When U.S. government officials discover a new vulnerability they can use to hack into people’s computers, they have a decision to make: Should they keep it to themselves? Or should they warn the world?
Exactly how they make that decision is a mystery.
Now, two top former White House cybersecurity officials are recommending in a report that the administration be more transparent about how it deals with those vulnerabilities when it discovers them or buys tools to exploit them from the private sector.
“The principles guiding these decisions, as well as a high-level map of the process that will be used to make such decisions, can and should be public,” wrote Ari Schwartz and Robert Knake in a new report for Harvard’s Belfer Center for Science and International Affairs.
Members of the Intelligence Community have an obvious incentive to hold on to undiscovered cyber flaws so they can keep using them to hack their targets. But failing to tell a company about a flaw in its product — so it can be fixed, puts users at risk from other hackers.
The White House’s continued refusal to explain how it balances the priorities of intelligence versus cybersecurity for Americans is leading to a lack of public trust, the authors suggest.