ditto for so-called cybersecurity (protecting against “hackers or other adversaries” looking to “exploit our networks”) What’s a bit of a surprise is the new inclusion of “intellectual property theft.” However, the NSA, DHS and various supporters have long used claims of China “stealing intellectual property” as an excuse to try to ratchet up surveillance powers. Rep. Mike Rogers, author of CISPA, used the “scary Chinese stealing our IP!” FUD card to push CISPA a few years ago. And former cybesecurity czar Richard Clarke has argued that China stealing intellectual property is a good reason for DHS to be able to spy on all internet traffic.

So, the fact that this argument is used as a sort of “cybersecurity” claim perhaps isn’t that surprising. However, it still seems like a massive logical leap to go from “well we need to protect corporate intelletual property from the Chinese” to arguing that’s a good reason for withholding the disclosure of key technical vulnerabilities that might put everyone at risk. Does anyone honestly believe that the US government should withhold details of a major technical vulnerability… just so it can catch some IP infringers?

And of course, by broadly allowing the NSA and others to fail to patch vulnerabilities, because they want to “prevent intellectual property theft,” it’s just opening up the whole system to be abused even more widely than before. Sure, they may mean “stopping Chinese hackers from swiping plans for a new fighter jet,” but vaguely denoting that it can withhold info on zero day vulnerabilities because of “pirates” seems wide open to abuse — especially given the way many in law enforcement and the administration seem to want to equate every day file sharers with “internet terrorists” or whatever.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “White House Says It Can Withhold Vulnerabilities If It Will Help Them Catch 'Intellectual Property Thieves'”

Subscribe: RSS Leave a comment
76 Comments
Ninja (profile) says:

by broadly allowing the NSA and others to fail to patch vulnerabilities

Open source. May not be immune to issues but at least you can check the code and at least reveal the vulnerabilities to the world regardless of what some NSA moron says.

As for the IP trope I don’t think they should be worried about foreigners “stealing” their IP. They are doing their best at killing it before it’s even born with the insanity that IP laws are nowadays.

AricTheRed says:

Re: In short...

I’ve said it before and I’ll say it again!

OATHBREAKERS!

And the problem is it is now trickling down from the top of the executive branch. Even if no one would acknowledge it they (I believe) conciously or unconciously take their ques from The Oathbreaker In Chief, even if they disagree with the policies and decisions that are implimented.

Anonymous Coward says:

About the only way that the Chines or others could steal IP these days if to physically steal the computers holding it. Failing to get zero days fixed is just leaving the the door open to foreign governments copying all the information that they can get hold of, as they can be assumed to be at least as competent in finding them.

Anonymous Coward says:

“that could thwart a terrorist attack [sic] stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks. “

“our nation’s”
“other adversaries”
“our networks”

Patriotism is the last refuge of a scoundrel.

Anonymous Coward says:

Re: Re:

Sometimes I wonder if the Obama administration is actually trying to poke and prod this nation into active rebellion? Bush had a great start with DHS, we should have rebelled then, but the coward that is America would not have any of it.

I listened back and forth to talk radio as every yakker just bent over and spread their asscheeks for Uncle Sam under Dubya… and now people seem to be doing it for Obamy now.

According to the law, we are all already terrorists…

Andy says:

What!!!!!

I believe that most Americans will be relieved when they know that their search and cloud and email is safe from legal prying eyes in the US.

Most people do not actually care that China is gaining access to American secrets, as long as they don’t touch Americans data like the American congress allows and protects. They then supply all Americans with advanced devices that they sell rather cheaply and yes their build quality if improving tremedously

Kenneth Michaels (profile) says:

Clever redefinitions

The year is 2005, a two step plan:
Step 1. Redefine copyright infringement as “intellectual property theft.”
Step 2. Redefine “misappropriation of trade secrets” as “intellectual property theft.”

Result:
1. what should read: “to stop the misappropriation of trade secrets by foreign black-hat hackers cracking into our computers”
2. becomes: “to stop the theft of our nation’s intellectual property”
3. the latter includes copyright infringement!!! Yea!

Skip ahead to 2012: These new definitions allow the United States Government to use undisclosed exploits to hack into Kim Dotcom’s computers to bring him down under dubious interpretations of US copyright law!! Yippie!! Plan worked. Lets keep it going!

