AROUND THE SAME time the US and Israel were already developing and unleashing Stuxnet on computers in Iran, using five zero-day exploits to get the digital weapon onto machines there, the government realized it needed a policy for how it should handle zero-day vulnerabilities, according to a new document obtained by the Electronic Frontier Foundation.
The document, found among a handful of heavily redacted pages released after the civil liberties group sued the Office of the Director of National Intelligence to obtain them, sheds light on the backstory behind the development of the government’s zero-day policy and offers some insight into the motivations for establishing it. What the documents don’t do, however, is provide support for the government’s assertions that it discloses the “vast majority” of zero-day vulnerabilities it discovers instead of keeping them secret and exploiting them.
“The level of transparency we have now is not enough,” says Andrew Crocker a legal fellow at EFF. “It doesn’t answer a lot of questions about how often the intelligence community is disclosing, whether they’re really following this process, and who is involved in making these decisions in the executive branch. More transparency is needed.”
The timeframe around the development of the policy does make clear, however, that the government was deploying zero-days to attack systems long before it had established a formal policy for their use.
Task Force Launched in 2008
Titled “Vulnerability Equities Process Highlights,”(.pdf) the document appears to have been created July 8, 2010, based on a date in its file name. Vulnerability equities process in the title refers to the process whereby the government assesses zero-day software security holes that it either finds or buys from contractors in order to determine whether they should be disclosed to the software vendor to be patched or kept secret so intelligence agencies can use them to hack into systems as they please. The government’s use of zero-day vulnerabilities is controversial, not least because when it withholds information about software vulnerabilities to exploit them in targeted systems, it leaves every other system that use the same software also vulnerable to being hacked, including U.S. government computers and critical infrastructure systems.
According to the document, the equities process grew out of a task force the government formed in 2008 to develop a plan for improving its ability “to use the full spectrum of offensive capabilities to better defend U.S. information systems.”
Making use of offensive capabilities likely refers to one of two things: either encouraging the intelligence community to share information about its stockpile of zero-day vulnerabilities so the holes can be patched on government and critical infrastructure systems; or using the NSA’s cyber espionage capabilities to spot and stop digital threats before they reach U.S. systems. This interpretation seems to be supported by a second document (.pdf) released to EFF, which describes how, in 2007, the government realized it could strengthen its cyber defenses “by providing insight from our own offensive capabilities” and “marshal our intelligence collection to prevent intrusions before they happen.”
One of the recommendations the task force made was to develop a vulnerabilities equities process. Some time in 2008 and 2009 another working group, led by the Office of the Director of National Intelligence, was established to address this recommendation with representatives from the intelligence community, the U.S. attorney general, the FBI, DoD, State Department, DHS and, most notably, the Department of Energy.
The Department of Energy might seem the odd-man-out in this group, but the DoE’s Idaho National Lab conducts research on the security of the nation’s electric grid and, in conjunction with DHS, it also runs a control system security assessment program that involves working with the makers of industrial control systems to uncover vulnerabilities in their products. Industrial control systems are used to manage equipment at power and water plants, chemical facilities and other critical infrastructure.
Although there have long been suspicions that the DoE program is used by the government to uncover vulnerabilities that the intelligence community then uses to exploit in the critical infrastructure facilities of adversaries, DHS sources have insisted to WIRED on a number of occasions that the assessment program is aimed at getting vulnerabilities fixed and that any information uncovered is not shared with the intelligence community for purposes of exploiting vulnerabilities. When a significant vulnerability in an industrial control system is discovered by the Idaho lab, it’s discussed with members of an equities group—formed by representatives of the intelligence community and other agencies—to determine if any agency that might already be using the vulnerability as part of a critical mission would suffer harm if the vulnerability were disclosed. Of course, it should be noted that this also allows such agencies to learn about new vulnerabilities they might want to exploit, even if that’s not the intent.
Following the working group’s discussions with DoE and these other agencies throughout 2008 and 2009, the government produced a document titled “Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process.” Note the words “Industrial Control” in the title, signaling the special importance of these types of vulnerabilities.
The end result of the working group’s meetings was the creation of an executive secretariat within the NSA’s Information Assurance Directorate, which is responsible for protecting and defending national security information and systems, as well as the creation of the vulnerabilities equities process for handling the decision-making, notification procedures and the appeals process around the government’s use and disclosure of zero-days.
We now know, however, that the equities process established by the task force was flawed, due to statements made last year by a government-convened intelligence reform board and by revelations that the process had to undergo a reboot or “reinvigoration” following suggestions that too many vulnerabilities were being withheld for exploitation rather than disclosed.
