When do Canadian spies disclose the software flaws they find? There's a policy, but few details

When a crippling ransomware attack wreaked havoc on computers around the world earlier this year, it did so with alarming, worm-like speed. It didn't take long for security researchers to find out why. The highly sophisticated code that was used to sneak silently into computers, largely undetected, had been stolen from the NSA.

The incident thrust a long-simmering debate about the disclosure of previously undiscovered software flaws into the spotlight: how should government agencies decide which vulnerabilities to report, and which ones to keep secret for future use?

In the U.S., the policy governing this careful weighing of stakes is known as the Vulnerabilities Equities Process, or VEP.

In Canada, spies have for the first time acknowledged that a similar process exists here, too.

"CSE (Canada's electronic spy service) has a rigorous process in place to review and assess software vulnerabilities," wrote Communications Security Establishment spokesperson Ryan Foreman in an email, in response to a list of questions about the handling of zero-day vulnerabilities sent by CBC News. "This longstanding assessment process is carried out by a panel of experts from across CSE."

According to Foreman, the panel meets "regularly," though he declined to say how often, nor how many times they have met in recent years. CSE's policy is not public, and the agency declined to even give the policy's formal name, citing "operational specifics."

"We would want the policy itself to be public and scrutinizable," says Brenda McPhail, privacy director for the Canadian Civil Liberties Association (CCLA).

A copy of the U.S. government's own vulnerability handling policy was only obtained through a Freedom of Information Act lawsuit filed by the digital rights group Electronic Frontier Foundation in 2014, after the NSA declined to publicly release its policy.

The risk of 'stockpiling'

In the U.S., the VEP was created to help different government agencies weigh the risk of keeping newly discovered software vulnerabilities secret, so that they can be exploited by law enforcement or intelligence agencies to gather intelligence from computers and phones without detection.

So-called zero-day vulnerabilities are considered especially serious because no patches have been developed to fix them, and software developers be it Microsoft, Apple, Google, or others don't know the flaws exist.

As a result, some are worried that keeping the discovery of zero-day vulnerabilities secret unnecessarily puts users around the world at risk especially if knowledge of the vulnerability is obtained or discovered by someone else first.

That concern was realized in May when previously undisclosed software vulnerabilities discovered by the NSA were stolen, and later used to infect computers with a particularly nasty strain of ransomware called WannaCry.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," wrote Brad Smith, Microsoft's president and chief legal officer, in a blog post following the incident. "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."

Zero-day vulnerabilities used by the CIA have also been published online by WikiLeaks in recent months.

In the interest of greater transparency, U.S. senators drafted new legislation last month that would require government agencies to prepare an annual report detailing the number of vulnerabilities that have been reviewed and ultimately disclosed under the VEP. They would also have to describe the nature and severity of each flaw found.

Reviewing the review process

Foreman, CSE's spokesperson, said any decisions made by CSE's panel of experts are made "in the best interests of Canada's security, which includes protecting Canada's critical information systems and networks, and protecting Canadians from foreign threats at home and abroad."

But some are skeptical that intelligence agencies such as the NSA and CSE which contain both offensive and defensive units that sometimes have opposing goals are in a position to make that call.

"You'll have the defensive people at the table, and you'll have the offensive people at the table, and you'll have the foreign intelligence people at the table," said Christopher Parsons, a research associate at the University of Toronto'sCitizen Lab. "And they do not necessarily share the same agenda."

Experts say they would like to know the criteria that CSE's panel uses to evaluate the severity of vulnerabilities and its decision to report them to technology companies, as well as reporting similar to what senators are pushing for in the U.S.

Both Parsons and McPhail suggest this may be an area worthy of further study by CSE's current review body, or even the Intelligence Commissioner proposed in the recently introduced national security legislation Bill C-59.

"We think of our national security agencies as people whose jobs is to keep us safe," said McPhail. "And I think it's problematic when people whosejob it is to keep us safe are able to make decisions to deliberately reduce our safety online for their own advantage."