Anonymous Coward says:

Re: Clever redefinitions

Yes.
This is yet another example wherein we now have confirmation of what was suspected in the mid-2000’s. Back then however, those who suspected the entertainment industry would be asking the government to penetrate citizens’ computers and violate their 4th Amendment rights were derided by the industry shills posting right here on Techdirt that all-purpose catcall…”tinfoil hat”

Anonymous Coward says:

Wow, such gonads

At what point will they realize that they just sound like a bunch of moronic asshats violating our privacy for fun and profit?

I’m guessing they will realize this when they start seeing the revolution happening outside their office windows, and realize that they might be a tad late to fix the problem.

Anonymous Coward says:

Re: Twisted logic

That’s amusing, considering Google vacuums up everything you do online.

This article/blog isn’t about privacy, otherwise Masnick would rail every day on Google’s privacy-killing business model. It’s about Pirate Mike getting mad at the idea of pirates getting busted. Duh.

Kal Zekdor (profile) says:

Counterproductive?

Is it just me, or is the entire idea of combating IP theft by withholding knowledge of security vulnerabilities laughably counterproductive?

If NSA or other government agencies are aware of a vulnerability, so are numerous hackers, particularly those working for foreign governments. Those hackers can then use those vulnerabilities to break into secure systems to acquire high value IP. These agencies could prevent many instances of IP theft (theft meaning the initial illegal acquisition of privileged or non-public IP) by simply revealing knowledge of these vulnerabilities, allowing companies to patch their systems. Not to mention this would help protect against numerous other potentially costly attacks against US companies and infrastructure.

Anonymous Coward says:

This government has initiated a new cold war in the form of cyberweapons. Again the citizen is the MADD deterrent. No other government will be comfortable without weapons of their own.

Hence we now have weapons that aren’t physical but ones that corporations can really rake in the dough on as it is a result of labor with no manufacturing costs and very little distribution costs.

It seems in the process of arming up, our government doesn’t care about it’s economy, nor the citizens that are paying the tab. None of this is good news.

It has created an atmosphere of large distrust by these and other actions against it by the very citizens it depends on to support and finance these operations.

The push back has started. Many are now having to defend these actions that once they never had to udder a word in public about. As the time passes, the pressure becomes ever greater to terminate these insane schemes.

Pragmatic says:

Re: Re: Whose intellectual property again?

Yeah… but we play into their hands when we fail to call them on the way they frame the argument. Creative output is not property.

That we let them get away with this is inexcusable; we know what the truth is.

As for the notion that any creative output belongs to the nation – that’s just rot. Creative output is being locked away and the public domain diminished. That’s where the theft is and that’s what we should be calling out.

But first call the government out for lying about what is going on here.

Anonymous Anonymous Coward says:

Vulnerabilities for IP theft?

Why would the Chinese need a vulnerability to steal IP? They just need to connect to The Pirate Bay for all the IP they want.

Oh, you mean the other IP? Aren’t patents posted online just so one can read them?

Anyway, we don’t have any IP as valuable as that protected by the MAFIAA (who don’t actually produce anything), though there are a couple of celebrities exerting their publicity rights that I think a consensus could be formed which would allow us to ship them right on over to Bejing.

Anonymous Coward says:

“Disclosing a vulnerability can mean that we forego an opportunity to … discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”

Let existing vulnerabilities go unpatched and open to attack by hackers so the government can perhaps discover other, “more dangerous” vulnerabilities in the future? Yah. That makes a lot of sense.

Anonymous Coward says:

‘we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities’

what an absolutely ridiculous statement! the only reason they would hang on to something is because they have been told to by the entertainment industries and it doesn’t want to bite the hand that feeds it! piss poor excuse, again, for the government to be able to shit on citizens!!

David says:

Who is the largest intellectual property thief?

The government promised artists that their works would pass into the public domain at a given date, and the artists got reimbursed from record companies according to that promise of having their work live on in the hands of the public without corporate control after a given date.

The government has stolen the intellectual property that it has promised the artist to deliver into the public domain and handed it to the big companies. By now the U.S.A. has robbed the graves of deceased artists and stolen about 70?years worth of culture from the general public in order to line the pockets of entertainment industry members in return for lobbying bribes.

OrganizedThoughtCrime says:

“Does anyone honestly believe that the US government should withhold details of a major technical vulnerability, putting everyone at serious risk, just so it can catch some IP infringers?”

