WikiLeaks Dump Shines Light On US Intelligence’s Zero-Day Policy

WikiLeaks’ massive release of CIA cyber exploits produced more questions than answers about the US government and it’s intelligence agencies' shadowy procedure for hoarding damaging digital vulnerabilities that remain unknown even to a system’s manufacturer.

These bugs, called zero days because industry has had zero days to create and promulgate a software patch, can be goldmines for US intelligence agencies looking to sneak undetected into the computers, phones and other electronic devices of terrorists and officials of adversary nation-states.

These glitches can be extremely dangerous, however, if those same terrorists or other nations’ intelligence agencies discover them independently and use them to spy on Americans. If discovered by cyber criminals, they might also be used to steal money or information from American citizens or US companies.

How Many Zero Days Does the Government Have?

WikiLeaks describes the leaked documents, which it has dubbed Vault 7, as containing “dozens of zero days.” If true, that would almost certainly raise the best estimate to date, by Columbia University Senior Research Scholar Jason Healey, which puts the government’s entire zero-day arsenal at around 60 or 70, rather than in the hundreds or thousands as previously estimated.

If WikiLeaks’ “dozens” figure is correct, it’s a good assumption that only represents a portion of the CIA’s zero-day arsenal and that the National Security Agency and a handful of other agencies possess additional zero-day troves that aren’t actively retained by CIA, Healey, a former White House cyber official, told the Nextgov website.

That would mean Healey’s estimate of 60 to 70 would have to be adjusted up, he said. It’s also possible, however, Healey’s initial estimate remains sound and the WikiLeaks figure is exaggerated.

When a group known as Shadow Brokers released an NSA hacking toolkit in October, Healey expected he’d have to rejigger his estimate, he said, but the trove turned out to contain only a handful of genuine zero days.

Without examining the underlying code, which WikiLeaks did not release, it’s difficult to tell which of the more than 8,000 documents disclosed by the renegade transparency group contain genuine zero days and which exploit vulnerabilities are already known but not reliably patched.

It’s also not clear when CIA discovered the vulnerabilities, so it’s possible some were once zero days that have since been discovered independently, said Ross Schulman, co-director of the Cybersecurity Initiative at the New America think tank’s Open Technology Institute.

Some of the tools may also exploit known vulnerabilities in outdated software versions guaranteed to remain because the company has stopped issuing patches for that version, Schulman said.

Vulnerability Equities Review

The government has never disclosed how many zero days it retains at any given time. However, NSA Director Adm. Michael Rogers boasted in 2015 the government has historically shared over 90 percent of vulnerabilities it discovers with manufacturers because NSA judges those vulnerabilities would do more harm if found by an adversary than good if exploited by the agency.

That system was codified during the Obama administration in a review known as the Vulnerability Equities Process, which considers an exploit’s value to intelligence agencies, how much damage it could do if discovered by someone else and how likely that discovery is to happen.

Government officials have indicated that review process may be retained under the Trump administration, though, as with most cybersecurity questions, the president has made no firm commitments yet.

Even if the Trump administration rejiggers its calculations for retaining or disclosing zero days, it’s unlikely the arsenal will greatly expand, said Obama’s Cybersecurity Coordinator Michael Daniel.

That’s because the number of zero-day vulnerabilities the government encounters that are genuinely useful for intelligence work is quite limited, he said, so greatly expanding the percentage the government retains would serve little useful purpose.

The most important question for both Healey and Schulman is not the raw number of zero days the Vault 7 documents reveal, but whether those zero days were appropriately vetted through the equities review process, and, again, there’s no firm answer.

“If we thought the government kept dozens and it turned out to be in the low hundreds, is that bad?” Healey asked. “We can decide what’s big or what’s not and how many is too many. I’d be much more worried if these didn’t go through the vulnerabilities equities process … that’s a deeper governance issue.”

If nothing else, Schulman said, he hopes the WikiLeaks release will spur the government to ensure its vulnerabilities vetting process is firmly in place.

“What this does show with regard to VEP is its importance,” he said. “There are still a lot of open questions and now would be a great time for Congress to step in and codify the VEP to be sure that it’s a law and that it’s followed.”

For others, however, the Vault 7 trove itself is an indictment of the equities process.

The documents include hacks of Apple’s iPhone and Google’s Android platforms as well as Microsoft Windows, products used by millions of Americans. It’s not clear those exploits rely on zero days but if they do, that suggests the CIA was willing to endanger those Americans’ privacy for the sake of foreign intelligence gathering, Electronic Frontier Foundation Staff Technologist Cooper Quintin told Nextgov.

