The White House wants you to know that it did not know about the OpenSSL Heartbleed vulnerability before you did. The White House also wants you to know that administration officials don’t think stockpiling zero days is necessarily good for national security. That’s all well and good, except that it mostly doesn’t matter.

One of the results of the NSA revelations over the course of the last year is that intelligence officials–and even President Obama–have been forced to discuss publicly topics that always have been kept under wraps. The most interesting of these for our purposes is the discovery, use and disclosure by the United States government of new vulnerabilities in key software applications. This particular task has been part of the NSA’s mission for some time now, and the agency is known to be quite good at it. The NSA has an untold number of researchers working full time to find new vulnerabilities and develop exploits for them. It’s part of the agency’s bag of tricks for collecting foreign intelligence, and in today’s world, it’s among the more valuable ones.

There are separate teams at the NSA and other intelligence and defense agencies that have the job of exploiting those vulnerabilities, which they do quite well, too. But the NSA also is tasked with protecting U.S. government networks, a dichotomy that has not been lost on critics in the security community who worry about whether the agency prioritizes its defensive or offensive mission. Michael Daniel, special assistant to the president and cybersecurity coordinator, acknowledged that use of zero days is a vital part of the intelligence-collection process and one that the U.S. should not give up easily.

“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” he wrote in a blog post yesterday.

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run.”

Here’s the problem, though: The government doesn’t necessarily need to stockpile zero days, because it has a cadre of contractors doing that job in its stead.

If the U.S. government decided today to stop all of its internal vulnerability and exploit development, it would have little effect. The contractor community would be right there to fill the void. Many contractors have their own teams of vulnerability researchers and exploit developers and they would be more than capable–and more than happy–to step in and provide their services to the NSA, CIA and any other agency that had budget dollars to spend. There would be demand and no shortage of supply.

The concerning thing about the government’s zero-day program isn’t that it has one; it would be worrisome if the U.S. didn’t do this kind of research, because everyone else certainly is. The real issue is how the government handles the vulnerabilities it discovers. It’s not realistic to expect intelligence and defense agencies to spend millions of dollars and thousands of man-hours to find vulnerabilities and then disclose them immediately. That would defeat the purpose. But there needs to be a better process than the one we currently have, which is opaque but surely heavily influenced by intelligence agencies.

One of the conundrums of vulnerability research is that there’s no way to know whether the bug you just discovered is in fact new. The population of skilled researchers around the world is sufficiently large that it’s possible, if not probable, that someone else has found the same bug and is already using it. It’s tempting to think that you’ve discovered a special snowflake, but there’s a good chance someone on the other side of the Web has found the same snowflake. So the fact that the White House has a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure” sounds nice, but it’s not enough.

As Mike Tyson once said, “Everybody has a plan until they get punched in the mouth.” U.S. networks are being punched in the mouth every day, and it’s cold comfort to know that government officials are carefully considering whether to disclose vulnerabilities that may already be in use against the country’s own assets.

Comment (1)

  1. Timmy

    One of the consequences of the NSA valuing zero days so highly is that they must believe that it’s against the interests of national security for anyone to report a bug – particularly a bug the NSA is exploiting to observe a target. Reporting a bug means a bunch of NSA targets will update their systems and their activities will suddenly be outside of the NSA’s view. In theory, people reporting security bugs can thus be charged under the 1917 Espionage Act, and probably will be very soon, as this administration continues to get more and more aggressive. It wouldn’t surprise me if Mike Rogers starts pushing for charges like this.