White House Says It Can Withhold Vulnerabilities If It Will Help Them Catch 'Intellectual Property Thieves'
from the say-what-now? dept
We've been among those critical of the White House for the administration's dangerous policy of not revealing security vulnerabilities it discovers, as it seeks to exploit them. In trying to respond to some of the criticism about this policy, the White House has put out a blog post by White House Cybersecurity Coordinator Michael Daniel, in which he explains how the intelligence community determines whether to disclose a vulnerability... or hoard it for its own use. He lists out three potential reasons for not disclosing:Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.As Marcy Wheeler points out, withholding the release of such vulnerabilities for terrorism purposes is not new or surprising. Ditto for so-called cybersecurity (protecting against "hackers or other adversaries" looking to "exploit our networks") What's a bit of a surprise is the new inclusion of "intellectual property theft." However, the NSA, DHS and various supporters have long used claims of China "stealing intellectual property" as an excuse to try to ratchet up surveillance powers. Rep. Mike Rogers, author of CISPA, used the "scary Chinese stealing our IP!" FUD card to push CISPA a few years ago. And former cybesecurity czar Richard Clarke has argued that China stealing intellectual property is a good reason for DHS to be able to spy on all internet traffic.
So, the fact that this argument is used as a sort of "cybersecurity" claim perhaps isn't that surprising. However, it still seems like a massive logical leap to go from "well we need to protect corporate intelletual property from the Chinese" to arguing that's a good reason for withholding the disclosure of key technical vulnerabilities that might put everyone at risk. Does anyone honestly believe that the US government should withhold details of a major technical vulnerability... just so it can catch some IP infringers?
And of course, by broadly allowing the NSA and others to fail to patch vulnerabilities, because they want to "prevent intellectual property theft," it's just opening up the whole system to be abused even more widely than before. Sure, they may mean "stopping Chinese hackers from swiping plans for a new fighter jet," but vaguely denoting that it can withhold info on zero day vulnerabilities because of "pirates" seems wide open to abuse -- especially given the way many in law enforcement and the administration seem to want to equate every day file sharers with "internet terrorists" or whatever.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, disclosure, intellectual property, michael daniel, nsa, surveillance, vulnerabilities, white house
Reader Comments
Subscribe: RSS
View by: Time | Thread
Open source. May not be immune to issues but at least you can check the code and at least reveal the vulnerabilities to the world regardless of what some NSA moron says.
As for the IP trope I don't think they should be worried about foreigners "stealing" their IP. They are doing their best at killing it before it's even born with the insanity that IP laws are nowadays.
[ link to this | view in thread ]
[ link to this | view in thread ]
They seem to have stopped using any intelligence more than a decade ago.
[ link to this | view in thread ]
We have to keep the internet open to IP theft to save it from IP theft!
[ link to this | view in thread ]
In short...
[ link to this | view in thread ]
[ link to this | view in thread ]
"our nation's"
"other adversaries"
"our networks"
Patriotism is the last refuge of a scoundrel.
[ link to this | view in thread ]
[ link to this | view in thread ]
What is going through the govt's head
[ link to this | view in thread ]
Re:
I listened back and forth to talk radio as every yakker just bent over and spread their asscheeks for Uncle Sam under Dubya... and now people seem to be doing it for Obamy now.
According to the law, we are all already terrorists...
[ link to this | view in thread ]
What!!!!!
Most people do not actually care that China is gaining access to American secrets, as long as they don't touch Americans data like the American congress allows and protects. They then supply all Americans with advanced devices that they sell rather cheaply and yes their build quality if improving tremedously
[ link to this | view in thread ]
[ link to this | view in thread ]
Definitions
[ link to this | view in thread ]
Clever redefinitions
Step 1. Redefine copyright infringement as "intellectual property theft."
Step 2. Redefine "misappropriation of trade secrets" as "intellectual property theft."
Result:
1. what should read: "to stop the misappropriation of trade secrets by foreign black-hat hackers cracking into our computers"
2. becomes: "to stop the theft of our nation's intellectual property"
3. the latter includes copyright infringement!!! Yea!
Skip ahead to 2012: These new definitions allow the United States Government to use undisclosed exploits to hack into Kim Dotcom's computers to bring him down under dubious interpretations of US copyright law!! Yippie!! Plan worked. Lets keep it going!
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: In short...
OATHBREAKERS!
And the problem is it is now trickling down from the top of the executive branch. Even if no one would acknowledge it they (I believe) conciously or unconciously take their ques from The Oathbreaker In Chief, even if they disagree with the policies and decisions that are implimented.
