The re-assurances may be misleading, because the NSA often uses the
vulnerabilities to make its own cyber-attacks first, according to
current and former U.S. government officials. Only then does NSA
disclose them to technology vendors so that they can fix the
problems and ship updated programs to customers, the officials said.
At issue is the U.S. policy on so-called "zero-days," the serious
software flaws that are of great value to both hackers and spies
because no one knows about them. The term zero-day comes from the
amount of warning users get to patch their machines protectively; a
two-day flaw is less dangerous because it emerges two days after a
patch is available.
The best-known use of zero-days was in Stuxnet, the attack virus
developed by the NSA and its Israeli counterpart to infiltrate the
Iranian nuclear program and sabotage centrifuges that were enriching
uranium.
Before its discovery in 2010, Stuxnet took advantage of previously
unknown flaws in software from Microsoft Corp and Siemens AG to
penetrate the facilities without triggering security programs.
A shadowy but robust market has developed for the buying and selling
of zero-days, and as Reuters reported in May 2013, the NSA is the
world's top buyer of the flaws. The NSA also discovers flaws
through its own cyber programs, using some to break into computer
and telecommunications systems overseas as part of its primary
spying mission.
Some zero-days are worth more than others, depending on such factors
as the difficulty in finding them and how widespread the targeted
software is. While some can be bought for as little as $50,000, a
prominent zero-day broker said this week that he had agreed to pay
$1 million to a team that devised a way to break into a fully
updated Apple iPhone. Chaouki Bekrar, of the firm Zerodium, told
Reuters the iPhone technique would "likely be sold to U.S. customers
only," including government agencies and "very big corporations."
Government officials say there is a natural tension as to whether
zero-days should be used for offensive operations or disclosed to
tech companies and their customers for defensive purposes.
In the wake of revelations by former NSA contractor Edward Snowden
and a Reuters report that detailed how the government paid security
firm RSA to include NSA-tainted encryption in its software, a
White House review panel recommended tilting government policy more
towards defense.
President Barack Obama's cybersecurity coordinator, Michael Daniel,
then said he had "reinvigorated" the review process that decides
what to do about each flaw that comes to government attention. The
details of that process remain classified, but interviews show that
the changes sharply elevated the role of the Department of Homeland
Security, which is responsible for defense and had not previously
been at the center of inter-governmental debates on the issue.
After Daniel described the revamped process broadly, the activist
Electronic Frontier Foundation sued for documents about it under the
Freedom of Information Act.
The most significant release in that case came in September, with an
undated and partly redacted 13-page memo outlining how agencies
should handle knowledge about software vulnerabilities. The memo
[https://www.eff.org/document/vulnerabilities-equities-process-redactions]
states that the NSA's defensive arm, the Information Assurance
Directorate, served as the executive secretariat for the process.
HOMELAND SECURITY
A redacted portion of the memo lists the agencies that participated
in the process as a matter of course. An unredacted part refers to
other agencies that can ask to participate on a case-by-case basis,
and the Department of Homeland Security appears in that section,
along with the departments of State, Justice, Treasury and Commerce.
Two former White House officials said that the memo referred to the
old system, before Daniel reorganized it about a year and a half
ago.
In an interview, Daniel told Reuters that DHS was a key part of the
new system, which is run by the White House's National Security
Council.
"DHS is at the table in the process I'm running," Daniel said.
An NSA spokeswoman referred questions about its policy to the NSC,
where a spokesman referred Reuters back to the NSA.
The NSA says on its website that it understands the need to use most
flaws for defense.
"In the vast majority of cases, responsibly disclosing a newly
discovered vulnerability is clearly in the national interest,"
according to the website.
"But there are legitimate pros and cons to the decision to disclose
vulnerabilities, and the trade-offs between prompt disclosure and
withholding knowledge of some vulnerabilities for a limited time can
have significant consequences.
"Disclosing a vulnerability can mean that we forgo an opportunity to
collect crucial foreign intelligence that could thwart a terrorist
attack, stop the theft of our nation's intellectual property, or
discover even more dangerous vulnerabilities that are being used to
exploit our networks."
The agency said: "Historically, NSA has released more than 91
percent of vulnerabilities discovered in products that have gone
through our internal review process and that are made or used in the
U.S."
It said the rest included some that had already been fixed as well
as those held back "for national security reasons."
One former White House official noted that the NSA did not say when
the disclosures were made, adding that it would be "a reasonable
assumption" to conclude that much of that 91% covers flaws the NSA
had already used to gather intelligence before alerting the
companies. He also said the figure includes those bought from
outside entities. NSA and NSC officials declined to address those
assertions.
It is anyone's guess how long the average gap is between offensive
use and defensive disclosure, said Denelle Dixon-Thayer, chief legal
and business officer of Firefox browser maker the Mozilla
Foundation.
The bigger that gap is, the greater the likelihood that other
countries or hackers using similar hunting techniques have also
discovered it. Even if they haven't, the target of a U.S. cyber
attack can detect what technique was used and repurpose it against
the U.S. and others.
"If it's disclosed after it's already been executed against, that's
a really important question," Dixon-Thayer said.
In the revamped U.S. evaluation process, another former official
said that the Department of Homeland Security is often the most
vigorous "dove" in the discussions, arguing for disclosures before
others find the same flaw and exploit it.
A current administration official said that the proportion
of serious flaws disclosed to vendors did not jump after the NSC
took control of the process. "It's still early, but the trend has
not significantly changed," the official said.
The growing discussion about U.S. policy on vulnerability disclosure
comes as House and Senate leaders prepare to fine-tune three related
bills on cybersecurity information-sharing, which are designed to
give companies legal protection for reporting attacks to the
government.
Mozilla and many other technology companies oppose those bills
because they will give the government more information about
customers and attacks without requiring the government to give more
information to the companies.
Dixon-Thayer said officials could even take what they learn about
new techniques from the industry to launch their own attacks instead
of helping defenders.
(Fixes typographical error in headline)
(Reporting by Joseph Menn in Washington; Editing by Jonathan Weber
and John Pickering)
© 2015 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.