Opinion: NSA hack reveals flaws in White House zero-day process

A potentially damaging hacking tool revealed in the apparent National Security Agency breach includes a zero-day vulnerability – or previously unknown security hole – in Cisco software. The government should have already disclosed that flaw.

Adm. Michael Rogers, head of the National Security Agency and commander of US Cyber Command, testified on Capitol Hill in April 2016. Photo: Kevin Lamarque/Reuters

Earlier this week, a group calling itself the Shadow Brokers released a cache of military-grade computer hacking tools. Since then, experts and former agency employees have substantiated that the tranche of custom-made malware originated from the National Security Agency.

Now, the dump is raising serious questions about the nature of the US government's cyberweapons arsenal. Chief among those questions is whether or not the US government should withhold information about potentially damaging flaws in software programs widely used by American companies. 

One of the most potentially damaging exploits that the Shadow Brokers revealed is a so-called "zero-day" vulnerability in a Cisco security product common in many American critical infrastructure facilities. Zero-days are security flaws that the affected company doesn't know about. 

Is that the kind of flaw that the NSA should keep secret from American businesses? Should it have told Cisco?

At the recent DEF CON hacker convention in Las Vegas, I presented research conducted with students at the Columbia University School of International and Public Affairs on the Vulnerabilities Equities Process (VEP), a White House procedure to determine when the government should retain – and when it should disclose – such vulnerabilities.

Our best estimate is that the government probably retains a small arsenal of dozens of such zero-days, far fewer than the hundreds or thousands that many experts estimated. It appears they add to that arsenal only in dribs and drabs, perhaps by single digits every year.

However, before President Obama "reinvigorated" the VEP in January 2014, the NSA probably kept many more, likely dozens per year rather than single digits. In those days, the NSA largely made its own decisions, without having to consult other parts of the government.

Today, however, the president has made clear the default decision should be to disclose flaws. While the Shadow Brokers' revelations haven't changed our estimate of the number of zero-days in the NSA's arsenal, a former NSA cyber operator told the Washington Post there were "hundreds" of such vulnerabilities at the agency and none of those were disclosed to companies.

But beyond the specific number of vulnerabilities at the NSA's disposal, the dump casts doubt on the effectiveness of the government's VEP process. Is it actually sufficient?  

Based on the policies in place today, the NSA almost certainly should have disclosed the Cisco vulnerability – just as the FBI should have told Apple about the iPhone vulnerability it relied on to unlock the phone recovered after the San Bernardino, Calif., terrorist attack.

If any agency wants to keep a zero-day, it has to argue its case to the National Security Council (NSC) and other agencies such as the Department of Homeland Security and the Department of Commerce that are concerned primarily with securing US critical infrastructure.

According to many people we interviewed for our zero-day research, participants in the equities review process are senior members of the administration and meet frequently. It's an active process. 

Furthermore, the Obama administration's criteria are clear that the default position is to tell vendors and the NSC. If a vulnerability affects US critical infrastructure or imposes a high risk, the government should not keep it. That's certainly the case with the Cisco security bug.

The president's policy doesn't apply to bugs discovered prior to 2010. So, the NSA was not in violation of the policy’s wording, but it certainly seems against the president’s intent.

The best case for NSA retaining the Cisco vulnerability is that it was monitoring signals intelligence for signs that others knew about it. And, possibly, if the agency discovered that it was being deployed, it would inform Cisco.

Still, the Shadow Brokers leak makes it clearer than ever that the president needs to strengthen the equities review process to close the apparent loopholes that the NSA and FBI may rely on to keep their zero-days hidden.

Former White House staffers Rob Knake and Ari Schwartz have published a great list of recommendations: formalize the process as an executive order, make it more transparent through an annual report, periodically review retained vulnerabilities (including those from before 2010), and create a watchdog similar to the Privacy and Civil Liberties Oversight Board.

The Shadow Brokers revelations give the impression of an NSA that's out of control. The Vulnerabilities Equities Process is meant to put some restraints on the agency when it comes to its hacking tools – it's a good process designed to govern an incredibly critical function of the agency.

But the government should act quickly – and transparently – to reform this process to retain the trust of American technologists, the US public, and our allies.

Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs and a senior fellow at the Atlantic Council. Follow him on Twitter @Jason_Healey.