[ link to this | view in thread ]
Re: Re: In short...
American citizens are the cheese, without the protection of a mouse trap or the cat.
[ link to this | view in thread ]
Correctional Corporation of America
How much did the private prison industry contribute to the Obama campaign?
[ link to this | view in thread ]
Re: Re: Re: In short...
[ link to this | view in thread ]
If we don't do something soon, then we've lost this country to tyranny.
[ link to this | view in thread ]
Wow, such gonads
I'm guessing they will realize this when they start seeing the revolution happening outside their office windows, and realize that they might be a tad late to fix the problem.
[ link to this | view in thread ]
Twisted logic
[ link to this | view in thread ]
I mean I guess that is a step to real transparency.
[ link to this | view in thread ]
Counterproductive?
If NSA or other government agencies are aware of a vulnerability, so are numerous hackers, particularly those working for foreign governments. Those hackers can then use those vulnerabilities to break into secure systems to acquire high value IP. These agencies could prevent many instances of IP theft (theft meaning the initial illegal acquisition of privileged or non-public IP) by simply revealing knowledge of these vulnerabilities, allowing companies to patch their systems. Not to mention this would help protect against numerous other potentially costly attacks against US companies and infrastructure.
[ link to this | view in thread ]
Hence we now have weapons that aren't physical but ones that corporations can really rake in the dough on as it is a result of labor with no manufacturing costs and very little distribution costs.
It seems in the process of arming up, our government doesn't care about it's economy, nor the citizens that are paying the tab. None of this is good news.
It has created an atmosphere of large distrust by these and other actions against it by the very citizens it depends on to support and finance these operations.
The push back has started. Many are now having to defend these actions that once they never had to udder a word in public about. As the time passes, the pressure becomes ever greater to terminate these insane schemes.
[ link to this | view in thread ]
Whose intellectual property again?
No. It is most emphatically not "our nation's intellectual property." It belongs to Disney, Universal, Fox, etc. etc. Multinationals all of them, with no real allegiance to "our nation."
What rot.
[ link to this | view in thread ]
Vulnerabilities for IP theft?
Oh, you mean the other IP? Aren't patents posted online just so one can read them?
Anyway, we don't have any IP as valuable as that protected by the MAFIAA (who don't actually produce anything), though there are a couple of celebrities exerting their publicity rights that I think a consensus could be formed which would allow us to ship them right on over to Bejing.
[ link to this | view in thread ]
Re: Vulnerabilities for IP theft?
Suckers.
[ link to this | view in thread ]
Re: Vulnerabilities for IP theft?
[ link to this | view in thread ]
Re: Twisted logic
This article/blog isn't about privacy, otherwise Masnick would rail every day on Google's privacy-killing business model. It's about Pirate Mike getting mad at the idea of pirates getting busted. Duh.
[ link to this | view in thread ]
Re: Re: Twisted logic
[ link to this | view in thread ]
Let existing vulnerabilities go unpatched and open to attack by hackers so the government can perhaps discover other, "more dangerous" vulnerabilities in the future? Yah. That makes a lot of sense.
[ link to this | view in thread ]
Re: Re: Re: Re: In short...
[ link to this | view in thread ]
Re: Wow, such gonads
[ link to this | view in thread ]
what an absolutely ridiculous statement! the only reason they would hang on to something is because they have been told to by the entertainment industries and it doesn't want to bite the hand that feeds it! piss poor excuse, again, for the government to be able to shit on citizens!!
[ link to this | view in thread ]
Re: Whose intellectual property again?
[ link to this | view in thread ]
Re: Vulnerabilities for IP theft?
[ link to this | view in thread ]
[ link to this | view in thread ]
White house hacking for Hollywood?
[ link to this | view in thread ]
[ link to this | view in thread ]
Who is the largest intellectual property thief?
The government has stolen the intellectual property that it has promised the artist to deliver into the public domain and handed it to the big companies. By now the U.S.A. has robbed the graves of deceased artists and stolen about 70 years worth of culture from the general public in order to line the pockets of entertainment industry members in return for lobbying bribes.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
http://archive.wired.com/entertainment/music/news/2003/06/59298
[ link to this | view in thread ]
I certainly don't. It's a catch-22 to say that your withholding vital computer security-related vulnerability information to protect people, when that same withholding puts the same people at greater risk as a result. What does the US government consider all of the actual and potential innocent victims of these practices -- collateral damage?
