
Experts ding DHS vulnerability sharing plan as too limited

The Department of Homeland Security's plan to selectively share information on zero-day vulnerabilities is too restrictive and should be opened up to more companies, experts say.

DHS Secretary Janet Napolitano told Reuters this week that the agency would discreetly share classified information on software vulnerabilities that are unknown to the application developer.

The National Security Agency and other intelligence agencies buy the exploits for such flaws from bug hunters and resellers, so they can be used in cyberespionage missions.

The exploit signatures, called "indicators," would be shared with security service providers that have government clearance. These companies would provide a service for detecting and blocking the exploit-carrying malware from the networks of companies that have been designated as critical infrastructure, such as utilities, financial institutions and defense manufacturers.

"At no time do those indicators ever leave that entrusted environment within the commercial service provider," said Jeff Jacoby, director of information systems, operations and services at Raytheon. The defense contractor has agreed to provide what the government calls its Enhanced Cybersecurity Services. Other initial providers include AT&T and Northrop Grumman.

In general, any government effort to share cyberattack information is welcomed by security experts. On the flip side, efforts to limit the data flow are frowned upon.

"While it is understandable that the government is starting slowly, I would like to see much broader sharing of information," said Wolfgang Kandek, chief technology officer for vulnerability management company Qualys. "From an offensive point of view, it is certainly valuable to maintain a certain number of exploits in private, but for defense the best option is to share the vulnerability information with the software vendor as quickly as possible."


Andrew Braunberg, research director for NSS Labs, which performs security analysis on software, said the government wants to share data while also keeping the zero-day bugs useful for its own purposes.

"Most obviously, the U.S. government wants it both ways," he said. "They don't really want these vulnerabilities to disappear because they want to use them offensively, but they don't want the same vulnerabilities to allow hacking of U.S. assets."

By not being universally available, the DHS plan could miss smaller businesses that hackers could use as an entry point to the networks of critical infrastructure companies they sell products or services to, some experts said. A recent report from Symantec found that the percentage of attacks targeted at companies with 250 employees or less almost doubled from 2011 to 2012.

"We may be addressing the big, defense-related organizations, but they're a fraction of the industry that would be left in the dark," said Rich Barger, chief intelligence officer for Cyber Squared, which specializes in protecting data in cyberattacks.

Jacoby said companies of any size could take advantage of the service, provided they are categorized as critical infrastructure. Pricing is left up to the provider.

While important to defend against, zero-day vulnerabilities are a small portion of the exploits used in attacking the computer systems of companies. Most break-ins occur with the hacker using known vulnerabilities in software that hasn't been patched.

"There has to be a much more holistic approach," Barger said. "The problem is bigger than just zero-day."

The DHS plan stems from an executive order issued by President Barack Obama in February. The order required government agencies to put systems in place for sharing cyberattack information with private industry.
