With the seemingly constant barrage of leaks revealing the U.S. intelligence community’s hacking capabilities, many are wondering where government draws the line between priorities of intelligence collection versus assisting companies to secure their products in order to keep the digital lives of U.S. citizens and companies secure. The Cipher Brief spoke with Ari Schwartz, the managing director of Cybersecurity Services at Venable LLP and former Senior Director for Cybersecurity at the National Security Council during the Obama administration, about the current state of U.S. vulnerability disclosure policy.
The Cipher Brief: What are zero-day vulnerabilities – zero days, for short – and how often are they used by criminals and nation-states as opposed to already known vulnerabilities? How often are zero days found and used by more than one actor?
Ari Schwartz: Zero days are previously unknown vulnerabilities that researchers and others find. They are called “zero days” because there has been no time for security experts to create and release a patch for the vulnerabilities and therefore very seldom is there a way to stop it. These vulnerabilities are often paired with existing known vulnerabilities to create an exploit of a system, meaning an attack technique to take advantage of a weakness within a system. Studies suggest that between 80 to 99 percent of incidents rely on known vulnerabilities, and the rest use some kind of zero-day.
TCB: Once a vulnerability is discovered in a system, how is it commonly reported and how long does it normally take companies to patch it?
AS: Patching times vary greatly, depending on the type of system that is exploited. Browser companies can usually turn a patch around very quickly, within hours or days. Hardware companies can take much longer because they have to be concerned with the impact on all of the critical software running on that equipment. Specialized equipment can take many months to patch, even with multiple engineers working full time on a fix.
TCB: Do the intelligence community and law enforcement have a responsibility to disclose zero-day vulnerabilities to private companies rather than hold onto the exploits to facilitate targeted espionage? Could you describe some of the cost-benefit analysis involved in making the decision?
AS: The intelligence community has a responsibility to weigh the pros and cons of releasing a vulnerability versus keeping it. These considerations include:
- How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else were exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
TCB: What is the Vulnerabilities Equities Process (VEP) and how does it dictate vulnerabilities disclosure for the intelligence community and law enforcement?
AS: The VEP is a process created by the Bush administration that serves as an oversight function for agencies that use vulnerabilities. Its function is to make sure that agencies are considering the cost-benefit of keeping or releasing to the whole government, not just within individual agencies. During the Obama administration, a presidential advisory group made a recommendation that the White House run the VEP and that the default be to disclose vulnerabilities to the companies whose software or equipment is most affected. The National Security Council later made the existence of the process public, and recent FOIA requests have provided more information about it. Reports suggest that the VEP continues to meet under the Trump administration.
TCB: Is the VEP working as intended, particularly following the disclosure of tools used to exploit vulnerabilities allegedly belonging to the NSA by a group calling itself the Shadow Brokers, as well as the alleged CIA hacking tools released by WikiLeaks?
AS: The recent high-profile leaks demonstrate the reason for the VEP’s importance and explain the push to re-establish and strengthen it during the Obama administration. It is much more difficult to keep secrets than it used to be. Government agencies should not assume that they will be the only ones that know about a particular vulnerability for years, as was true in the past. Leaks are much more common now. It is difficult to know if the VEP didn’t work in these cases because there is still so much classified information related to what the VEP does and the details about these vulnerabilities.
TCB: It has been reported that the CIA knew about the loss of its hacking tools before the WikiLeaks release earlier this month. If this is the case, should the CIA have disclosed the vulnerabilities, given that it knew the tools were in the hands of another actor?
AS: Supposedly the CIA didn’t know exactly what was taken. However, officials could have made some educated guesses and at least informed companies of what had happened so those named in the documents would not be surprised about the announcement.
TCB: What can be done to improve the VEP?
AS: A lot of things could be done to make the VEP better. This would include:
- Making public the high-level criteria that will be used to determine whether to disclose to a vendor a zero-day vulnerability in its product or to retain the vulnerability for government use.
- Defining clearly the process to be followed in making a disclosure decision with respect to a zero-day vulnerability.
- Ensuring that any decision to retain a zero-day vulnerability for government use is subject to periodic review.
- Transferring the Executive Secretary function to one that can have greater public accountability than the NSA.
- Directing the Executive Secretary to issue a public report on an annual basis on the status of the program.
It would be a mistake to say that, because the VEP is not perfect, we should get rid of it. We need to continually try to improve it.