Opinion: NSA hack reveals flaws in White House zero-day process

A potentially damaging hacking tool revealed in the apparent National Security Agency breach includes a zero-day vulnerability — or previously unknown security hole — in Cisco software. The government should have already disclosed that flaw.

Kevin Lamarque/Reuters
Adm. Michael Rogers, head of the National Security Agency and commander of US Cyber Command, testified on Capitol Hill in April 2016. REUTERS/Kevin Lamarque

Earlier this week, a group calling itself the Shadow Brokers released a cache of military-grade computer hacking tools. Since then, experts and former agency employees have substantiated that the tranche of custom-made malware originated from the National Security Agency.

Now, the dump is raising serious questions about the nature of the US government's cyberweapons arsenal. Chief among those questions is whether or not the US government should withhold information about potentially damaging flaws in software programs widely used by American companies.

One of the most potentially damaging exploits that the Shadow Brokers revealed is a so-called "zero-day" vulnerability in a Cisco security product common in many American critical infrastructure facilities. Zero-days are security flaws that the affected company doesn't know about.

Is that the kind of flaw that the NSA should keep secret from American businesses? Should it have told Cisco?

At the recent DEF CON hacker convention in Las Vegas, I presented research conducted with students at the Columbia University School of International and Public Affairs on the Vulnerabilities Equities Process (VEP), a White House procedure to determine when the government should retain — and when it should disclose — such vulnerabilities.

Our best estimate is that the government probably retains a small arsenal of dozens of such zero-days, far fewer than the hundreds or thousands that many experts estimated. It appears they add to that arsenal only by drips and drabs, perhaps by single digits every year.

However, before President Obama "reinvigorated" the VEP in January 2014, the NSA probably kept many more: probably dozens per year, rather than single digits. In those days, the NSA largely made its own decisions, without having to consult with other parts of the government.

Today, however, the president has made clear the default decision should be to disclose flaws. While the Shadow Brokers' revelations haven't changed our estimate of the number of zero-days in the NSA's arsenal, a former NSA cyber operator told the there were "hundreds" of such vulnerabilities at the agency and none of those were disclosed to companies.

But beyond the specific number of vulnerabilities at the NSA's disposal, the dump casts doubt on the effectiveness of the government's VEP process. Is it actually sufficient?

Based on the policies in place today, the NSA almost certainly should have disclosed the Cisco vulnerability — just as the FBI should have told Apple about the iPhone vulnerability it relied on to unlock the phone recovered after the San Bernardino, Calif., terrorist attack.

If any agency wants to keep a zero-day, it has to argue its case to the National Security Council (NSC) and other agencies such as the Department of Homeland Security and the Department of Commerce that are concerned primarily with securing US critical infrastructure.

According to many people we interviewed for our zero-day research, participants in the equities review process are senior members of the administration and meet frequently. It's an active process.

Furthermore, the Obama administration's is clear that the default position is to tell vendors and the NSC. If a vulnerability affects US critical infrastructure or imposes a high risk, the government should not keep it. That's certainly the case with the Cisco security bug.

The president's policy doesn't apply to bugs discovered prior to 2010. So, the NSA was not in violation of the policy's wording, but it certainly seems against the president's intent.

The best case for the NSA retaining the Cisco vulnerability is that it was monitoring signals intelligence for signs that others knew about it. And, possibly, if the agency discovered that it was being deployed, it would inform Cisco.

Still, the Shadow Brokers leak makes it clearer than ever that the president needs to strengthen the equities review process to close the apparent loopholes that the NSA and FBI may rely on to keep their zero-days hidden.

Former White House staffers Rob Knake and Ari Schwartz have a great list of recommendations: formalize the process as an executive order, make it more transparent through an annual report, periodically review retained vulnerabilities (including those from before 2010), and create a watchdog similar to the Privacy and Civil Liberties Oversight Board.

The Shadow Brokers revelations give the impression of an NSA that's out of control. The Vulnerability Equities Process is meant to put some restraints on the agency when it comes to its hacking tools — it's a good process designed to govern an incredibly critical function of the agency.

But the government should act quickly — and transparently — to reform this process to retain the trust of American technologists, the US public, and our allies.

Jason Healey is a senior research scholar at Columbia University's School of International and Public Affairs and a senior fellow at the Atlantic Council. Follow him on Twitter.
