Wikileaks’ “Vault7” disclosure last month of apparent CIA hacking tools marked the third recent incident in which an inadvertent public release of alleged government hacking techniques has sent the private sector scrambling to protect users.
The two others involved a release of alleged NSA tools by a group that calls itself the Shadow Brokers and the publication of a vulnerability used by an unknown law enforcement agency to deanonymize Tor users. These incidents have raised further questions about whether and when the U.S. government should be required to disclose zero-day vulnerabilities, meaning secret, previously undisclosed flaws for which no ready-made patches exist.
Past debate about vulnerability disclosure has focused on the potential for independent discovery, meaning that if the U.S. government knows about an unpatched vulnerability in, for example, an electronic device’s source code, that vulnerability could be independently discovered by a foreign adversary – an event known as a collision – and used by that adversary. If such collisions happen often, that would suggest the U.S. government should err on the side of disclosing vulnerabilities to ensure that U.S. citizens are protected from those adversaries.
But what recent incidents show is that much of the risk of non-disclosure of zero-day vulnerabilities stems from the use and mismanagement of those vulnerabilities, rather than from independent discovery. The NSA and CIA apparently mismanaged their hacking tools, resulting in leaks of those tools to an adversary. Instead of asking whether vulnerabilities can be independently discovered, the intelligence community should be asking whether vulnerabilities can too easily be stolen or leaked. Indeed, zero-day vendors – gray-market entrepreneurs who discover vulnerabilities in systems and sell information about those flaws to the government or others – have acknowledged that they are targets of attack and that they have valuable assets that malicious actors want to steal.
The same is true for intelligence agencies, which in recent years have not proven to be great at protecting their classified information and capabilities.
With both the Vault7 and Shadow Brokers disclosures, there has been public speculation that Russian intelligence services played a role in the release of this information. It is worth considering for a moment the implications of Russian involvement, if true. It would mean that, possibly for a period of years, foreign adversaries were in possession of knowledge about vulnerabilities that they somehow obtained from U.S. intelligence agencies. Those agencies would then be culpable in any harm those adversaries did to U.S. persons or interests using those vulnerabilities.
I point this out not to heap further acrimony on intelligence agencies. Rather, I’m engaging in this thought experiment to demonstrate the acute nature of the risk when government agencies retain possession of data on zero-day vulnerabilities.
The basic point is this: these are not typical government secrets. Files on vulnerabilities are a unique class of classified information held by the government, different from the top secret and compartmented information that many people across the intelligence community access on a daily basis.
When information on vulnerabilities leaks or is stolen, agencies might quickly lose any access gained by the exploitation of those vulnerabilities. But more than just putting intelligence capabilities at risk, leaked or stolen vulnerabilities can be weaponized quickly and put millions or tens of millions of product users at risk. Even assuming companies learn about a leak, weaponization can still occur more quickly than companies can develop and deploy patches to the affected population. Anybody within the government with access to non-disclosed zero-day vulnerabilities is in a position to cause immediate harm, either through mistake or malice, both to U.S. national security and to the public at large. This potential for harm is fundamentally different from the harm that can be caused by the theft or leak of other types of classified information.
The unique nature of these secrets means that intelligence agencies have a responsibility to mitigate that potential harm, both proactively and reactively.
First, intelligence agencies should redouble their commitment to the Vulnerabilities Equities Process (VEP). Anytime they believe a vulnerability should be exploited rather than disclosed, they should have a clear, articulated reason for why the benefits of non-disclosure outweigh the potential costs. They should be willing to submit that reasoning to independent scrutiny, and the VEP is the right forum to apply that scrutiny.
The VEP is inherently going to be a fragile process. It involves a complex, qualitative analysis that is made even more difficult by the fact that affected agencies’ interests will almost always run counter to disclosure. But a VEP that fails on occasion is preferable to an approach that ignores entirely the broader risks created by the non-disclosure of zero-day vulnerabilities.
Second, any hacking tools and techniques need to be treated as some of the most sensitive classified information in the U.S. government’s possession. That might strike some as an obvious statement, but the Shadow Brokers and Vault7 disclosures would suggest that this information has not been treated with the highest level of care in the past. In the wake of those disclosures, intelligence agencies should be conducting a thorough review of the security practices they have in place to govern the protection and use of zero-day vulnerabilities. The new administration should be insisting that such a review take place. While they are at it, the agencies should also examine the security practices of the VEP itself, as that strikes me as an attractive target for attackers looking for a single point of access to critical vulnerabilities in the possession of the U.S. government.
And third, when unauthorized leaks of zero-days occur, the first action of the implicated agencies should be to coordinate with the private sector to ensure that companies have all the information they need to patch their systems and products. The priority should be mitigation, and any operational interests at stake should take a backseat to the immediate need to protect the broader public. Companies will be in a race against time to develop and deploy patches. Any leg up that the U.S. government can provide to those companies could prove valuable. When agencies have not met their responsibility to protect non-disclosed vulnerabilities, they then have a secondary responsibility to help mitigate any harm they may have caused.