August 30, 2016

FedScoop interviews Ari Schwartz on federal software vulnerabilities and Shadow Brokers


Ari Schwartz, Venable's managing director of cybersecurity services, was interviewed in an August 30, 2016 FedScoop article on a recent incident where government software vulnerabilities were posted online by a secret group known as the Shadow Brokers. Schwartz said he expects a similar incident to occur again in the "near future" because the government is likely aware of never-before-disclosed software flaws.

"It would be better to have vulnerabilities shared with vendors directly from the U.S. government rather than having them leak out from other sources attributed to the U.S. government," Schwartz said while discussing the disclosure of stolen NSA-owned cyber weapons by the Shadow Brokers. "It is dangerous to see a leak like this with literally no time to patch."

Schwartz also discussed White House efforts to change a secretive software exploit disclosure process known as the Vulnerability Equities Process (VEP). Following the Shadow Brokers incident, VEP has faced criticism that Schwartz calls unfair because the process was not supposed to be "backward looking." He added, "There are only a limited number of individuals that work on vulnerabilities issues. To have all of those experts spending time and effort looking through all of the old vulnerabilities to see which have been disclosed and which haven't and having the ensuing conversation about each one would be devotion of resources that could instead be better spent on new vulnerability issues."