Equities Process Not Transparent
The equities process was not widely known outside the government until last year when the White House publicly acknowledged for the first time that it uses zero-day exploits to hack into computers. The announcement came only after the infamous Heartbleed vulnerability was discovered andBloomberg erroneously reported that the NSA had known about the hole for two years and had remained silent about it in order to exploit it. The NSA and the White House disputed the story. The latter referenced the equities process, insisting that any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors to be patched—that is, unless there is “a clear national security or law enforcement” interest in using it.
In a blog post at the time, Michael Daniel, special advisor on cybersecurity to President Obama, insisted that the government had a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure” and suggested that more vulnerabilities are disclosed than not.
The assertion, however, raised a lot of questions about how long this equities process had existed and how many vulnerabilities the NSA had in fact disclosed or kept secret over the years.
Daniel, who is a member of Obama’s National Security Council, told WIRED in an interview last year that theequities process was formally established in 2010. That’s two years after the task force first recommended it in 2008. He also insisted that the “vast majority” of zero-days the government learns about are disclosed, though he wouldn’t say how many or whether this encompassed ones that were initially kept secret for exploitation purposes before the government disclosed them.
We know that Stuxnet, a digital weapon designed by the U.S. and Israel to sabotage centrifuges enriching uranium for Iran’s nuclear program, used five zero-day exploits to spread between 2009 and 2010—before the equities process was in place. One of these zero-days exploited a fundamental vulnerability in the Windows operating system that, during the time it remained unpatched, left millions of machines around the world vulnerable to attack. Since the equities process was established in 2010, the government has continued to purchase and use zero days supplied by contractors. We know, for example, from documents leaked by NSA whistleblower Edward Snowden that in 2013 alone the government spent more than $25 million to buy “software vulnerabilities” from private vendors. Zero-days can sell for anywhere from $10,000 to $500,000 or more. It’s not clear if $25 million refers to the purchase price of individual zero-days or if it refers to subscription costs that can give the government access to hundreds of zero-days from a single vendor for an annual price.
It was following the Snowden revelations that an intelligence reform board first recommended changes to the equities process. The President’s Review Group on Intelligence and Communications Technologies was convened to provide recommendations on how to reform the government’s surveillance programs in the wake of the Edward Snowden leaks. In its December 2013 report, the board asserted that the government should not be exploiting zero-days but should instead be disclosing all vulnerabilities to software makers and other relevant parties by default, except where there is a clear national security need to retain an exploit. Even then, however, the board said the timeframe for using a secret exploit should be limited, after which these too should be disclosed.
Peter Swire, a member of the review board, told WIRED last year that their comments were prompted by the fact that disclosures weren’t happening to the degree they should. The government was apparently finding too many exceptions whereby it deemed it necessary to keep a zero-day secret instead of disclosing it, and the review board felt the percentage of vulnerabilities being kept secret should be much smaller.
Daniel himself acknowledged problems with the equities process when he spoke to WIRED last year and said the equities process had not been implemented “to the full degree it should have been” since it was established in 2010. The relevant agencies had not been sufficiently communicating information about vulnerabilities and “ensuring that everybody had the right level of visibility across the entire government” about vulnerabilities.
But this wasn’t the only problem the review board had found with the equities process. They also implied that the oversight process for monitoring the equities process was flawed. Although the board members didn’t say it, their comments suggested that until last year, the NSA and other self-interested parties in the intelligence community had been the sole arbiters of decisions about when a zero-day vulnerability should be disclosed or kept secret. The implication was that this was one of the reasons too many vulnerabilities were still being kept secret.
To help fix this, the review board recommended that the National Security Council have dominion over the zero-day decision process to take it out of the hands of the intelligence agencies. The White House did implement this recommendation, and Daniel’s office at the National Security Council now oversees the equities process—a process that we can see from the document obtained by EFF traces back to 2008. This means it took six years since the equities process was first proposed by the task force to figure out that leaving the decision-making process about zero-days in the hands of the intelligence community that wants to exploit them was probably not a wise idea.
EFF’s Crocker says that none of the documents his group has received so far from the government give them confidence that the equities process is currently being handled in any wiser manner.
“Based on the documents they’ve released and withheld there’s really not a lot of paper to back up [the government’s claims about] this being a rigorous process with lots of actual considerations in it,” he says. “There just isn’t support for that in what they’ve released. It continues to raise questions about how thorough this process is and how much is there when the rubber meets the road.”