- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
In observance of Thanksgiving, we will no be publishing Week in Review next week and will return December 1. Here is a quick round-up of this week’s technology headlines and related stories you may have missed:
To disclose or not to disclose? The White House unveiled the first charter for an updated Vulnerabilities Equities Process (VEP) this week. The VEP charter offers a detailed look at the process by which government agencies decide whether to disclose software flaws or retain them for intelligence gathering purposes or offensive operations. Prominently featured in the updated VEP: more transparency, interagency collaboration, and codified processes. According to the new guidelines, if an agency determines a vulnerability reaches the threshold for entry into the process, a board of representatives from relevant agencies (listed in the guidelines) convenes to discuss the vulnerability’s impact on intelligence collection, weigh its operational value, and votes on whether or not to disclose it to the public. If the VEP board decides to keep a vulnerability private, the decision must be reviewed every year.
VEP has long been criticized for favoring secrecy and allowing the NSA to hoard exploits. Despite some deficiencies, Robert Knake argues that the new guidelines are a general improvement from the Obama-era process. On the other hand, some are unsatisfied and have long maintained that the review process should be codified into law, while others argue that the process is only meant to satisfy the public without truly holding agencies accountable.
BUT CHINA! Even as the U.S. attempts to make the VEP more transparent, other countries have been less forthcoming with their disclosure process. A report from Recorded Future says that China’s National Vulnerability Database (CNNVD) holds back more disclosures than previously thought. Studying 300 cases of delayed disclosures, the researchers found that CNNVD is slow to report malware associated with Chinese APT groups. The most atypical delay (236 days) was for a pre-installed backdoor that sent user data back to China, likely for surveillance purposes. The researchers conclude that CNNVD is essential a shell for China's spy service, the Ministry of State Security (MSS), and willfully delays disclosures to aid MSS operations.
Déjà Vu. A team of researchers recently disclosed evidence that Russia attempted to influence the Brexit referendum last year. About 150,000 Russian Twitter accounts disseminated messages on social media urging the UK to leave the European Union in the days leading up to the vote, and more than 400 of these accounts are suspected to be directly linked to the Kremlin. The messages utilized racist and xenophobic content containing racial slurs, anti-Muslim rhetoric, and pictures of London Mayor Sadiq Khan. In addition, the United Kingdom's top cyber official announced this week that Russian hackers have launched attacks on Britain's energy, communication, and media industry networks in the past year. The disclosure earned Russia a sharp rebuke by Prime Minister Theresa May. “We know what you are doing,” she said. “And you will not succeed.”
I'm old enough to remember when the internet was becoming freer. Online freedom declined for the seventh consecutive year, according to a new Freedom House report on the state of internet freedom around the world. Behind this year's downbeat report are the usual cast of characters: China was found to be the world’s worst abuser of internet freedom, followed by Syria and Ethiopia. Other countries where the internet was determined to be “not free” include Russia, Saudi Arabia, and Venezuela. The United States was found to have the sixth freest internet but scored worse than last year. Reasons cited for the decline in the U.S.'s standing include an uptick in the harassment of journalists and the FCC’s intentions to roll back neutrality protections.