I certainly don’t. It’s a catch-22 to say that your withholding vital computer security-related vulnerability information to protect people, when that same withholding puts the same people at greater risk as a result. What does the US government consider all of the actual and potential innocent victims of these practices — collateral damage?

Anonymous Coward says:

Re: Re:

If the government knows about a security hole, does nothing to report it to the companies responsible for fixing the hole and use it as a honeypot to catch people exploiting the hole is the government possibly guilty of entrapment? I would say that the longer something goes unreported the more like entrapment this seems.

Anonymous Coward says:

As an observation, having read the linked article it seems to me that your use and the author’s use of the term “intellectual property” are not the same. You may wish to consider the distinct possibility that he uses the term in a very generic, shorthand sense to refer to the possible scraping of important information that is not as a general rule intended for public disclosure (For example, unpublished technical information associated with the design, development, manufacture, use and maintenance of defense systems.). Whenever I speak of IP I tend to associate it with specific legal regimes such as patents, trademarks, copyrights, etc. Most outside the field of law, however, then to use the term quite generically.

Mike Masnick (profile) says:

Re: Re:

You may wish to consider the distinct possibility that he uses the term in a very generic, shorthand sense

No words written out by intelligence officials are ever “very generic, shorthand sense.” They choose words and terms very explicitly. This was not an off-the-cuff remark. What he established is a broad and dangerous rule.

For example, unpublished technical information associated with the design, development, manufacture, use and maintenance of defense systems.

As we mentioned late in the post — which, clearly, you did not choose to read, as per usual.

Anonymous Coward says:

Re: Re: Re:

Having dealt directly with senior officials at federal agencies and at the WH over the course of many years, my experience has been that IP is almost always used as a shorthand for non-public, technical data and computer software…and not for IP rights as you seem to suggest. Of course, most of the technical and computer software relates to systems closely allied with national security interests.

As for your snarky remark, I did read your entire article and presented my comment entirely in good faith and without any deprecatory motivation in mind. I wish I could say the same for you, but it seems you simply will never consider good faith as a possibility when perusing whatever I may happen to say.

Mike Masnick (profile) says:

Re: Re: Re: Re:

You are such an astounding hypocrite, it’s not even funny.

Having dealt directly with senior officials at federal agencies and at the WH over the course of many years, my experience has been that IP is almost always used as a shorthand for non-public, technical data and computer software…

1. As I stated, and you totally ignored, this was not an off-hand comment, but a public statement on an issue that people are following closely — meaning that the words were chosen especially carefully.

2. Here’s the hypocritical part: whenever we use a simple “short-hand” in this area, you immediately take offense. For example, when we talk about bad patents, you acted all indignant about how you have no idea what a “bad” patent is because it’s not defined anywhere and you only know of valid or invalid patents.

Similarly, when we’ve spoken of software patents, you again go into an astounding huff about how there’s no definition of software patent, so you can’t possibly understand what we’re talking about.

Yet, when it comes to your buddies in the national security space, you’re suddenly willing to grant them whatever leeway possible, and assuming that any statement is fine because it’s the shorthand they use.

I did read your entire article and presented my comment entirely in good faith and without any deprecatory motivation in mind

If you hadn’t spent the last 5 years on this site commenting on nearly every article with the clear intent to mock my position on damn near everything, you might be believable.

But you have… and you’re not.

it seems you simply will never consider good faith as a possibility when perusing whatever I may happen to say

I assume everyone has good faith until they prove otherwise. You proved otherwise long ago.

Anonymous Coward says:

Re: Re: Re:2 Re:

Under Title 35 a patent is either valid or invalid. “Bad” is not a part of the statutory scheme. It seems that here and elsewhere the term “bad” is used as a preface to asking a question along the lines “WTF was the patent office thinking when it allowed a patent to be granted for this astoundingly obvious thing?” My remarks are directed to such questions since those who loudly bleat “bad” have almost universally taken zero time to analyze the patent and its associated file history. Maybe the patent should never have issued because it does not meet the statutory requirements of 102, 103, 112, etc. Then again, maybe it should have issued. It is impossible to know without having done more, much more, than pontificating about it being “bad”. That takes intellectual laziness to new heights.

Yes, tell me what is a “software” patent. Apparently the view here is that a patent that in any way involves software is a software patent. Heck, no need to review the claims in any detail…that would be such drudgery.

