Cyber Security and Emerging Threats Eimi Harris

Cyber Vulnerability and Government Obligation: What To Do With Zero-Day Vulnerabilities

Does the US government have an obligation to disclose zero-day vulnerabilities it finds in cyber-based programs to private technology firms?

This question is just one part of the on-going conflict between Silicon Valley’s private tech firms and the US government; where both have interests in protecting consumer data and national security, tensions have been rising over which to prioritize. While cases like Apple v. FBI and Microsoft v. USA have depicted tech firms’ commitment to consumer security over claims of national security, a recent NSA leak has brought to light how zero-day vulnerabilities are used by the US government for intelligence purposes.

Zero-day vulnerabilities are flaws in a software that have been detected by a third-party before the developers themselves. For those seeking to exploit a certain program, finding a zero-day vulnerability presents a unique opportunity; you could develop a tool that uses the vulnerability to bypass or abuse whatever the original program was intended to do. Once that tool has been developed, it can be used on any other device utilizing that program until developers fix the zero-day themselves (if they ever detect it). With the right softwares targeted, zero-day vulnerabilities can ultimately lead to some incredibly powerful, invasive cyber weapons – this includes tools for espionage purposes.

To be clear: a zero-day vulnerability is not a threat on its own. It is how those who find the vulnerabilities choose to exploit it that holds the real danger. But how real is the impact of using a vulnerability? Looking at the tools revealed in the NSA leak, one exploiting a zero-day vulnerability in a Cisco firewall could “work to take over a firewall from the inside of a target network.” Though the leak only included exploits from as recently as 2013, a third-party confirmed that the Cisco exploit still works today (Cisco did advise those utilizing the affected program to update their software in response to the zero-day).

The danger of the NSA leak is different from the danger of withholding zero-day vulnerabilities entirely, but they are not completely unrelated. The problem with the NSA leak is that it has made some of the tools the NSA has used to exploit zero-day vulnerabilities available to countries like China and Russia (both very aggressive cyber-players on an international level). Many other companies implicated in the NSA leak have had to come forward and warn their own consumers and corporate clients that their products are vulnerable right now. The implications of the NSA leak are going to have real-world consequences on the data security of American consumers and companies.

On a broader scale, however, there is the question of which vulnerabilities get withheld and why. When government agencies find a zero-day (whether it buys the vulnerability or detects it on their own), there are two choices: disclose the vulnerability to the developer, or keep the zero-day to themselves for intelligence purposes. The decision is supposed to be determined through the Vulnerability Equities Process (VEP), in which the Information Assurance Directorate of the NSA and an interagency Equities Review Board review the vulnerability and vote to disclose or withhold.

But there are problems with the VEP. The problem right now is not that the government is stockpiling all the vulnerabilities it finds; the government currently discloses 91% of the vulnerabilities it finds, with the other 9% either used operationally or eventually corrected by the developers themselves. The problem is that the process of ‘withhold or disclose’ currently lacks transparency. The White House did release a blog post in 2014 outlining some basic considerations (such as how much the vulnerability affects major infrastructure, the likelihood other groups have found the vulnerability, the value of intelligence that could be collected through the vulnerability), the formal criteria used in the VEP to make that decision is not available to the public, making the process frustrating for technology firms advocating for greater disclosures.

With many advocating for a VEP reform increasing transparency, what we need to understand are what the consequences of disclosing or withholding are for the government and technology firms.

Disclosing a discovered zero-day vulnerability means a tech firm can fix the vulnerability. This translates greater security for consumers using the product in question, but the loss of an intelligence-gathering opportunity. Withholding the vulnerability allows the government intelligence-gathering opportunities, but leaves that vulnerability out in the open if another adversarial group finds that same zero-day and chooses to exploit it to harm American consumers and companies. Because of the risk to consumers, some are arguing that the government should disclose all the vulnerabilities it finds.

The major risk we seem to be contending with is the likelihood that an adversarial group finds the same zero-day that the US government had chosen to withhold. Where the reality is that few of the vulnerabilities the US government finds are rarely discovered by anybody else, this risk seems small. Coupled with the potential for great intelligence benefits, it is important to understand the strategic importance withholding some vulnerabilities have for national security purposes.

This is incredibly important to keep in mind when we think about international cyber-landscape. Where the US is withholding certain vulnerabilities for intelligence purposes, we can be fairly certain that China and Russia are doing the same. Because each country has different levels of cyber-development and cyber-integration into society, each country is going to have a different sense of which vulnerability needs to be fixed and which ones can be withheld. The US is particularly cyber-dependent, meaning it is going to have to be more cognizant of what damage can be caused by a particular zero-day vulnerability than not.

So does the US government have an obligation to disclose zero-day vulnerabilities it finds in cyber-based programs to private technology firms? It really depends, and that is something both the US government and tech firms are going to have to keep in mind as they move further in their own cyber-relationship. Despite the tensions growing between commitments to consumer data security and national security, this is one area that speaks to the importance of cooperation rather than antagonism.


Photo: By Mike Herbst via Wikimedia Commons. Licensed under CC BY 2.0. 

Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.

Eimi Harris
Eimi Harris is a student working towards her undergraduate degree in International Relations and Economics at the University of Toronto. Her main focus in international affairs is cybersecurity, particularly diplomatic relations and normative development in the cybersphere. On the side, she enjoys watching films and is also working towards her Cinema Studies degree.