Heartbleed: What it told us about US stockpiling of potential cyber-weapons
The US says it is shifting its policy over when to keep cyber-vulnerabilities such as Heartbleed secret — to be exploited by government spies only — and when to disclose and fix them.
In this Feb. 27, 2013 photo illustration, hands type on a computer keyboard in Los Angeles. The US says it is shifting its policy over when to keep cyber-vulnerabilities secret, and when to disclose and fix them.
Damian Dovarganes/AP/File
Heartbleed, the recently divulged cyber-vulnerability that exposed websites to a gaping hole in computer security across half the Internet, exposed something else: a shift in US policy over when to keep such vulnerabilities secret — to be exploited by government spies only — and when to disclose and fix them.
Just hours after the National Security Agency was accused in a news report on April 11 of knowing all about Heartbleed two years earlier — and using it to spy while leaving US businesses on the Internet vulnerable — the Obama administration struck back in a statement denying that the NSA knew about it or used it.
The NSA soon tweeted the same. Tweets by spy agencies defending themselves against charges of conducting a global cyber-espionage game — with little regard for the privacy and economic well-being of America’s Internet-dependent society — almost seem the new normal.
What’s become clear, cyber-experts say, is that the NSA and other US spy agencies have long stockpiled cyber-vulnerabilities — identifying, purchasing, or otherwise acquiring obscure flaws in computer code. Those vulnerabilities are then used to craft “exploits” — cyber-weapons or spying tools used to sneak into and spy on, or damage, computer networks worldwide, cyber-security experts say.
But that rampant gathering of cyber-vulnerabilities for weapons and spying may be changing. Nearly a year after former NSA contractor Edward Snowden leaked top-secret documents detailing the agency’s global cyber-surveillance practices, senior White House officials say the Obama administration will soon begin a new evaluation process that more routinely reveals, rather than keeps hidden, the majority of cyber-vulnerabilities, thereby boosting the nation’s cyber-defenses.
“In the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” Michael Daniel, the president’s cyber-security coordinator, wrote in an April 28 White House blog post. “Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”
That is not the same, he notes, “as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run.” Mr. Daniel continues: “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”
His online comments corroborate those of two other executive branch officials on how the government expects to shift its handling of cyber-vulnerabilities that, like Heartbleed, are among the most potent variety of cyber-threats. They are the “zero day” vulnerabilities, so called because software developers have zero days to patch the vulnerability before attacks based on those flaws begin.
A key example of zero-day use was as part of the Stuxnet cyber-weapon developed, reportedly by the US and Israel, to digitally identify and then wreck Iran’s nuclear fuel refining program. Stuxnet used at least four zero-day exploits just to access the Iranian centrifuge facility. It used other previously undisclosed vulnerabilities to do the damage to the facility’s centrifuges.
Notably, a White House review panel on surveillance practices recommended in December “that US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks.”
That view was echoed, too, by the NSA’s new director, Vice Admiral Michael Rogers, in written testimony at his March confirmation hearings. An “inter-agency process” would be used for evaluating cyber-vulnerabilities, he wrote. “The default is to disclose vulnerabilities in products and systems used by the US and its allies.”
It’s a delicate balancing act that requires weighing whether a vulnerability is needed to infiltrate legitimate intelligence targets like terrorist communications networks — or whether keeping it hidden will leave US businesses and networks open to attack from cyber-criminals and foreign intelligence services.
In his much-parsed blog, Daniel listed a variety of tests the new interagency review will use to determine whether cyber-vulnerabilities are to be revealed in order to be patched, or kept for cyber-weapons and spying. Criteria for evaluating vulnerabilities would, he wrote, include the following:
• How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the US economy and in national security systems?
• Does the vulnerability, if left unpatched, impose significant risk?
• How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
• How likely is it that we would know if someone else were exploiting it?
• How badly do we need the intelligence we think we can get from exploiting the vulnerability?
• Are there other ways we can get it?
• Could we utilize the vulnerability for a short period of time before we disclose it?
• How likely is it that someone else will discover the vulnerability?
• Can the vulnerability be patched or otherwise mitigated?
“These nine separate points, these questions, are very important because they’re not just about general transparency, but the actual balance that they have to establish in the process for a vulnerability to be kept close, or released,” says Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative.
But the many exceptions articulated by the administration so far have also sparked debate over how deep this change really goes, say several cyber-experts and a former government official.
“They’ve had a process for evaluating these vulnerabilities for a long time, and even this new variant has been normal practice for the White House, NSA and Department of Justice for years and years,” says James Lewis, a cyber-security expert with the Center for Strategic and International Studies. “I really don’t see things changing very much, if at all.”
Even well-meaning attempts at better vetting of cyber-vulnerabilities may run up against systemic obstacles that limit any serious change, says Joel Brenner, former head of US counterintelligence in the Office of the Director of National Intelligence from 2006 to 2009.
“Given the list of criteria that has to be considered, given the massive number of vulnerabilities that could be involved, I cannot imagine that they will be dealt with individually at a high level in the interagency process,” says Mr. Brenner, previously the NSA’s inspector general.
Some have speculated the new evaluation will end up undercutting the NSA’s capabilities, forcing it to throw away valuable exploits from its trove.
“There’s catalogs and catalogs and catalogs, volumes in their stockpile,” says John Bumgarner, a former intelligence officer and cyber-conflict expert. “So who is going to go through all those to weed out those more strategic ones?”
Some civil libertarians applaud the Obama administration’s moves so far, but remain skeptical how much impact they will have.
“The bias toward disclosure they are talking about is a good thing,” says Daniel Gillmor, a technology fellow at the American Civil Liberties Union. “But they’ve carved out some exceptions so large you can drive a truck through them. So while I’m glad to see the White House engaged on this, I remain concerned we won’t see much progress, and the Internet will be less secure as a result.”
Even administration supporters say they are circumspect about whether well-meaning changes to the cyber-vulnerability vetting process will have any major impact that results in more systematic releases of critical vulnerabilities that make the country safer.
One fundamental reason that the Obama administration may find it difficult to release cyber-vulnerabilities: the process is stacked in favor of weaponizing them, says a former administration official, who requested anonymity so as not to burn bridges.
“I’m afraid I really don’t think what we are seeing is a huge departure from the way things have been done in the past,” the former official says. “I think Michael Daniel and others in the White House mean well ... but my sense is that it all ends up taking place after these tools are developed. So even if there is strong oversight of the tools themselves, a lot of key decisions will already be baked in — made earlier in the development process.”
Cyber-weapons development should probably be removed from military control and handed over to civilian agencies more responsive to privacy and cyber-defense concerns, the official argues.
“Right now the intelligence and defense communities are conducting the cyber-research and development,” the official says. “So they’re thinking military and intelligence first and foremost, as they should. But we’ve given the military and the NSA a national burden that frankly is beyond their purview.”
Something similar happened after World War II when control over development of nuclear weapons was removed from the Department of Defense and handed over to the Department of Energy and its national laboratories.
“If we are asking that economic and diplomatic and privacy concerns be factored in — well, then these issues have to be evaluated by a different group much earlier in the process for anything to really change,” he says. “That’s just the way things are.”