Re national security…no, I am not a friend of the NSA, or Clapper, or anyone else associated with our intelligence services. I am merely one who has worked around highly classified information for many years and who recognizes that the seemingly logical solutions offered here (and elsewhere) oftentimes are not solutions at all because of other considerations unknown to those who do not work with classified information. This is in part what motivated my comments anent Wyden and Clapper.

Re commenting on articles, a believe you will find that I comment on only a very few. What I do find interesting is that virtually everything I may say is responded to by you, almost as if I am challenging your integrity, knowledge, etc. This is not, and never has been, my intent. My interest is invariably to provide some perspective that might otherwise not arise during the course of article commentary. For example, the original SOPA had a third party right of action. Even though it was later removed from the bill, one would never know that reading articles here and elsewhere because they kept talking about the issue as if it was still an issue. The same can be said of the re-direct that was initially proposed, but then removed since the bill’s proponents finally admitted that the concept had some problems requiring a much closer look.

My good faith continues with every comment I may submit. You are mistaken to believe otherwise, which would be readily apparent were we ever to meet. If you plan a trip to Central Florida anytime soon, let me know. I do not bite.

Mike Masnick (profile) says:

Re: Re: Re:3 Re:

And you have just proved my point. You hold such incredible double standards. For us, who you like to mock, you insist that our obvious choices of language are unacceptable. But when it’s a White House official making a statement of utmost importance, you have no problem insisting that while the words he used are problematic, you’re sure it’s okay because you alone understand what he meant to say.

Incredible that you still don’t see this as hypocrisy.

Anonymous Coward says:

Oh for fucks sake, seriously? It’s fucking bad enough that the NSA is promoting poor security. At least that is supposedly a matter of national fucking defense, even if monumentally retarded. But to catch “intellectual property thieves”?! REALLY?! Some of these people could do their best for the world by eating a bullet.

Anonymous Coward says:

Perhaps I misunderstand, but the term “bad patent” as used on your site does not appear to be ambiguous (susceptible to a reasonable, alternate definition). My point re “IP” was merely to note that there is an alternate definition that is quite reasonable. Importantly, I did not pull this out of thin air. I have seen such usage on countless occasions, and in instances such as this it was meant to denote subject matter other than patents, etc.

Anonymous Coward says:

Re: Re: Re:

Trying to have a discussion with you on a subject of mutual interest is well nigh impossible. Saying I know how the term “bad patent” is being used here, and that somehow equates to dishonesty, misses my point entirely. Clearly you are trying to communicate that a patent should never have been issued because it is blatantly obvious and the USPTO should hang its head in shame for allowing the application to pass to issue. Of course, the reasons why a bad patent is blatantly obvious amounts to little more than arm waving, generic references to alleged prior art that may or may not be relevant, anecdotal musings, etc., IOW, because you or other article writers here say so. Unfortunately, and frustratingly for those of us who have dealt with matters such as these, a factual record counts. Arm waving does not. If people want to call something bad, then at the very least they should present relevant evidence, and then proceed to show how that relevant evidence compels a conclusion of obviousness (and this is done by claim analysis). Over my career I have been required to stake out positions that patents are obvious, and for the most part have been able to do so. Why? Because I read the patents, read their file histories, researched the relevant technical areas to identify the general state of the art at the time the application was filed and specific instances appearing at the time the invention was first made of acts, publications, etc. that all bear on the legal test for obviousness. I can assure you that at no time would what regularly is passed off here as proof of a bad patent carry a whit of persuasive force. While I believe Daniel Ravicher takes a much too simplistic view of his patent invalidation initiative, I respect and give him credit for taking the time to do things the right way.

Mike Masnick (profile) says:

Re: Re: Re: Re:

Trying to have a discussion with you on a subject of mutual interest is well nigh impossible.

I have no problem having interesting discussions with others. Perhaps the problem is that you love to put on your pedantic “but only I am so wise to possibly understand these kinds of complex issues — and until you, too, have been a lawyer held in the sort of esteem as I once was, all your piddling comments are nothing more than dust in the wind that I and my knowledgeable cohorts from the defense industry spit at.”

