Monday, March 30, 2015

US Used Zero-Day Exploits Before It Had Policies for Them

Around the same time the US and Israel were already developing and unleashing Stuxnet on computers in Iran, using five zero-day exploits to get the digital weapon onto machines there, the government realized it needed a policy for how it should handle zero-day vulnerabilities, according to a new document obtained by the Electronic Frontier Foundation.
The document, found among a handful of heavily redacted pages released after the civil liberties group sued the Office of the Director of National Intelligence to obtain them, sheds light on the backstory behind the development of the government’s zero-day policy and offers some insight into the motivations for establishing it. What the documents don’t do, however, is provide support for the government’s assertions that it discloses the “vast majority” of zero-day vulnerabilities it discovers instead of keeping them secret and exploiting them.
“The level of transparency we have now is not enough,” says Andrew Crocker, a legal fellow at EFF. “It doesn’t answer a lot of questions about how often the intelligence community is disclosing, whether they’re really following this process, and who is involved in making these decisions in the executive branch. More transparency is needed.”
The timeframe around the development of the policy does make clear, however, that the government was deploying zero-days to attack systems long before it had established a formal policy for their use.

Task Force Launched in 2008

Titled “Vulnerability Equities Process Highlights,” (.pdf) the document appears to have been created July 8, 2010, based on a date in its file name. Vulnerability equities process in the title refers to the process whereby the government assesses zero-day software security holes that it either finds or buys from contractors in order to determine whether they should be disclosed to the software vendor to be patched or kept secret so intelligence agencies can use them to hack into systems as they please. The government’s use of zero-day vulnerabilities is controversial, not least because when it withholds information about software vulnerabilities to exploit them in targeted systems, it leaves every other system that uses the same software also vulnerable to being hacked, including U.S. government computers and critical infrastructure systems.
According to the document, the equities process grew out of a task force the government formed in 2008 to develop a plan for improving its ability “to use the full spectrum of offensive capabilities to better defend U.S. information systems.”
Making use of offensive capabilities likely refers to one of two things: either encouraging the intelligence community to share information about its stockpile of zero-day vulnerabilities so the holes can be patched on government and critical infrastructure systems; or using the NSA’s cyber espionage capabilities to spot and stop digital threats before they reach U.S. systems. This interpretation seems to be supported by a second document (.pdf) released to EFF, which describes how, in 2007, the government realized it could strengthen its cyber defenses “by providing insight from our own offensive capabilities” and “marshal our intelligence collection to prevent intrusions before they happen.”
One of the recommendations the task force made was to develop a vulnerabilities equities process. Some time in 2008 and 2009 another working group, led by the Office of the Director of National Intelligence, was established to address this recommendation with representatives from the intelligence community, the U.S. attorney general, the FBI, DoD, State Department, DHS and, most notably, the Department of Energy.
The Department of Energy might seem the odd-man-out in this group, but the DoE’s Idaho National Lab conducts research on the security of the nation’s electric grid and, in conjunction with DHS, it also runs a control system security assessment program that involves working with the makers of industrial control systems to uncover vulnerabilities in their products. Industrial control systems are used to manage equipment at power and water plants, chemical facilities and other critical infrastructure.
Although there have long been suspicions that the DoE program is used by the government to uncover vulnerabilities that the intelligence community then uses to exploit in the critical infrastructure facilities of adversaries, DHS sources have insisted to WIRED on a number of occasions that the assessment program is aimed at getting vulnerabilities fixed and that any information uncovered is not shared with the intelligence community for purposes of exploiting vulnerabilities. When a significant vulnerability in an industrial control system is discovered by the Idaho lab, it’s discussed with members of an equities group—formed by representatives of the intelligence community and other agencies—to determine if any agency that might already be using the vulnerability as part of a critical mission would suffer harm if the vulnerability were disclosed. Of course, it should be noted that this also allows such agencies to learn about new vulnerabilities they might want to exploit, even if that’s not the intent.
Following the working group’s discussions with DoE and these other agencies throughout 2008 and 2009, the government produced a document titled “Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process.” Note the words “Industrial Control” in the title, signaling the special importance of these types of vulnerabilities.
The end result of the working group’s meetings was the creation of an executive secretariat within the NSA’s Information Assurance Directorate, which is responsible for protecting and defending national security information and systems, as well as the creation of the vulnerabilities equities process for handling the decision-making, notification procedures and the appeals process around the government’s use and disclosure of zero-days.
We now know, however, that the equities process established by the task force was flawed, due to statements made last year by a government-convened intelligence reform board and by revelations that the process had to undergo a reboot or “reinvigoration” following suggestions that too many vulnerabilities were being withheld for exploitation rather than disclosed.

Equities Process Not Transparent

The equities process was not widely known outside the government until last year when the White House publicly acknowledged for the first time that it uses zero-day exploits to hack into computers. The announcement came only after the infamous Heartbleed vulnerability was discovered and Bloomberg erroneously reported that the NSA had known about the hole for two years and had remained silent about it in order to exploit it. The NSA and the White House disputed the story. The latter referenced the equities process, insisting that any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors to be patched—that is, unless there is “a clear national security or law enforcement” interest in using it.
In a blog post at the time, Michael Daniel, special advisor on cybersecurity to President Obama, insisted that the government had a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure” and suggested that more vulnerabilities are disclosed than not.
The assertion, however, raised a lot of questions about how long this equities process had existed and how many vulnerabilities the NSA had in fact disclosed or kept secret over the years.