VEP Analysis Checklist
Columns: Scenario | Sven Text | Negative Results | Positive Results

Scenario: Government is restricted to using N-days and not 0-days.
Sven Text: This is good news for government agencies wishing to engage in hacking, as they do not necessarily need to acquire knowledge of 0-days - which is much harder and more costly; they can exploit widespread unfixed n-days.
Negative Results: Harder targets become impenetrable. HIDS/NIDS catch Government hackers, without the Govt knowing, much more often. Govt unable to scan their networks for 0days they know about and catch other Govts who do not have the same policy. This is essentially enshrining a difficult OPSEC decision into policy/law (i.e. for some targets you use 0day even when n-day is available because you do not want to get caught, or you want the extra reliability). Also, should patching get better, this policy leaves the Govt without any capabilities at all.
Positive Results: Users know 0days are not being used by their Govt. Increased trust between vendors and Govt. Also, not inconsequentially, more bugs will be fixed in theory, since any bug the Government finds itself will get fixed, although this policy will necessarily mean the Govt is left out of any coordinated use of 0day by NATO partners or with the 5EYES alliance, and of course, will not be buying bugs, leaving that market to other players. We may be able to parlay our good relations with vendors into NOBUS and reliable backdoors (or we may have legislative cover to REQUIRE such things...).

Scenario: Process cannot be changed in the face of obvious (in retrospect) downsides that affect national security.
Sven Text: Process Enshrined in Law (5-year sunset).
Negative Results: Either process is ignored by relevant parties if major difficulties with it are discovered, or process is followed (Germans are known to be strict about such things), but major national interest is sacrificed.
Positive Results: Process is known and immutable. This builds trust in various communities.

Scenario: Extremely valuable vulnerability is used against a high-importance national target, but if patched it will shut down a valuable intelligence source as well as potentially alerting the target that they were being monitored (since they do full historical traffic collection).
Sven Text: Vulnerabilities are never permanently retained. Their disclosure is merely delayed. Therefore they are temporarily retained by the government and must ultimately be disclosed through close coordination with the "maintainer".
Negative Results: Loss of the target; also compromises other human intelligence and signal intelligence operations on that target. OPSEC requirements in the future may need to be to avoid any target that does full-take historical collection. Likewise, provides an extremely high-fidelity signal on what sorts of vulns we can find and exploit to all adversaries, so they can tune their detection, protection, and offensive operations around us. Likewise, are we clearing every software vendor in the world to receive this information, or are we somehow laundering it through a process to make it seem it is not from our SIGINT team?
Positive Results: Keeps us in the bug-buying and finding world, but also keeps the trust of the software vendors and internet ecosystem. There may be bugs we know about that our adversaries also know about and use, and we may get those bugs patched (aka the bug collision problem).

Scenario: We find what we think is a Govt-sponsored backdoor in Huawei routers, but it is essentially a 0day...
Sven Text: There should be a strong presumption that disclosure of vulnerabilities is in the best interest of commerce, civil liberties, public safety, and IT security.
Negative Results: Huawei (and Chinese Govt) know exactly which of their backdoors we have found, and which we have not. This has various implications but is overall hugely bad.
Positive Results: Huawei has a not-insignificant place in our infrastructure, which is now protected against the backdoors we know about.

Scenario: We find out that we urgently need an exploit for FooBarRouter, because it is installed on an Al Qaeda network, but we have already sent all our FooBarRouter bugs to the maintainer.
Sven Text: A government that wants to retain vulnerabilities must demonstrate a critical need that outweighs the security benefits of disclosure to the "maintainer," and a plan to minimize harm, including adequate protections to ensure a secure retention of vulnerabilities by properly protecting them from any unauthorized access during the period prior to disclosure. The protections should include a mechanism to accelerate disclosure in light of an event indicating that the existence of the vulnerability is known to others.
Negative Results: We cannot predict our future technical needs, which means we need to maintain a large stockpile anticipating at least SOME coverage on future targets. Not having that stockpile means we are starting from scratch on emerging targets, which often means NOT getting those targets, which has severe national security implications. Likewise, what does it mean when you've given up capability, and a maintainer decides not to act on that knowledge?
Positive Results: At least FooBarRouter is more secure! :)

