The US Government only holds “dozens” of vulnerabilities at any one time.
Speaking at Def Con in Las Vegas, Jason Healey from Columbia University presented a research project on how many vulnerabilities the government decides to retain rather than disclose. When he asked the audience how many thought the number was in the hundreds or thousands, the majority raised their hands; Healey said the evidence suggests that very few are kept.
“I don’t know if I have the answer, but I have got information,” he said. “I tried to make a judgement based on my judging of evidence on the technology and the policy side, and the reason we are suspicious has given us reason to research. I may not convince all of you, and that is OK; what I prefer is to be convinced that we did the best job we could, and if I got it wrong, someone can come on and give better answers.”
He said that the government has two rules with vulnerabilities: some agencies use zero-days and keep them open, as we saw with Apple v FBI, while others hold equities and want them closed down.
“The government has been using and sharing vulnerabilities back to the 1990s; the offensive part of the Air Force said ‘tell us first’ and they kept them for offensive purposes,” he said. “Nothing was decreed from the White House until 2002, when it came out with the classified NSPD-16 on ‘guidelines for offensive cyber warfare’. There was no policy or process to deal with this, but there definitely was an equities process in the NSA; the decision was up to the director of the NSA and didn’t need advice from anyone outside the NSA.”
Formal processes were introduced in 2010, with decisions made on whether to disclose to or notify vendors, but Healey claimed that the process did not appear to have ever been fully implemented. Post-Snowden, President Obama set out a better disclosure policy and process in January 2014, under which the default is to disclose.
Healey said: “In March 2014, the NSA said it had always done this with hardware and software vulnerabilities, and if it retains one, it uses signals intelligence to see if anyone else has the bug. For a policy guy, that is as strong as it gets; the President himself made the decision.”
His research found that 91% of vulnerabilities over the history of the NSA were disclosed, while the remaining 9% were either fixed by the vendor before it was notified or withheld for national security purposes.
With a budget of $25.1 million for covert purchases, Healey reasoned that if 250 important vulnerabilities were bought at $100K each, and 25 were retained while the others were patched, you would end up with 75, but he said that is too simplistic for that amount of spend. In another example, if 12 critical commercial vulnerabilities were bought at $1 million each and five critical ones at $2M each, and only five were patched, the total retained would be 15.
“Today, it is probably single digits,” he said. “So with only 50 in the wild, single digits is probably right.”
Referring to the Apple vs FBI case, Healey claimed that under current policy the FBI should have to submit the zero-day to the process based on its criteria, while the FBI cites contractual IP restrictions, claiming it does not know what the vulnerability is.
“What is the next president going to do, as this is based on the current President! There is no role for Congress as it is just a policy, and there needs to be a mandate added until after the vulnerability has gone through the process, and we need other countries to get involved.”
He concluded by encouraging delegates to disclose vulnerabilities to vendors, as that will disarm the government. “If you are out discovering vulnerabilities, make sure you tell the vendor, as we need more attention on the vendor and a decent process for disclosing,” he said.
Picture courtesy of https://www.twitter.com/rapid7