Those who believe the US federal government has stockpiled thousands of zero-day vulnerabilities, as a Def Con 24 audience estimated Friday, might be relieved and surprised to know (and likely a little more than incredulous) that the number of vulnerabilities in its arsenal is, according to Columbia University senior research scholar Jason Healey, in the dozens.
Healey, who will release the results of research done by his team at Columbia University this autumn, acknowledged that he wasn't “going to convince a lot of you” because government had “given us a lot of reason to be suspicious.”
But while Healey said, “I don't know if we got the right answer,” his team tried “to run down every line of evidence we can.”
And the results fall into line with what the US government has claimed and others have concluded. The US government's US$ 25 million (£19 million) budget for the covert purchase of vulnerabilities implies a more modest arsenal.
“If I had budget like that … I would [shop for] higher value vulnerabilities,” Healey said.
The government's dual roles regarding disclosure of vulnerabilities have in the past created discord among agencies – with law enforcement types keen on keeping and using zero-days, while departments focused on critical infrastructure and cyber-security, like Commerce, State and even Homeland Security, want the vulnerabilities disclosed to vendors quickly so they can be addressed.
“That's why you'd see tension between them,” Healey said.
That the US government stockpiles zero-day vulnerabilities is nothing new, stretching back 15 to 20 years, but the policies surrounding the way it manages and discloses them have evolved.
What was essentially no policy at all – with a 2002 policy directive leaving disclosure up to the US National Security Agency's discretion – gave way to a more thoughtful and elaborate policy with the establishment of the Vulnerabilities Equities Process (VEP) in 2010.
“It really kicked in in 2010, with a document that says here's the process, how to do it,” Healey said.
“As a policy guide, it was OK,” he said, explaining that it even included an appeals process, although documents obtained through FOIA requests were so heavily redacted that “we can't tell what it was.”
It likely “wasn't very fully implemented,” Healey said, noting that former NSA chief Gen. Michael Hayden said it wasn't fully operational. That might have led to tensions between the different bureaucracies, Healey explained.
“Imagine seeing departments like DHS and Commerce saying ‘you did what with Stuxnet and my agency had to deal with it,’” he said.
But those tensions have since dissipated after the Obama administration released a presidential directive with stronger and more definitive policy.
“Today [we] don't see that disagreement; the lack of that is very telling,” said Healey. Now, “you disclose vulnerabilities to the vendor by default.” If an agency doesn't want to disclose, then it has to make a case for withholding that information.
“The president said it's just too damn important to leave for [just] anyone” to decide, he said.
Proposed exceptions to the disclosure default threatened to weaken the policy, though.
“Exceptions you can drive a truck through,” said Healey, leave intelligence agencies a lot of latitude. “If [you] have that kind of exception, you know what intelligence agencies are going to do. They're going to take it to the edge.”
But three breakthroughs helped to turn things around. The first came when the Heartbleed vulnerability emerged. Calling it a “stunning” move, Healey said the NSA “came out and said we had no idea about this.”
The revelation forced the White House's hand and raised a number of questions, such as whether the vulnerability was something Russia would use against the US or whether it was “a routine bug.”
That, Healey said, “was not a bad analytical way to go about it. What questions do we need to answer?”
The second breakthrough came from efforts by the Electronic Frontier Foundation (EFF) to obtain additional information through FOIA. Healey gave the nod to the EFF for doing “a fantastic job on FOIA requests.”
The third breakthrough occurred when the NSA came out with additional information, saying that “91 percent of vulnerabilities that went through [the] NSA process were disclosed to vendors,” Healey said, explaining that of the remaining nine percent, many had already been discovered by the vendors themselves.
Where the policy and transparency go from here depends on the steps taken by the next president. “Right now, there's no role for Congress in this,” said Healey. Existing policy “could be made stronger through Executive Order.”