Two former Obama cyber-security officials say the federal government should be barred from paying for hacking techniques while agreeing to keep them secret, as the FBI did to crack the iPhone wielded by one of the shooters in the San Bernardino killings.
Ari Schwartz and Rob Knake, who in separate stints oversaw technology security issues at the National Security Council (NSC), said changes are needed in the White House process for determining whether software flaws discovered by government agencies should be disclosed, or kept secret so they might be used for offensive cyber operations.
Their recommendations came in a policy paper published on Friday by Harvard University's Belfer Center for Science and International Affairs. A spokesman for the White House's NSC had no immediate comment.
The issues center around what is known as the Vulnerability Equities Process, created in 2010 but made public and "reinvigorated" only in 2014 after news reports drew attention to a tilt toward keeping vulnerabilities secret so they might be used for attacks.
The process requires agencies to submit security flaws that they discover or buy to an inter-agency group that votes on whether they should be kept for secret hacking operations or disclosed to the software makers, which can update their wares.
White House cyber security coordinator Michael Daniel, in a blog post describing the factors that are considered, maintained that the current policy is biased toward disclosure. Much of the procedure remains classified as secret, including which agencies get a vote.
Schwartz and Knake, who oversaw the process under Daniel, said that a new executive order should make clear that it is mandatory for agencies to submit all the software flaws they want to use to the inter-agency group.
In the San Bernardino, California, case, officials said they paid less than $1 million to a third party for a tool to unlock the killer's Apple iPhone; because they did not know how the tool worked, they were able to circumvent the process.
The ex-officials also recommended that the Department of Homeland Security run the process, rather than the National Security Agency. They said much more should be disclosed about the process, such as how many software flaws are held back and for how long, and that Congress should get oversight of the program.
"It shouldn't be a policy that is created through a blog post," Schwartz told Reuters ahead of the paper's publication. "It should be very clear what the policy is, and it should be spelled out in an unclassified way."