Mapping a Plan to Improve Hardware Component Vulnerability Disclosure

Ari Schwartz & John Banghart

Not long after we arrived at the National Security Council, we were confronted by what seemed at best a major coordination headache and at worst a national security disaster. A new vulnerability in the OpenSSL cryptography library had been disclosed. At the time, OpenSSL was being used by approximately 80% of all websites across the global Internet, and it was one of the pillars on which Internet security and privacy stood. The seriousness of this vulnerability, called Heartbleed, was a product not only of OpenSSL's pervasiveness but of the fact that the flaw, a missing bounds check in OpenSSL's TLS heartbeat extension, had been present in shipped releases for roughly two years before its discovery and allowed an unauthenticated remote party to read server memory, exposing usernames, passwords, session cookies, and even private keys.

While a patch to fix the problem had already been written by Google engineers, it still needed to be deployed on nearly every Web server globally. Focusing initially on the federal government, we had to coordinate, with the help of the leadership of the Department of Homeland Security and the Department of Defense, every single agency, regardless of size. To make sure the seriousness of the issue was clearly understood, Chief of Staff Denis McDonough personally called the Secretaries of Departments and Agencies to explain how concerning the situation was. Each was informed that the White House was requiring daily progress updates on the patching status of their systems.

Thanks to the work of a lot of dedicated, hardworking government employees, we were able to get patching done at amazing speed. In the aftermath of Heartbleed, we made sure the lessons we learned about what went right, and what went wrong, were reported to the cybersecurity leadership at every agency and at the White House. Major changes were quickly approved and implemented to ensure that when the next systemic vulnerability was found in Internet infrastructure code, we could respond much more quickly.

Building on our extensive expertise, the Center for Cybersecurity Policy and Law announced last month an effort to examine coordinated vulnerability disclosure policies and practices relative to hardware.

We believe this work is important as we reflect on recent experiences with hardware vulnerabilities. These experiences provide an opportunity to advance disclosure policy and practice and provide insight into options for future improvements.

While we are at the initial stages of the project, a few key areas and themes have emerged from our research. First, industry-vetted processes, policies and practices were developed with a greater focus on software than on hardware. While unintentional, the specifics of those policies and practices don't always translate to complex hardware situations. Second, hardware component vendors often have only indirect patching ability, which requires other industry players to be deeply involved in the patching process: a fix for a processor flaw, for example, typically reaches end users only as a microcode update carried in a system maker's firmware update or in an operating-system vendor's package, so the component vendor cannot patch the installed base on its own. Certainly more can be done to better coordinate the partners in these multiparty cases, but this dependency does call into question the standard 45 to 90 day disclosure timeframes that were developed for software. A hardware-component-specific process could create a better structure to hold all of the parties responsible for patching systems as quickly as possible, with timeframes that match the coordination challenge, while providing credit to the researchers who found the flaw.

We are proceeding with the project in three phases. The first phase is a detailed comparative analysis of existing policies and practices and of the differences between hardware and software. In the second phase we plan to survey the partners involved in the patching process to understand the views of the different industry segments that depend on hardware components. In the third phase we will offer recommendations. This is by no means an easy project. It means bringing together the researchers who find vulnerabilities and key stakeholders from each of the groups involved in the patching and disclosure processes during each of these phases. It also means talking to consumer groups, academics, and those who have helped design and run software and hardware patching and disclosure processes in the past.

We must all confront the reality that we have not seen the last major hardware component vulnerability. With every challenge comes opportunity, and we are excited about the impact this project can have on the future. We look forward to working with old and new colleagues and friends to make it a meaningful product.

If you would like to talk to us about the project, please contact us and we will set up a time to talk or otherwise invite you to one of the meetings that we plan to hold.

Ari Schwartz is Coordinator of the Center for Cybersecurity Policy and Law and Managing Director for Cybersecurity Services at Venable. Prior to joining Venable, Ari was a member of the White House National Security Council, where he served as Special Assistant to the President and Senior Director for Cybersecurity.
John Banghart is Venable's Senior Director for Technology Risk Management. Prior to joining Venable, John was the Senior Director for Trusted Engineering at Microsoft. From 2013 to 2015, John played a key role in developing the Obama Administration's cybersecurity and technology policy as the National Security Council's Director for Federal Cybersecurity. He also spent several years at the National Institute of Standards and Technology (NIST).