Experts ding DHS vulnerability sharing plan as too limited

Without universally availability, plan could miss smaller businesses hackers could use as an entry point to critical infrastructure companies


The Department of Homeland Security's plan to selectively share information on zero-day vulnerabilities is too restrictive and should be opened up to more companies, experts say.

DHS Secretary Janet Napolitano told Reuters this week that the agency would discreetly share classified information on software vulnerabilities that are unknown to the application developer.

The National Security Agency and other intelligence agencies buy the exploits for such flaws from bug hunters and resellers, so they can be used in cyberespionage missions.

The exploit signatures, called "indicators," would be shared with security service providers that have government clearance. These companies would provide a service for detecting and blocking the exploit-carrying malware from the networks of companies that have been designated as critical infrastructure, such as utilities, financial institutions and defense manufacturers.

"At no time do those indicators ever leave that entrusted environment within the commercial service provider," said Jeff Jacoby, director of information systems, operations and services at Raytheon. The defense contractor has agreed to provide what the government calls its Enhanced Cybersecurity Services. Other initial providers include AT&T, and Northrop Grumman.

In general, any government effort to share cyberattack information is welcomed by security experts. On the flipside, efforts to limit the data flow is frowned upon.

"While it is understandable that the government is starting slowly, I would like to see much broader sharing of information," said Wolfgang Kandek, chief technology officer for vulnerability management company Qualys. "From an offensive point of view, it is certainly valuable to maintain a certain number of exploits in private, but for defense the best option is to share the vulnerability information with the software vendor as quickly as possible."

[Also see: Researchers develop industrial systems that watch for breaches]

Andrew Braunberg, research director for NSS Labs, which performs security analysis on software, said the government wants to share data while also keep the zero-day bugs useful for its own purposes.

"Most obviously, the U.S. government wants it both ways," he said. "They don't really want these vulnerabilities to disappear because they want to use them offensively, but they don't want the same vulnerabilities to allow hacking of U.S. assets."

By not being universally available, the DHS plan could miss smaller businesses that hackers could use as an entry point to the networks of critical infrastructure companies they sell products or services to, some experts said. A recent report from Symantec found that the percentage of attacks targeted at companies with 250 employees or less almost doubled from 2011 to 2012.

"We may be addressing the big, defense-related organizations, but they're a fraction of the industry that would be left in the dark," said Rich Barger, chief intelligence officer for Cyber Squared, which specializes in protecting data in cyberattacks. 

Jacoby said companies of any size could take advantage of the service, provided they are categorized as critical infrastructure. Pricing is left up to the provider.

While important to defend against, zero-day vulnerabilities are a small portion the exploits used in attacking the computer systems of companies. Most break-ins occur with the hacker using known vulnerabilities in software that hasn't been patched.

"There has to be a much more holistic approach," Barger said. "The problem is bigger than just zero-day."

The DHS plan stems from an executive order issued by President Barack Obama in February. The order required government agencies to put systems in place for sharing cyberattack information with private industry.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)