Unfortunately, and frustratingly for those of us who have dealt with matters such as these, a factual record counts. Arm waving does not. If people want to call something bad, then at the very least they should present relevant evidence, and then proceed to show how that relevant evidence compels a conclusion of obviousness (and this is done by claim analysis). Over my career I have been required to stake out positions that patents are obvious, and for the most part have been able to do so. Why? Because I read the patents, read their file histories, researched the relevant technical areas to identify the general state of the art at the time the application was filed and specific instances appearing at the time the invention was first made of acts, publications, etc. that all bear on the legal test for obviousness.

You approach it like a lawyer. Because the system is broken. If you actually spent any time with actual developers — like I do — you’d understand why basically every software developer hates patents. They know that patents (1) do not do what they’re supposed to (i.e., disclose something new and non-obvious to those skilled in the art) and that (2) they almost always describe something that is quite obvious (and often done many times before).

So, yes, I speak to my audience from my knowledge and experience in the world of developers.

The problem, of course, is that you patent lawyers turned the patent system into something that only lawyers can play in — what with your “claim construction” “file histories” and blah blah blah. You’ve purposely set up the system so that obvious ideas can be patents, and where they provide no value to the world whatsoever.

And when people WITH ACTUAL KNOWLEDGE OF THE TECHNOLOGY tell you that they’re obvious because everyone already does this you suddenly freak out about your precious ability to bill, and you look down the bridge of your nose at THE PEOPLE WHO ACTUALLY KNOW THIS STUFF and start tsk tsking about how they need to follow your stupid process to say what is obvious: THIS IS OBVIOUS AND DONE A MILLION TIMES BEFORE.

Anonymous Coward says:

No, I am not at all saying I am wise, something that should long ago have been readily apparent. What I am saying is that one who exhibits intellectual laziness by stating conclusions without factual analysis is unwise. There is a significant difference. I am old enough to know that I do not know all the answers, and the older I get the more I realize just how little I really know. Hence, mine is a constant study of issues in pursuit of memory recollection, other perspectives, etc. Things I may have taken for granted many years ago are no longer so clear cut. Shades of gray overwhelmingly predominate.

I have spent more time with developers than I can possibly begin to recall, but it should be noted that my time spent with them in many instances related to taking ideas to products/services and company launch, including securing needed private investment, market introduction, etc., those very activities associated with the creation of new businesses. Our experience likely diverges in one respect. The startups I have helped come to life have not faced many of the mundane issues associated with startups of the type that arise from humble beginnings such as one’s garage or the like. The large majority of mine have begun from the transfer of sophisticated technical products and services (in some cases sunk costs amounting to hundreds of millions…which, BTW, imparts a tremendous competitive advantage, whether or not patents are a part of the deal) arising within the defense and aerospace industry into the commercial market. MMW systems used with helicopters were adapted to terrestrial and satellite civilian telecommunications. Image and signal processing systems were transformed into products for use by commercial broadcasters. Many of these products and systems were birthed by research programs under the auspices of the DOE, NASA, and the DOD, with DARPA being a major source for defining future technology needs.

As for your “when people with actual knowledge…” comment, your cocksureness belies a fundamental weakness in your argument, but most troubling of all your attitude. It has been my experience that many, perhaps even most, technologists do look at patents and exclaim “It’s obvious. How did this ever issue?” It is here that you seem inclined to stop any further inquiry and proclaim “bad patent”. Unlike you, however, I have sat down with technical subject matter experts (most of whom are among the very best…and recognized as such…in their technical fields) and discussed in detail what the described invention comprises, the claims, the cited prior art, any unknown art deemed particularly relevant by the technologist, and a host of other factors where the goal is to flesh out if the patent is likely valid or likely invalid. Quite surprisingly to almost all of them, they came to the eventual conclusion that their initial impressions were wrong. Of course, what this took was us rolling up our sleeves and actually developing facts necessary to arrive at an informed opinion. It is easy to spout initial impressions. It is quite another to dig into the subject matter to see if an initial impression is accurate.

Amazing just how often persons who are at the forefront of their fields, upon sitting down and actually studying materials to identify and understand relevant facts, do a complete 180. If it was necessary for them to do so in order to actually understand what was involved, then your imperious remarks about what you deem a stupid process rings hollow indeed.

Anonymous Coward says:

Re: Re:

No. What you are saying is that you have successfully hijacked an entire thread by filling it with stuff about YOU.

Start a personal blog for god’s sake.

That way, people who want to know about you can listen to you as much as they want to, somewhere else.

Unless of course, this is now your paying job.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...