WikiLeaks Dump Shines Light On US Intelligence’s Zero-Day Policy

WikiLeaks’ massive release of CIA cyber exploits produced more questions than answers about the US government and it’s intelligence agencies' shadowy procedure for hoarding damaging digital vulnerabilities that remain unknown even to a system’s manufacturer.

These bugs, called zero days because industry has had zero days to create and promulgate a software patch, can be goldmines for US intelligence agencies looking to sneak undetected into the computers, phones and other electronic devices of terrorists and officials of adversary nation-states.

These glitches can be extremely dangerous, however, if those same terrorists or other nations’ intelligence agencies discover them independently and use them to spy on Americans. If discovered by cyber criminals, they might also be used to steal money or information from American citizens or US companies.

How Many Zero Days Does the Government Have?

WikiLeaks describes the leaked documents, which it has dubbed Vault 7, as containing “dozens of zero days.” If true, that would almost certainly raise the best estimate to date, by Columbia University Senior Research Scholar Jason Healey, which puts the government’s entire zero-day arsenal at around 60 or 70, rather than in the hundreds or thousands as previously estimated.

If WikiLeaks’ “dozens” figure is correct, it’s a good assumption that only represents a portion of the CIA’s zero-day arsenal and that the National Security Agency and a handful of other agencies possess additional zero-day troves that aren’t actively retained by CIA, Healey, a former White House cyber official, told the Nextgov website.

That would mean Healey’s estimate of 60 to 70 would have to be adjusted up, he said. It’s also possible, however, Healey’s initial estimate remains sound and the WikiLeaks figure is exaggerated.

When a group known as Shadow Brokers released an NSA hacking toolkit in October, Healey expected he’d have to rejigger his estimate, he said, but the trove turned out to contain only a handful of genuine zero days.

Without examining the underlying code, which WikiLeaks did not release, it’s difficult to tell which of the more than 8,000 documents disclosed by the renegade transparency group contain genuine zero days and which exploit vulnerabilities are already known but not reliably patched.

It’s also not clear when CIA discovered the vulnerabilities, so it’s possible some were once zero days that have since been discovered independently, said Ross Schulman, co-director of the Cybersecurity Initiative at the New America think tank’s Open Technology Institute.

Some of the tools may also exploit known vulnerabilities in outdated software versions guaranteed to remain because the company has stopped issuing patches for that version, Schulman said.

Vulnerability Equities Review

The government has never disclosed how many zero days it retains at any given time. However, NSA Director Adm. Michael Rogers boasted in 2015 the government has historically shared over 90 percent of vulnerabilities it discovers with manufacturers because NSA judges those vulnerabilities would do more harm if found by an adversary than good if exploited by the agency.

That system was codified during the Obama administration in a review known as the Vulnerability Equities Process, which considers an exploit’s value to intelligence agencies, how much damage it could do if discovered by someone else and how likely that discovery is to happen.

Government officials have indicated that review process may be retained under the Trump administration, though, as with most cybersecurity questions, the president has made no firm commitments yet.

Even if the Trump administration rejiggers its calculations for retaining or disclosing zero days, it’s unlikely the arsenal will greatly expand, said Obama’s Cybersecurity Coordinator Michael Daniel.

That’s because the number of zero-day vulnerabilities the government encounters that are genuinely useful for intelligence work is quite limited, he said, so greatly expanding the percentage the government retains would serve little useful purpose.

The most important question for both Healey and Schulman is not the raw number of zero days the Vault 7 documents reveal, but whether those zero days were appropriately vetted through the equities review process, and, again, there’s no firm answer.

“If we thought the government kept dozens and it turned out to be in the low hundreds, is that bad?” Healey asked. “We can decide what’s big or what’s not and how many is too many. I’d be much more worried if these didn’t go through the vulnerabilities equities process … that’s a deeper governance issue.”

If nothing else, Schulman said, he hopes the WikiLeaks release will spur the government to ensure its vulnerabilities vetting process is firmly in place.

“What this does show with regard to VEP is its importance,” he said. “There are still a lot of open questions and now would be a great time for Congress to step in and codify the VEP to be sure that it’s a law and that it’s followed.”

For others, however, the Vault 7 trove itself is an indictment of the equities process.

The documents include hacks of Apple’s iPhone and Google’s Android platforms as well as Microsoft Windows, products used by millions of Americans. It’s not clear those exploits rely on zero days but if they do, that suggests the CIA was willing to endanger those Americans’ privacy for the sake of foreign intelligence gathering, Electronic Frontier Foundation Staff Technologist Cooper Quintin told Nextgov.

