The federal government’s Vulnerabilities Equities Process—albeit a heavily redacted version—was turned over more than a year ago, and despite that measure of visibility, privacy and security watchdogs still don’t have the transparency they seek with regard to the unreported flaws the government has at its disposal.

On Monday during a panel hosted by the Open Technology Institute, security, privacy and policy experts debated a number of outstanding issues with regard to the VEP, and how the context of this year’s Apple-FBI and FBI-Tor incidents will impact vulnerability disclosure and usage going forward.

The policy, which governs the feds’ vulnerability use and disclosure, was released last September to the Electronic Frontier Foundation (EFF) through a Freedom of Information Act lawsuit. The document remains a divisive issue among policy wonks, many of whom wrestle with the government’s need to use zero days in intelligence gathering operations versus the overall safety of the Internet and the need to patch bugs as they’re found.

“It’s not that the process buys us a ton of added security and we’ll all be safer; it really is about transparency,” said Jason Healey, senior research scholar at Columbia University’s School for International and Public Affairs. “Checks and balances can’t just happen among spies and the police. It will now be made at the White House.”

Healey assembled a team from Columbia that tried its best to approximate the number of zero-days in the government’s possession and bring some scale to the conversation. Healey said the results will be formally released in the coming weeks, but he did say that the number is likely not so large.

“It’s far lower than we thought,” Healey said, adding that he believes the NSA keeps zero days totaling in the single digits on a yearly basis, and that it has probably “dozens” of zero days overall at its disposal, which he likened more to a weapons locker than an arsenal.

This number, he argues, has gone down since a 2014 policy change by the White House that puts VEP on a default path to disclosure. From 2010 to 2014, the process involved notifying the NSA (the VEP’s Executive Secretariat) of a newly discovered vulnerability found by a government white hat or contractor. The zero day would ultimately go before an Equities Review Board chaired by the NSA and also including senior agency representatives who would make a decision to disclose the flaw to vendors, or retain it.

Post-Snowden, President Obama changed the policy, making it disclose-by-default and moving decision-making authority from the NSA to the White House.

NSA Director Admiral Michael Rogers recently said 93 percent of zero days have been disclosed through VEP, and while that’s a relatively large percentage, the panel argued that without more transparency, that revelation is meaningless.

“I think the number of vulnerabilities the NSA holds onto is relatively small. There are some numbers out there; in 2011 the NSA said they had somewhere between 300 or 400 vulnerabilities and almost all of them were disclosed. That’s a lot, but then you have to sit back and think one vulnerability puts how much of the Internet at risk?” said Heather West, senior policy manager at Mozilla. “Something like Heartbleed, had the government known about it and decided to operationalize it, would have put almost every service provider at risk. Remediating that took a lot of resources.”

The risk is not only that the vulnerabilities the NSA may have at its disposal won’t get fixed, but also how safe they are in the government’s possession. The origin of the recent ShadowBrokers’ dump of Equation Group exploits for Cisco, Juniper and other networking gear is still unknown. Some have speculated that an NSA staging site hosting these exploits was hacked, while others wonder if a rogue insider was the cause of the leak.

“We shouldn’t think of holding on to vulnerabilities as this air-tight safe the government has, even if it’s a small number. The ShadowBrokers story demonstrates that there may have been an overconfidence in the government’s retention of vulnerabilities,” said Andrew Crocker, staff attorney at the EFF. “Whether they were stolen or leaked, it seems vulnerabilities the NSA was holding on to fell into the hands of someone else. There’s no reassuring version of that story.

“Either the NSA didn’t know they had been stolen for three years until they were put on the Internet, or the NSA knew about it and didn’t tell Cisco and presumably they were used by someone else for three years. I don’t think we should lose sight of that risk.”
