EFF Sues NSA, ODNI Over Zero-Day Disclosure Processes

The EFF filed a FOIA lawsuit against the NSA and ODNI looking for more information on the government’s use and disclosure of zero-day vulnerabilities.

The Electronic Frontier Foundation wants a peek behind the curtain of the government’s Vulnerabilities Equities Process.

The advocacy group on Tuesday filed a Freedom of Information Act (FOIA) lawsuit against the National Security Agency and the Office of the Director of National Intelligence hoping to win a favorable ruling against the intelligence community that would result in the release of documents describing the processes behind the government’s handling of zero-day vulnerabilities.

The Vulnerabilities Equities Process is an interagency process for deciding when the government will share information about security vulnerabilities in critical software applications used not only by government agencies, but by businesses and consumers as well. In an April memo, cybersecurity coordinator Michael Daniel made it clear that buying and stockpiling zero-days has its place in national security considerations.

“Disclosing a vulnerability,” Daniel wrote, “can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”

What riles the security community is that while the government buys zero days and secures its systems against the vulnerability in question, American companies and consumers remain exposed to the threat. Daniel said there is a decision-making process in place that takes into consideration how critical the vulnerability is to core Internet infrastructure, whether an adversary could cause harm with such a threat, the likelihood of its discovery by others and whether it can be mitigated, among other criteria.

The disclosure of the Heartbleed OpenSSL vulnerability really brought this discussion to a head. Daniel denied the government knew about and that it was exploiting Heartbleed before it was disclosed earlier this year, despite allegations from sources reported by Bloomberg News to the contrary.

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run,” Daniel wrote. “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”

The EFF’s action on Tuesday follows a May 6 FOIA request to the NSA and ODNI for the records related to the government’s processes. The accepted 20-day deadline for a response passed, the EFF said in its complaint, prompting the action.

“This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community’s toolset: security vulnerabilities,” EFF Legal Fellow Andrew Crocker said in a statement. “These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country.”

The suit points out that the presidentially appointed Review Group on Intelligence and Communications Technologies report recommended that the government clarify its zero-day disclosure policies stressing the importance of patching these critical vulnerabilities on public sector and commercial networks.

While both the NSA and ODNI acknowledged receipt of the FOIA request, neither replied to the request, leading the EFF to accuse the two parties of wrongfully withholding the requested records, the suit says. Disclosures made in the numerous Snowden leaks allege the NSA of using zero days to compromise popular software packages and undermine encryption technologies safeguarding online communication and commerce.

“Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors,” Global Policy Analyst Eva Galperin said.

Suggested articles