Saturday, April 10, 2021

Public Comments on CISA Vulnerability Discovery ICR Revision – 4-10-21

Last month DHS published [Link added 4-10-21 1422 EDT] a 60-day information collection request (ICR) notice to support the expansion of their Vulnerability Discovery program (VDP) to other agencies in the federal government. This post is (maybe?) part of a series of posts that looks at public comments submitted in response to that ICR. The end of the comment period is May 18th, 2021.

To date there are two public responses to that ICR notice. One, of course, is from my blog post [.PDF download link], the other is from Andrew Hunt. Along with a brief comment, Hunt provides a marked-up copy [.PDF download link] of the 60-day ICR notice, clarifying the changes that he suggests.

Hunt suggests:

“Overall, shift language from 'all agencies with their web forms' to 'DHS CISA centralized reporting'. They have the expertise to collect this sensitive information, secure it appropriately, disseminate appropriately, and engage agencies to remediate their exposures. Review 'lawful method to practice...discover new vulnerabilities' language if that is not intended to provide safe harbor protections to hackers. Remove references to 'Solarwinds Hack' and replace with codenames (e.g. SunBurst, SunShuttle) or descriptions to reduce liability of brand damage to the Solarwinds company as it is trying to recover from this truly terrible attack. Reword the definition of a 'vulnerability' as more to do with redirection of expected execution and behavior rather than controls bypass. A vulnerability can exist without a defined/intended control.”

He makes the following additional points in the marked-up document:

• Controls are not always defined before being vulnerable. A better definition: ‘coerces hardware/software to execute or behave in unintended ways from the design’.

• “… lawful method to practice and discover new cyber methods to discover the vulnerabilities….” CLARIFY: this sounds like a safe-harbor statement for hackers.

• If you do not guarantee confidentiality, then no one will play with you. Exempt this from FOIA.

• Use one site, done right, secured, and managed by those with the experience to do so. Remediation of vulnerabilities is notified, then managed by CISA. Agencies follow CISA direction to properly mitigate the vulnerability.

Commentary

While Hunt’s comments are brief, he brings up some interesting points. First, his suggestion that DHS run a centralized VDP meshes well with my observations about the requirements of 44 USC 3509. The more interesting point, however, is his take on the definition of ‘security vulnerabilities’ used in the ICR notice. That definition comes from 6 USC 1501(17) and it reads:

“The term "security vulnerability" means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.”

Hunt makes the point that: “Controls are not always defined before being vulnerable. A better definition: ‘coerces hardware/software to execute or behave in unintended ways from the design’.” Playing with Hunt’s comments just a bit, I would like to offer this formal version of Hunt’s suggestion:

“The term “security vulnerability” means any attribute of hardware, software, process or procedure that would allow or cause that hardware, software, process or procedure to execute or perform in an unintended way from the design.”

Unfortunately, an ICR is not the appropriate vehicle for changing a regulatory definition. DHS is not, however, required to utilize the definition from §1501 in this ICR. They could instead use my formal definition above, substituting “Security vulnerabilities may be defined as” for the first five words of the revised definition.

His comment about removing the SolarWinds name from discussion in the ‘Supplementary Information’ portion of the Notice brings up an interesting point. While I personally do not care much about wounded corporate egos, DHS is not responding to the vulnerabilities in the SolarWinds products (that is the sole responsibility of the company); they are responding to the effects of the attacks wrought by SunBurst, SunShuttle, etc. Thus, naming them rather than SolarWinds is probably more appropriate.

Finally, I am not sure that I agree with his FOIA comment. Researchers have no need to ‘protect’ their discovery of vulnerabilities. Vendor and agency developers might, but their response is not the subject of the ICR. There would certainly be some justification for restricting access to the vulnerability information pending mitigation actions. Reported vulnerabilities should probably be protected as sensitive but unclassified information pending mitigation development.