“It’s our opinion that we are all made less safe by CIA’s decision to keep these vulnerabilities rather than disclose them and help companies fix them,” he said.

Why Zero Days Are Valuable

Zero days are a strange sort of weapon. They’re highly powerful, the crown jewels of any intelligence agency, and can sell for thousands or, in rare circumstances, more than $1 million on the open market. 

The average zero-day vulnerability and the exploit that makes use of it lasts nearly seven years, according to a recent comprehensive report from the Rand Corporation. One-quarter of zero days last nearly a decade, the report found.

Yet, their value dissipates as soon as they’re used because security researchers can reverse engineer them once discovered and sell that knowhow, either to nefarious hackers or to the company whose technology is being exploited so it can issue a patch.

As a result, intelligence agencies and criminal hackers are hesitant to use zero days if known exploits will get the job done. And they often will, because organizations are frequently slow to install software patches and, especially in the case of the US government, rely on outdated systems.

Humans are also the weakest cyber link in any organisation and can frequently be conned into clicking on a phishing link and allowing an intruder into a network where fancy exploits are less necessary.

WikiLeaks founder Julian Assange announced he plans to share information about the Vault 7 vulnerabilities with manufacturers so they can patch them. Healey, on Twitter, urged the CIA to share those vulnerabilities first to deny WikiLeaks the public-relations victory.

The CIA has declined to comment on the authenticity of the Vault 7 documents, but savaged Assange and WikiLeaks in two statements.

“CIA’s mission is to aggressively collect foreign intelligence overseas” and to be “innovative, cutting edge and the first line of defense in protecting this country from enemies abroad,” a spokesman said, adding that “CIA’s activities are subject to rigorous oversight to ensure that they comply fully with US law and the Constitution.”

NextGov:

Assange: The CIA Has Lost Control Of Its Cyber Weapons Documents:

CIA leak 'absolutely' an 'inside job':

Nation State Hacking Has A Big Commercial Impact:

Government In The Information Age:

 

« Board-level Cyber Literacy Is Low, Discomfort High
Hong Kong’s 3.7 Million Voters Exposed in Massive Breach »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CyberDefenses

CyberDefenses

CyberDefenses services combine best-in-class cybersecurity oversight, managed services and training to help our clients truly address their cybersecurity challenges.

Synopsys

Synopsys

Synopsys delivers trusted and comprehensive silicon to systems design solutions, from electronic design automation to silicon IP and system verification and validation.

Serena

Serena

Serena Software helps increase speed of the software development lifecycle while enhancing security, compliance, and performance.

Rockwell Automation

Rockwell Automation

Rockwell Automation offer industrial security solutions to protect the integrity and availability of your complex automation solutions.

Cross Identity

Cross Identity

Cross Identity (formerly Ilantus Technologies) is a complete IAM solution that is deep, comprehensive, and can be implemented even by non-IT persons.

UL Solutions

UL Solutions

UL Solutions is a safety, security and compliance consulting and certification company. Areas covered include cyber security.

Digittrade

Digittrade

Digittrade develop and produce external encrypted hard disks and secure communications apps.

Blue Cedar

Blue Cedar

Blue Cedar's mobile app security integration platform secures and accelerates mobile app deployment for enterprises and government organizations around the world.

Cypherix

Cypherix

Cypherix is tightly focused on cryptography and data security. We leverage our expertise to deliver state-of-the-art, world-class encryption software packages.

Virtue Security

Virtue Security

Virtue Security are specialists in web application penetration testing.

Canonic Security

Canonic Security

Canonic streamlines app review, continuously monitors apps, and reduces the risks involved in third-party access to your data.

HackEDU

HackEDU

HackEDU provides secure coding training to companies ranging from startups to the Fortune 500.

CyberUSA

CyberUSA

CyberUSA is a collaboration of leaders and states focused on a common mission purpose of enabling innovation, education, workforce development, enhanced cyber readiness and resilience.

EdgeWatch

EdgeWatch

EdgeWatch is a platform that helps information accredited security practitioners discover, monitor, and analyze devices that are accessible from the Internet.

Salus Cyber

Salus Cyber

Salus is a provider of world-class cyber security services, enabling our clients to identify and manage their cyber risks proactively and effectively.

TerraZone

TerraZone

TerraZone is a global cyber security and privacy solutions provider to governments and enterprises.