[ link to this | view in thread ]
Re: Whose intellectual property again?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Another excuse
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
No words written out by intelligence officials are ever "very generic, shorthand sense." They choose words and terms very explicitly. This was not an off-the-cuff remark. What he established is a broad and dangerous rule.
For example, unpublished technical information associated with the design, development, manufacture, use and maintenance of defense systems.
As we mentioned late in the post -- which, clearly, you did not choose to read, as per usual.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Clever redefinitions
This is yet another example wherein we now have confirmation of what was suspected in the mid-2000's. Back then however, those who suspected the entertainment industry would be asking the government to penetrate citizens' computers and violate their 4th Amendment rights were derided by the industry shills posting right here on Techdirt that all-purpose catcall..."tinfoil hat"
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Whose intellectual property again?
[ link to this | view in thread ]
Re: Re:
As for your snarky remark, I did read your entire article and presented my comment entirely in good faith and without any deprecatory motivation in mind. I wish I could say the same for you, but it seems you simply will never consider good faith as a possibility when perusing whatever I may happen to say.
[ link to this | view in thread ]
Re: Re: Re:
Having dealt directly with senior officials at federal agencies and at the WH over the course of many years, my experience has been that IP is almost always used as a shorthand for non-public, technical data and computer software...
1. As I stated, and you totally ignored, this was not an off-hand comment, but a public statement on an issue that people are following closely -- meaning that the words were chosen especially carefully.
2. Here's the hypocritical part: whenever *we* use a simple "short-hand" in this area, you immediately take offense. For example, when we talk about bad patents, you acted all indignant about how you have no idea what a "bad" patent is because it's not defined anywhere and you only know of valid or invalid patents.
Similarly, when we've spoken of software patents, you again go into an astounding huff about how there's no definition of software patent, so you can't possibly understand what we're talking about.
Yet, when it comes to your buddies in the national security space, you're suddenly willing to grant them whatever leeway possible, and assuming that any statement is fine because it's the shorthand they use.
I did read your entire article and presented my comment entirely in good faith and without any deprecatory motivation in mind
If you hadn't spent the last 5 years on this site commenting on nearly every article with the clear intent to mock my position on damn near everything, you might be believable.
But you have... and you're not.
it seems you simply will never consider good faith as a possibility when perusing whatever I may happen to say
I assume everyone has good faith until they prove otherwise. You proved otherwise long ago.
[ link to this | view in thread ]
Re:
It was stolen by the IP thieves.
[ link to this | view in thread ]
PULEEZE!
Now, can we PLEASE get away from the term "Intellectual Property"? It ain't "property", and considering most of the patents granted recently, it's far from "intellectual".
[ link to this | view in thread ]
Re: Re: Re: Re:
Yes, tell me what is a "software" patent. Apparently the view here is that a patent that in any way involves software is a software patent. Heck, no need to review the claims in any detail...that would be such drudgery.
Re national security...no, I am not a friend of the NSA, or Clapper, or anyone else associated with our intelligence services. I am merely one who has worked around highly classified information for many years and who recognizes that the seemingly logical solutions offered here (and elsewhere) oftentimes are not solutions at all because of other considerations unknown to those who do not work with classified information. This is in part what motivated my comments anent Wyden and Clapper.
Re commenting on articles, a believe you will find that I comment on only a very few. What I do find interesting is that virtually everything I may say is responded to by you, almost as if I am challenging your integrity, knowledge, etc. This is not, and never has been, my intent. My interest is invariably to provide some perspective that might otherwise not arise during the course of article commentary. For example, the original SOPA had a third party right of action. Even though it was later removed from the bill, one would never know that reading articles here and elsewhere because they kept talking about the issue as if it was still an issue. The same can be said of the re-direct that was initially proposed, but then removed since the bill's proponents finally admitted that the concept had some problems requiring a much closer look.
My good faith continues with every comment I may submit. You are mistaken to believe otherwise, which would be readily apparent were we ever to meet. If you plan a trip to Central Florida anytime soon, let me know. I do not bite.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Incredible that you still don't see this as hypocrisy.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Wait. So now you're claiming that you DO understand what bad patent means?
So you were lying before when you claimed it had no meaning?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
I have no problem having interesting discussions with others. Perhaps the problem is that you love to put on your pedantic "but only I am so wise to possibly understand these kinds of complex issues -- and until you, too, have been a lawyer held in the sort of esteem as I once was, all your piddling comments are nothing more than dust in the wind that I and my knowledgeable cohorts from the defense industry spit at."
