The Vulnerabilities Equities Process is Unaccountable, Secretive, and Nonbinding

A group calling itself the Shadow Brokers recently released powerful surveillance tools publicly on the Web and promises to publish more dangerous tools for the price of one million bitcoin – or to whoever makes the best offer, if they can’t get to a million.

The Intercept has confirmed that at least one of the surveillance tools released online is “covered with the NSA’s virtual fingerprints,” making it all but certain that this tool and the others released by the Shadow Brokers came from within the agency. The SECONDDATE program, which the Intercept analyzed and compared to information in an NSA manual provided to them by whistleblower Edward Snowden, is designed to redirect a target’s browser to an NSA-controlled server which then infects the target computer with malware.

The hacking tools in question rely on zero-day vulnerabilities, i.e. vulnerabilities in software that the vendor doesn’t know about and has had “zero days” to fix. In particular, the tools were exploiting zero-day vulnerabilities in Cisco and Fortinet firewalls.

We don’t know how these sophisticated surveillance tools got out. Shadow Brokers—which some speculate is working for or on behalf of the Russian government—claim to have broken into the NSA (or rather, into Equation Group, an offensive hacking group within the NSA). Shadow Brokers wrote:

“We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.”

That’s one possibility. Others, like James Bamford, have speculated that the tools may have come from an internal leak, an employee or contractor at NSA who decided to take the tools. Edward Snowden, who knows a bit about this sort of thing, suggests that this leak may be at least in part the result of NSA agents failing to clean up old servers.

Lots of people want to speculate on how this leak could have happened and on whether there are more powerful hacking tools that will go public soon. But that’s missing the bigger question: is it time to create a real process that could, in some circumstances, force the NSA to disclose security flaws to American companies, so vulnerable systems can get patched?

The United States government has been using offensive hacking techniques for decades, but there’s been remarkably little public debate on the matter, either in Congress or the media. And it’s no wonder: for the most part, the NSA’s digital attacks are shrouded in secrecy, and only a handful of attacks ever see the light of day.

The federal government says that it does tend to disclose software vulnerabilities, but the process now is so shrouded in secrecy that there’s no way for investigative journalists or the public to verify that assertion. But even Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, has acknowledged that, "Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest."

The Equation Group hack underscores the fact that the NSA is not a perfect fortress. A future leak like the Shadow Brokers’ could lead to even more harmful security vulnerabilities being made public. Or perhaps disclosure won’t happen publicly online: powerful nation-states may hack into NSA systems to steal this information (or offer significant financial compensation to insiders willing to pass on secrets) and then use it secretly. Even if that doesn’t happen, without public data on the so-called rate of “bug collision”, we have to take the NSA’s word that the security vulnerabilities it uncovers will never be discovered by an unfriendly government and used for spying, or by criminals and used for malicious hacking.

Ari Schwartz, the former White House National Security Council Senior Director for Cybersecurity, told FedScoop that he expected another incident of software vulnerabilities leaking online in the "near future." He also indicated that there was another route: "It would be better to have vulnerabilities shared with vendors directly from the U.S. government rather than having them leak out from other sources attributed to the U.S. government."

The current—nonbinding—process for assessing whether a given security vulnerability should be disclosed is known as the Vulnerabilities Equities Process, some details of which EFF has obtained through a FOIA suit. The government is supposed to follow this process to decide whether to tell tech companies about their security flaws, or hang onto the knowledge and try to exploit the flaws in the future. But the current process is broken: even strong NSA proponents admit as much. There is no reporting requirement that would allow the American public to know what percentage of the vulnerabilities discovered are sent on to the software vendors, and no way for us to know whether high-profile security vulnerabilities ever go through this process. Even Congress is kept largely in the dark.

We are not saying that the U.S. government shouldn’t ever keep and use security vulnerabilities for intelligence purposes, or that the U.S. government shouldn’t purchase zero-day exploits. These can be and have been powerful tools for our intelligence agencies to safeguard our country. But like any intelligence tool, transparency and strong accountability are necessary to prevent abuse and unintended consequences. And when it comes to security vulnerabilities, it’s impossible to tell whether the NSA is going too far because they’ve gone to great lengths to block public and Congressional oversight of this matter.

Whenever the NSA decides to exploit a security vulnerability instead of disclosing it to the software vendor, it’s making a bet that another nation-state or malicious hacking group like the Shadow Brokers won’t also find it. With the currently available data, the public has no way of analyzing whether that’s a good bet. Even worse, the NSA isn’t just wagering their own money in this high-stakes poker game: they’re betting with the computer security of hundreds of millions of computer users.

The Equation Group leak should be a wake-up call to decision makers that we need to publicly debate the issue of government hacking, and that should start with a Congressional hearing that includes testimony from cybersecurity experts and civil society. Unless civil society and the information security community speak up now, we run the risk that these decisions will be made without our input. It’s time to roll up our sleeves and get to work.