
    The Government Says It Has a Policy on Disclosing Zero-Days, But Where Are the Documents to Prove It?

    Business Matters. By EFFSource. Mar 30, 2015. Updated: Mar 31, 2015.

    We have known for some time that the U.S. intelligence and law enforcement community looks to find and exploit vulnerabilities in commercial software for surveillance purposes. As part of its reluctant, fitful transparency efforts after the Snowden leaks, the government has even officially acknowledged that it sometimes uses so-called zero-days. These statements are intended to reassure the public that the government nearly always discloses vulnerabilities to software vendors, and that any decision to instead exploit the vulnerability for intelligence purposes is a thoroughly considered one. But now, through documents EFF has obtained from a Freedom of Information Act (FOIA) lawsuit, we have learned more about the extent of the government’s policies, and one thing is clear: there’s very little to back up the Administration’s reassuring statements. In fact, despite the White House’s claim that it had “reinvigorated” its policies in spring 2014 and “established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure,” none of the documents released in response to our lawsuit appear to be newer than 2010.

    Last spring, the Office of the Director of National Intelligence (ODNI) issued a strong denial of press reports that the NSA knew about and exploited the Heartbleed vulnerability in the OpenSSL library. As part of that denial, the ODNI described the “Vulnerabilities Equities Process” (VEP), an “interagency process for deciding when to share vulnerabilities” with developers. EFF submitted a FOIA request to ODNI and NSA to learn more about the VEP and then sued to force the agencies to release documents.

    ODNI has now finished releasing documents in response to our suit, and the results are surprisingly meager. Among the handful of heavily redacted documents is a one-page list of VEP “Highlights” from 2010. It briefly describes the history of the interagency working group that led to the development of the VEP and notes that the VEP established an office called the “Executive Secretariat” within the NSA. The only other highlight left unredacted explains that the VEP “creates a process for notification, decision-making, and appeals.”

    And that’s it. This document, which is almost five years old, is the most recent one released. So where are the documents supporting the “reinvigorated” VEP 2.0 described by the White House in 2014? Nor do the documents we have seen do much to back up the claim that VEP 1.0 ever functioned as a guide for helping the government decide whether to disclose zero-days. Meanwhile, reports describing the CIA’s annual hacker “jamboree” instead suggest that there’s little stopping the government from exploiting vulnerabilities it comes across. Indeed, none of the documents describing the CIA’s jamboree contain the slightest suggestion that the VEP was actively considered.

    Writing about the newly released documents in Wired, Kim Zetter places them in the context of the government’s development of the Stuxnet worm:

    We know that Stuxnet, a digital weapon designed by the U.S. and Israel to sabotage centrifuges enriching uranium for Iran’s nuclear program, used five zero-day exploits to spread between 2009 and 2010—before the equities process was in place. One of these zero-days exploited a fundamental vulnerability in the Windows operating system that, during the time it remained unpatched, left millions of machines around the world vulnerable to attack. Since the equities process was established in 2010, the government has continued to purchase and use zero days supplied by contractors.

    The older documents [.pdf] released to EFF by ODNI are so thoroughly redacted that it’s difficult to glean much from them, though they seem mainly to report progress made by the working group developing the VEP over the course of several months in 2008. One suggests that the working group recognized different considerations between the government’s “Offense” and “Defense” functions in dealing with zero-days. Another tantalizingly mentions that the working group asked stakeholders to begin “drafting of scenarios (vignettes)” to illustrate the policy issues involved in the VEP, but of course any such vignettes in the documents are redacted.

    The core of the concern over the government’s use of zero-days is that these vulnerabilities often exist in products that are used widely by the general public. If the government keeps a vulnerability secret for intelligence purposes, it does not notify the developer, which would likely otherwise issue a patch and protect users from online adversaries such as identity thieves or foreign governments who may also be aware of the zero-day. Nevertheless, the Snowden leaks have shown that the government apparently routinely sits on zero-days, something that President Obama’s own Review Group strongly recommended against [.pdf]. The VEP is supposedly an answer to these concerns, but right now it looks like just so much vaporware.

    All the documents released in response to EFF’s FOIA suit so far are available here. We’re still awaiting documents from NSA due to be released in the next three weeks.

    Source: Electronic Frontier Foundation (EFF) – eff.org