Unfortunately, and frustratingly for those of us who have dealt with matters such as these, a factual record counts. Arm waving does not. If people want to call something bad, then at the very least they should present relevant evidence, and then proceed to show how that relevant evidence compels a conclusion of obviousness (and this is done by claim analysis). Over my career I have been required to stake out positions that patents are obvious, and for the most part have been able to do so. Why? Because I read the patents, read their file histories, researched the relevant technical areas to identify the general state of the art at the time the application was filed and specific instances appearing at the time the invention was first made of acts, publications, etc. that all bear on the legal test for obviousness.
You approach it like a lawyer. Because the system is broken. If you actually spent any time with actual developers -- like I do -- you'd understand why basically every software developer hates patents. They know that patents (1) do not do what they're supposed to (i.e., disclose something new and non-obvious to those skilled in the art) and that (2) they almost always describe something that is quite obvious (and often done many times before).
So, yes, I speak to my audience from *my knowledge* and experience in the world of developers.
The problem, of course, is that you patent lawyers turned the patent system into something that only lawyers can play in -- what with your "claim construction" "file histories" and blah blah blah. You've purposely set up the system so that obvious ideas can be patents, and where they provide no value to the world whatsoever.
And when people WITH ACTUAL KNOWLEDGE OF THE TECHNOLOGY tell you that they're obvious because *everyone already does this* you suddenly freak out about your precious ability to bill, and you look down the bridge of your nose at THE PEOPLE WHO ACTUALLY KNOW THIS STUFF and start tsk tsking about how they need to follow your stupid process to say what is obvious: THIS IS OBVIOUS AND DONE A MILLION TIMES BEFORE.
[ link to this | view in thread ]
I have spent more time with developers than I can possibly begin to recall, but it should be noted that my time spent with them in many instances related to taking ideas to products/services and company launch, including securing needed private investment, market introduction, etc., those very activities associated with the creation of new businesses. Our experience likely diverges in one respect. The startups I have helped come to life have not faced many of the mundane issues associated with startups of the type that arise from humble beginnings such as one's garage or the like. The large majority of mine have begun from the transfer of sophisticated technical products and services (in some cases sunk costs amounting to hundreds of millions...which, BTW, imparts a tremendous competitive advantage, whether or not patents are a part of the deal) arising within the defense and aerospace industry into the commercial market. MMW systems used with helicopters were adapted to terrestrial and satellite civilian telecommunications. Image and signal processing systems were transformed into products for use by commercial broadcasters. Many of these products and systems were birthed by research programs under the auspices of the DOE, NASA, and the DOD, with DARPA being a major source for defining future technology needs.
As for your "when people with actual knowledge..." comment, your cocksureness belies a fundamental weakness in your argument, but most troubling of all your attitude. It has been my experience that many, perhaps even most, technologists do look at patents and exclaim "It's obvious. How did this ever issue?" It is here that you seem inclined to stop any further inquiry and proclaim "bad patent". Unlike you, however, I have sat down with technical subject matter experts (most of whom are among the very best...and recognized as such...in their technical fields) and discussed in detail what the described invention comprises, the claims, the cited prior art, any unknown art deemed particularly relevant by the technologist, and a host of other factors where the goal is to flesh out if the patent is likely valid or likely invalid. Quite surprisingly to almost all of them, they came to the eventual conclusion that their initial impressions were wrong. Of course, what this took was us rolling up our sleeves and actually developing facts necessary to arrive at an informed opinion. It is easy to spout initial impressions. It is quite another to dig into the subject matter to see if an initial impression is accurate.
Amazing just how often persons who are at the forefront of their fields, upon sitting down and actually studying materials to identify and understand relevant facts, do a complete 180. If it was necessary for them to do so in order to actually understand what was involved, then your imperious remarks about what you deem a stupid process rings hollow indeed.
[ link to this | view in thread ]
Re: Re: Whose intellectual property again?
That we let them get away with this is inexcusable; we know what the truth is.
As for the notion that any creative output belongs to the nation - that's just rot. Creative output is being locked away and the public domain diminished. That's where the theft is and that's what we should be calling out.
But first call the government out for lying about what is going on here.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
And what a surprise, you can't stop being a whiny little jackass.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Start a personal blog for god's sake.
That way, people who want to know about you can listen to you as much as they want to, somewhere else.
Unless of course, this is now your paying job.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]