Scenario: China and Russia ignore the international norm in creating a VEP, and our VEP becomes more stringent than the US VEP (let alone the UK VEP).
Sven Text: Governments that have implemented such a process should work towards promoting it as an international norm through relevant international coordination mechanisms and cooperation networks.
Negative Results: In addition to not disclosing their vulnerabilities and capabilities, China hacks (or uses HUMINT against) various software vendors to gain intelligence on our own capabilities, and achieves a lasting advantage over us in the cyber domain. There's a sort of weird optimism on the European front that they can drag the US in the direction of cyber regulations when this is clearly not the case.
Positive Results: Microsoft and other vendors treat us as a "Most Favored Nation"!

Scenario: We urgently need a vulnerability that we know a bug-vendor has, but they will not sell it to us without a strict NDA.
Sven Text: Therefore, vulnerabilities must not be subject to NDAs. This includes government procurement of hacking tools and services which leverage those vulnerabilities. This might give governments which enter into NDAs an edge over those who do not, because companies would rather sell to the former, but monopsony conditions might however still allow governments that reject NDAs on principle to acquire vulnerabilities from third parties, and possibly at a higher price. In order to increase the pressure on vendors to abandon the requirement of NDAs, like-minded states could be convinced to reject NDAs as well.
Negative Results: The negative ramifications are that you are essentially left out of the bug-buying market, since no vendor worth their salt will agree to sell to you without an NDA.
Positive Results: If they are domestic, we can make it illegal to sell to someone else, assuming we can catch them doing so (which seems unlikely?). If not domestic, we essentially need an international treaty (WA?) to make transmitting exploit information illegal across state lines, although this may contravene other "rights" (aka 1st Amendment), etc. and be impractical. The positive spin is that all bugs go through the same equities process, at least.

Scenario: We get five thousand bugs a year. (The scalability question)
Sven Text: Text about the complex inter-agency workflow starts on page 16, and is lengthy.
Negative Results: No scalability is possible with this structure, so we end up making bad decisions. Even beginning this process is cost prohibitive.
Positive Results: On a positive note, we train up thousands of engineers on how to look at vulnerabilities for equities issues. And we have a huge database of vulnerabilities which we can do science on.

Scenario: All our bugs are hacked and leaked to the public on Christmas Day.
Sven Text: (No stockpiles allowed typically, but in theory this could still happen - and the text would assume this means instant release to maintainers as we help do damage control.)
Negative Results: Text assumes we have done pretty much everything we can to both prevent and predict this kind of scenario (the SHADOWBROKERS EVENT). Bad things may happen, but they are "not our fault" (TM).
Positive Results: We should have substantial political credit built up to help ward off any blowback from this kind of event. Likewise, we've minimized our (and industry's) exposure through our VEP process.

Scenario: Patching one of the bugs through our VEP kills one of France's bugs, which was in a nearby (although not the same) codebase, and they were actively using it as part of an important anti-terrorism effort.
Positive Results: France may decide to sign onto an EU-wide VEP, although that implies an EU-wide defense strategy as well, which may or may not be realistic.

Scenario: Patching a bug allows one of our targets to attribute a sensitive effort to us, instead of to whom we had false-flagged it as.
Positive Results: Acting in cyberspace as if every effort you will do will end up on the front page of the NYT is a good way to live.

Scenario: Patching a bug allows a target to detect our implant system.
Negative Results: We lose millions of dollars and have to rebuild from scratch.
Positive Results: We are forced to operate with extremely tight opsec. Bugs get detected all the time anyway, and we are implicitly adjusting for that.

Scenario: Strong VEP means people who want to work in finding 0day and don't share our "patch things" values may choose to emigrate...
Negative Results: This is arguably happening to Germany already. :) I mean, to be fair, my personal interests as an American are to encourage an extreme VEP in Germany, in many respects.
Positive Results: "Good riddance?"