WikiLeaks Dump Shines Light On US Intelligence’s Zero-Day Policy

WikiLeaks’ massive release of CIA cyber exploits produced more questions than answers about the US government and its intelligence agencies’ shadowy procedure for hoarding damaging digital vulnerabilities that remain unknown even to a system’s manufacturer.

These bugs, called zero days because industry has had zero days to create and promulgate a software patch, can be goldmines for US intelligence agencies looking to sneak undetected into the computers, phones and other electronic devices of terrorists and officials of adversary nation-states.

These glitches can be extremely dangerous, however, if those same terrorists or other nations’ intelligence agencies discover them independently and use them to spy on Americans. If discovered by cyber criminals, they might also be used to steal money or information from American citizens or US companies.

How Many Zero Days Does the Government Have?

WikiLeaks describes the leaked documents, which it has dubbed Vault 7, as containing “dozens of zero days.” If true, that would almost certainly raise the best estimate to date, by Columbia University Senior Research Scholar Jason Healey, which puts the government’s entire zero-day arsenal at around 60 or 70, rather than in the hundreds or thousands as previously estimated.

If WikiLeaks’ “dozens” figure is correct, it’s a good assumption that this figure represents only a portion of the CIA’s zero-day arsenal and that the National Security Agency and a handful of other agencies possess additional zero-day troves that aren’t actively retained by CIA, Healey, a former White House cyber official, told the Nextgov website.

That would mean Healey’s estimate of 60 to 70 would have to be adjusted up, he said. It’s also possible, however, Healey’s initial estimate remains sound and the WikiLeaks figure is exaggerated.

When a group known as Shadow Brokers released an NSA hacking toolkit in October, Healey expected he’d have to rejigger his estimate, he said, but the trove turned out to contain only a handful of genuine zero days.

Without examining the underlying code, which WikiLeaks did not release, it’s difficult to tell which of the more than 8,000 documents disclosed by the renegade transparency group contain genuine zero days and which exploit vulnerabilities are already known but not reliably patched.

It’s also not clear when CIA discovered the vulnerabilities, so it’s possible some were once zero days that have since been discovered independently, said Ross Schulman, co-director of the Cybersecurity Initiative at the New America think tank’s Open Technology Institute.

Some of the tools may also exploit known vulnerabilities in outdated software versions guaranteed to remain because the company has stopped issuing patches for that version, Schulman said.

Vulnerability Equities Review

The government has never disclosed how many zero days it retains at any given time. However, NSA Director Adm. Michael Rogers boasted in 2015 the government has historically shared over 90 percent of vulnerabilities it discovers with manufacturers because NSA judges those vulnerabilities would do more harm if found by an adversary than good if exploited by the agency.

That system was codified during the Obama administration in a review known as the Vulnerability Equities Process, which considers an exploit’s value to intelligence agencies, how much damage it could do if discovered by someone else and how likely that discovery is to happen.

Government officials have indicated that review process may be retained under the Trump administration, though, as with most cybersecurity questions, the president has made no firm commitments yet.

Even if the Trump administration rejiggers its calculations for retaining or disclosing zero days, it’s unlikely the arsenal will greatly expand, said Obama’s Cybersecurity Coordinator Michael Daniel.

That’s because the number of zero-day vulnerabilities the government encounters that are genuinely useful for intelligence work is quite limited, he said, so greatly expanding the percentage the government retains would serve little useful purpose.

The most important question for both Healey and Schulman is not the raw number of zero days the Vault 7 documents reveal, but whether those zero days were appropriately vetted through the equities review process, and, again, there’s no firm answer.

“If we thought the government kept dozens and it turned out to be in the low hundreds, is that bad?” Healey asked. “We can decide what’s big or what’s not and how many is too many. I’d be much more worried if these didn’t go through the vulnerabilities equities process … that’s a deeper governance issue.”

If nothing else, Schulman said, he hopes the WikiLeaks release will spur the government to ensure its vulnerabilities vetting process is firmly in place.

“What this does show with regard to VEP is its importance,” he said. “There are still a lot of open questions and now would be a great time for Congress to step in and codify the VEP to be sure that it’s a law and that it’s followed.”

For others, however, the Vault 7 trove itself is an indictment of the equities process.

The documents include hacks of Apple’s iPhone and Google’s Android platforms as well as Microsoft Windows, products used by millions of Americans. It’s not clear those exploits rely on zero days but if they do, that suggests the CIA was willing to endanger those Americans’ privacy for the sake of foreign intelligence gathering, Electronic Frontier Foundation Staff Technologist Cooper Quintin told Nextgov.

“It’s our opinion that we are all made less safe by CIA’s decision to keep these vulnerabilities rather than disclose them and help companies fix them,” he said.

Why Zero Days Are Valuable

Zero days are a strange sort of weapon. They’re highly powerful, the crown jewels of any intelligence agency, and can sell for thousands or, in rare circumstances, more than $1 million on the open market.

The average zero-day vulnerability and the exploit that makes use of it lasts nearly seven years, according to a recent comprehensive report from the Rand Corporation. One-quarter of zero days last nearly a decade, the report found.

Yet, their value dissipates as soon as they’re used because security researchers can reverse engineer them once discovered and sell that knowhow, either to nefarious hackers or to the company whose technology is being exploited so it can issue a patch.

As a result, intelligence agencies and criminal hackers are hesitant to use zero days if known exploits will get the job done. And they often will, because organizations are frequently slow to install software patches and, especially in the case of the US government, rely on outdated systems.

Humans are also the weakest cyber link in any organisation and can frequently be conned into clicking on a phishing link and allowing an intruder into a network where fancy exploits are less necessary.

WikiLeaks founder Julian Assange announced he plans to share information about the Vault 7 vulnerabilities with manufacturers so they can patch them. Healey, on Twitter, urged the CIA to share those vulnerabilities first to deny WikiLeaks the public-relations victory.

The CIA has declined to comment on the authenticity of the Vault 7 documents, but savaged Assange and WikiLeaks in two statements.

“CIA’s mission is to aggressively collect foreign intelligence overseas” and to be “innovative, cutting edge and the first line of defense in protecting this country from enemies abroad,” a spokesman said, adding that “CIA’s activities are subject to rigorous oversight to ensure that they comply fully with US law and the Constitution.”

NextGov: