Thursday, May 25, 2017

The PATCH Act

The PATCH Act is well meaning, but it handles strategic security issues at the wrong scope and without the information needed to solidify the US Government's response to any longer-term systemic risks.

Specifically, we know the following things:
  • Patched vulnerabilities can still result in massive security events (such as WannaCry)
  • Vulnerabilities we know about are sometimes, but not often, found out by our adversaries (RAND paper)
  • Exploits DO sometimes get caught (usually one at a time)
  • Exploits lately have been leaking (wholesale)
  • Understanding the risks or technical details of any one vulnerability is a massive undertaking
  • Exploits are composed of multiple vulnerabilities, each with their own complex story and background
  • Other governments are unlikely to give vulnerabilities to US companies through any similar system

We also know what we don’t know:
  • We don’t know which vulnerabilities we will need in the future
  • We don’t know what vulnerabilities our adversaries will find and use in the future
  • We often don’t know what mitigations will and won’t work in the real world (you would THINK patching would work, but WannaCry exists!)
  • We don't know how our supply chain will react to us giving vulnerabilities to vendors

The PATCH Act defines vulnerabilities quite broadly for this reason: we don’t know what types of things will have an impact, and which we will need to react to, in the future. But this is also a sign that we are not ready for a legislative solution.

Imagine setting up the exact system described in the Act but only for Internet Explorer vulnerabilities. As you run this imaginary system through its paces, you immediately discover how hard it is to get any value out of it. That’s not a good sign for a new law. Proponents of the PATCH Act say it is a "light touch," but anything that handles every vulnerability the United States government uses, from every possible dimension, is by definition a giant process. And, in this case, one we don't know will be effective.

Another question is how we build a defensive whole-of-government framework - for example, should the head of the GSA be read in on our vulnerability knowledge (in aggregate, if not of individual vulnerabilities) so they can guide future purchasing decisions?

In order for our IC to continue in the field of computer exploitation, we will have to get some hold on wholesale leakers of our most sensitive technology. This does not mean “tracking down leakers” but building systems and processes resistant to leaking. It is about information segmentation and taking operators out of the system as much as possible.

This is true in all intelligence fields and may require re-engineering many of our internal processes. But assuming we can do that, and that efforts are already underway to do so, we still have to handle the facts that exploits get caught occasionally, that other people find and use exploits, and that even after a patch we have complex strategic issues to deal with.


In that sense, having a vendor produce and distribute a patch is only part of the complete breakfast of meeting our strategic security needs. It is less about “defense vs. offense” and more about handling the complex situations that occur when using this kind of technology. We would be wise to build an emerging strategy around that understanding before any legislation like the PATCH Act forces us down a path.