“It’s our opinion that we are all made less safe by CIA’s decision to keep these vulnerabilities rather than disclose them and help companies fix them,” he said.

Why Zero Days Are Valuable

Zero days are a strange sort of weapon. They’re highly powerful, the crown jewels of any intelligence agency, and can sell for thousands or, in rare circumstances, more than $1 million on the open market. 

The average zero-day vulnerability and the exploit that makes use of it lasts nearly seven years, according to a recent comprehensive report from the Rand Corporation. One-quarter of zero days last nearly a decade, the report found.

Yet, their value dissipates as soon as they’re used because security researchers can reverse engineer them once discovered and sell that knowhow, either to nefarious hackers or to the company whose technology is being exploited so it can issue a patch.

As a result, intelligence agencies and criminal hackers are hesitant to use zero days if known exploits will get the job done. And they often will, because organizations are frequently slow to install software patches and, especially in the case of the US government, rely on outdated systems.

Humans are also the weakest cyber link in any organisation and can frequently be conned into clicking on a phishing link and allowing an intruder into a network where fancy exploits are less necessary.

WikiLeaks founder Julian Assange announced he plans to share information about the Vault 7 vulnerabilities with manufacturers so they can patch them. Healey, on Twitter, urged the CIA to share those vulnerabilities first to deny WikiLeaks the public-relations victory.

The CIA has declined to comment on the authenticity of the Vault 7 documents, but savaged Assange and WikiLeaks in two statements.

“CIA’s mission is to aggressively collect foreign intelligence overseas” and to be “innovative, cutting edge and the first line of defense in protecting this country from enemies abroad,” a spokesman said, adding that “CIA’s activities are subject to rigorous oversight to ensure that they comply fully with US law and the Constitution.”

NextGov:

Assange: The CIA Has Lost Control Of Its Cyber Weapons Documents:

CIA leak 'absolutely' an 'inside job':

Nation State Hacking Has A Big Commercial Impact:

Government In The Information Age:

 

« Board-level Cyber Literacy Is Low, Discomfort High
Hong Kong’s 3.7 Million Voters Exposed in Massive Breach »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

MarQuest

MarQuest

MarQuest provides services and systems to enhance network reliability and security.

Quality Professionals (Q-Pros)

Quality Professionals (Q-Pros)

QPros are a recognized leader in providing full-cycle software quality assurance and application testing services.

Steptoe & Johnson

Steptoe & Johnson

Steptoe is an international law firm with offices in the USA, Europe and China. Practice areas include Cybersecurity, Privacy & National Security.

XCure Solutions

XCure Solutions

XCure Solutions are a Finnish company specializing in data security, data protection and data recovery.

Fornetix

Fornetix

Fornetix is a cybersecurity platform enabling Zero Trust while delivering critical encryption automation, access controls, authorization services, machine identity, and ICAM solutions,

Cyber Wales

Cyber Wales

Cyber Wales provides a focus and forum for everyone in the industry, helping businesses come together and collaborate both within Wales and internationally.

Riskaware

Riskaware

CyberAware, by Riskaware, provides business-critical cyber attack analysis and impact assessments using NIST standards aligned with NCSC guidance.

Kratos Defense & Security Solutions

Kratos Defense & Security Solutions

The Kratos Space, Training, and Cybersecurity division addresses key cybersecurity challenges, including cloud security, continuous monitoring, IT security, and risk management.

CyberArmor

CyberArmor

Cyber Armor defend everyday IT and OT systems, from government agencies to critical infrastructure, from system integrators to small industries.

Private Client Cyber Security (PCCS)

Private Client Cyber Security (PCCS)

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

Timus Networks

Timus Networks

Timus Networks enables today's work from anywhere organizations to secure their networks very easily and cost effectively.

Exalens

Exalens

With deep roots in AI-driven cyber-physical security research and intrusion detection, at Exalens, we are enhancing operational resilience for cyber-physical systems at the OT edge.

National Cybersecurity Agency (ACN) - Italy

National Cybersecurity Agency (ACN) - Italy

The ACN is the National Authority for Cybersecurity in Italy. the Agency promotes public-private initiatives to strengthen the national cybersecurity and resilience posture.

NuKuDo

NuKuDo

NukuDo redefine the boundaries of cybersecurity talent development. We are dedicated to cultivating top-tier professionals equipped to tackle the complex challenges of cybersecurity.

TeamT5

TeamT5

TeamT5 Inc. is a leading cybersecurity company dedicated to cyber threat research and solutions.

Lenze

Lenze

Lenze are an experienced partner for automation systems, digitalization and cyber security.