By Elliot Kelly
In early June of 2013, then National Security Agency (NSA) contractor Edward Snowden leaked millions of classified documents to news sources worldwide. These documents revealed the existence of NSA global surveillance programs. The public and media backlash was immediate, with many defending Snowden as a champion of civil liberties, while others criticized him for committing treason against the United States.
The long-term effects of the Snowden leaks have now become clear; these include international distrust of US companies and agencies, a loss in profit for US tech companies, and a decrease in public willingness to sacrifice privacy for safety. In 2014, former NSA general counsel Raj De stated that public distrust of the NSA caused by the leaks stymied cybersecurity legislation. The leaks also discredited the US internationally. Following the leaks, Brazil cancelled a state visit to the US and Ecuador renounced trade benefits with the US. One 2015 estimate found “that the US will lose between $25 billion to $35 billion in cloud computing based revenue due to Snowden’s leaks.”
Snowden’s revelations may have also changed US public opinion on data collection. One poll showed that the share of Americans unwilling to trade privacy for security increased by 14% from 2006 to 2014 (shortly after the leaks). Another poll from Pew found that “the share of Americans who disapproved of the government’s collection of telephone and internet data as part of anti-terrorism efforts increased from 47% in the days after the initial disclosure to 53% the following January.”
To limit negative repercussions from future leaks, the NSA should declassify some of their information assurance and signals intelligence processes. Shedding light on the Vulnerabilities Equities Process (VEP) might be their best bet.
The VEP is a process used by the intelligence and defense communities to determine whether to disclose software vulnerabilities to the affected vendor. The potential offensive benefit of a vulnerability is weighed against its potential for harm if exploited by a malicious actor. Former White House Cybersecurity Coordinator Michael Daniel wrote that these vulnerabilities are “an opportunity to collect crucial intelligence that could thwart a terrorist attack… or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.” Portions of the VEP were made public following the Heartbleed vulnerability in 2014. Despite this, far too much remains unknown.
The murkiest element of the VEP is its disclosure or retention decision criteria. In a 2014 blog post Daniel wrote that “there are no hard and fast rules” on disclosure or retention decisions. The criteria are top secret, meaning the NSA can change them without accountability. The NSA could begin to prioritize vulnerabilities that target US citizens’ private data without consequence or repercussions. Vulnerabilities are currently used for issues of critical national security; however, leaving the door open to a change in criteria means future vulnerabilities could be exploited for questionable purposes.
Additionally, the US government and the NSA stated that they have a strong bias towards disclosing vulnerabilities to vendors. They insist that they do not stockpile vulnerabilities, and they disclose significantly more vulnerabilities than they retain. Despite these assurances, no data has been released to determine their veracity. While individual VEP decisions should remain classified, there is nothing barring the NSA from releasing data on their retention and disclosure rates.
If the statements by the NSA and others surrounding the VEP’s decision criteria and tendency to disclose are true, there would be minimal fallout from declassifying the remaining portions of the VEP. One poll showed that a strong majority of Americans are in favor of government surveillance of national security threats, while another found that a majority of Americans are willing to give up some privacy for security and other benefits. These findings suggest that declassifying the VEP would increase transparency. The benefits might extend beyond the American public to allied domestic and international software manufacturers, as well as foreign governments.
Security, privacy, and transparency are not mutually exclusive. If the NSA’s statements regarding the VEP are true, it is a critical decision-making process that adequately weighs national security interests against the privacy of US entities. The NSA should continue to retain vulnerabilities critical to our national defense, but they must make efforts to build public and industry trust. Declassifying the remaining portions of the VEP charter and guaranteeing the criteria and a preference towards disclosure are important steps in regaining what was lost in 2013.
Elliot Kelly is a research assistant in the 2020-2021 Ethical Tech Research Assistant Cohort.