The little known corollary to General (now Secretary) Mattis’s comment on war is that your supply chain also gets a vote. People look at the ShadowBrokers to Wannacry-worm unofficial "technology transfer program" and think it is the Vulnerability Equities worst case scenario. But it’s really not.
The worst case scenario is that an exploit leaks that is composed of GCHQ parts, with some NSA add-ons, some CIA add-ons, and a piece that you bought from a third party vendor under a special license. I'm not going to get into the fact that exploits DO get caught sometimes, and probably more often now that breach detection software is getting popular. But let's just look at the proposed PATCH law and other proposals from the simplest angle.
Most of the proposals for how to re-organize the VEP assume you can browbeat your third-party vendors (and GCHQ, GCSB, etc.!) into accepting that, on your whim, you can send their vulnerabilities to a vendor for patching. This is simply not true - any more than the idea that you could GPL the Windows source code if you felt like it.
The thing is this: The exploit vendors also get a vote on these matters. And if you kill their bugs or exploit techniques or simply have bad OPSEC and get caught a lot they tend to vote by simply not selling you the good vulnerabilities. I cannot overstate how much we need our foreign second party partners in this space, and even more than that, how much we need our supply chain. Not only is the signals intelligence enabled through active network attack inescapably necessary for the safety of the country, but we are trying to build up CyberCom, enable Law Enforcement, and recover from the leaks and damage Snowden did.
In simple terms, yes, exploits save lives. They are not weapons, but they can be powerful tools. I have, and I cannot be more literal than this, seen it with my own eyes. You don't have to believe me.
Ironically, in order to determine which vulnerabilities present the most risk to us and just in general combat threats in cyberspace, we will probably have to hack into foreign services, which is going to require that we have even more capability in this space.
To sum up:
- If you enforce sending vulnerabilities which are not public to vendors via a law, we will lose our best people from the NSA, and they will go work for private industry.
- If we cannot protect our second party partners' technology, they will stop giving it to us.
- If we give bought bugs to vendors, they will stop selling them to us. Not just that one exploit vendor. Once the USG has a reputation for operating in this way, word will get out and the entire pipeline will dry up causing massive harm to our operational capability.
- We need that technology because we do need to recover our capability in this space for strategic reasons.
But there are better ideas than VEP available. One idea is simply to fund a bug bounty out of the Commerce Department for things we find strategic (i.e. not just for vulnerabilities which is something Microsoft and Apple should fund, but explicitly for exploits and toolkits other countries are using against us).
Likewise, the IC can be more open about what exploits we know get caught, and having custom-built mitigation expertise available ahead of time for corporations can limit the damage of a leak or an exploit getting caught, at the cost of attribution. This may include writing and distributing third party patches, IDS signatures, and implant removal tools.
And having sensors on as many networks as possible can help discover which of your vulnerabilities have been caught or stolen.
One interesting possibility if we close off our exploit pipeline is that we will instead be forced into wholesale outsourcing of operations themselves - something I think we should be careful about. Finally, before we codify the VEP into any sort of law, we should look for similar efforts from Russia and China to materialize out of the norms process, something we have not seen even a glimmer of yet.
Layercake "Golden Rules" quotes for those without YouTube. :)
o Always work in a small team
o Keep a very low profile
o Only deal with people who come recommended
o Never be too greedy