Opinion: NSA hack reveals flaws in White House zero-day process
A potentially damaging hacking tool revealed in the apparent National Security Agency breach includes a zero-day vulnerability – or previously unknown security hole – in Cisco software. The government should have already disclosed that flaw.
Adm. Michael Rogers, head of the National Security Agency and commander of US Cyber Command, testified on Capitol Hill in April 2016. REUTERS/Kevin Lamarque
Earlier this week, a group calling itself the Shadow Brokers released a cache of military-grade computer hacking tools. Since then, experts and former agency employees have substantiated that the tranche of custom-made malware originated from the National Security Agency.
Now, the dump is raising serious questions about the nature of the US government's cyberweapons arsenal. Chief among those questions is whether or not the US government should withhold information about potentially damaging flaws in software programs widely used by American companies.
One of the most potentially damaging exploits that the Shadow Brokers revealed is a so-called "zero-day" vulnerability in a Cisco security product common in many American critical infrastructure facilities. Zero-days are security flaws that the affected company doesn't know about.
Is that the kind of flaw that the NSA should keep secret from American businesses? Should it have told Cisco?
At the recent DEF CON hacker convention in Las Vegas, I presented research conducted with students at the Columbia University School of International and Public Affairs on the Vulnerabilities Equities Process (VEP), a White House procedure to determine when the government should retain – and when it should disclose – such vulnerabilities.
Our best estimate is that the government probably retains a small arsenal of dozens of such zero-days, far fewer than the hundreds or thousands that many experts estimated. It appears they add to that arsenal only in dribs and drabs, perhaps by single digits every year.
However, before President Obama "reinvigorated" the VEP in January 2014, the NSA probably kept many more: probably dozens per year, rather than single digits. In those days, the NSA largely made its own decisions, without having to consult with other parts of the government.
Today, however, the president has made clear the default decision should be to disclose flaws. While the Shadow Brokers' revelations haven't changed our estimate of the number of zero-days in the NSA's arsenal, a former NSA cyber operator has said there were "hundreds" of such vulnerabilities at the agency and none of those were disclosed to companies.
But beyond the specific number of vulnerabilities at the NSA's disposal, the dump casts doubt on the effectiveness of the government's VEP process. Is it actually sufficient?
Based on the policies in place today, the NSA almost certainly should have disclosed the Cisco vulnerability – just as the FBI should have told Apple about the iPhone vulnerability it relied on to unlock the phone recovered after the San Bernardino, Calif., terrorist attack.
If any agency wants to keep a zero-day, it has to argue its case to the National Security Council (NSC) and other agencies such as the Department of Homeland Security and the Department of Commerce that are concerned primarily with securing US critical infrastructure.
According to many people we interviewed for our zero-day research, participants in the equities review process are senior members of the administration and meet frequently. It's an active process.
Furthermore, the Obama administration's policy is clear that the default position is to tell vendors and the NSC. If a vulnerability affects US critical infrastructure or imposes a high risk, the government should not keep it. That's certainly the case with the Cisco security bug.
The president's policy doesn't apply to bugs discovered prior to 2010. So, the NSA was not in violation of the policy’s wording, but it certainly seems against the president’s intent.
The best case for the NSA retaining the Cisco vulnerability is that it was monitoring signals intelligence for signs that others knew about it. And, possibly, if the agency discovered that it was being deployed, it would inform Cisco.
Still, the Shadow Brokers leak makes it more clear than ever that the president needs to strengthen the equities review process to close the apparent loopholes that the NSA and FBI may rely on to keep their zero-days hidden.
Former White House staffers Rob Knake and Ari Schwartz have laid out a great list of recommendations: formalize the process as an executive order, make it more transparent through an annual report, periodically review retained vulnerabilities (including those from before 2010), and create a watchdog similar to the Privacy and Civil Liberties Oversight Board.
The Shadow Brokers revelations give the impression of an NSA that's out of control. The Vulnerabilities Equities Process is meant to put some restraints on the agency when it comes to its hacking tools – it's a good process designed to govern an incredibly critical function of the agency.
But the government should act quickly – and transparently – to reform this process to retain the trust of American technologists, the US public, and our allies.
Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs and a senior fellow at the Atlantic Council. Follow him on Twitter.