Little by little, the government is opening up about its use of computer security vulnerabilities. Last month, the NSA disclosed that it has historically “released more than 91% of vulnerabilities discovered in products that have gone through our internal review process and that are made and used in the United States.” There should probably be an asterisk or four accompanying that statement. But more on that in a minute. First, it’s worth examining why the government is being even the slightest bit forthcoming about this issue.
Since 2014, EFF has been suing under the Freedom of Information Act to get access to what the government calls the Vulnerabilities Equities Process (VEP). That’s the policy that lets the NSA, FBI and others decide whether to tell vendors and software developers about weaknesses in their products or whether to hold onto and “exploit” them.
We’ve had some real success. The government initially wasted months claiming that the VEP was entirely classified. Then, on the eve of a court battle, it changed course and released the foundational VEP document. As expected, the VEP details a process for handling competing government interests in security vulnerabilities. On one hand, disclosing the vulnerability will protect U.S. systems against hacking. This is especially important when the vulnerability exists in systems or products used by both the government and the public. Turns out that’s extremely common. As the Intercept pointed out, even the NSA’s super-secret XKEYSCORE tool “relies on an entirely open source stack.” But sometimes the intelligence community wants to use vulnerabilities to pursue its “offensive” mission—spying, law enforcement and even cyberattack. Especially valuable are zero days, previously unknown vulnerabilities, which can lead to fruitful hacks. The most famous in this category is the Stuxnet worm, which the U.S. and Israel reportedly built using a number of zero days and deployed to destroy centrifuges in Iranian nuclear facilities.
But in the VEP document released as part of EFF’s lawsuit, the government has been too coy about these offensive uses. In fact, it redacted every single reference to them. Like the earlier claims that the whole document was entirely classified, these redactions don’t hold up. Take a look at this two-word redaction on the first page of the VEP side by side with the previously released White House document it references:
Redacted text in the VEP Document released to EFF
The same words unredacted in an older document
The law simply doesn’t let the government get away with claiming that information it has already acknowledged verbatim is still secret. The same is true for the many other redacted references to offensive exploitation of vulnerabilities. Back in 2014, in the wake of the Heartbleed vulnerability and the Snowden revelations, the government was much more eager to talk about its process for handling vulnerabilities, including offensive uses. Now in the face of our lawsuit, it has changed its tune. On the very same day the NSA released the “91% disclosure” statistic, the government filed a motion for summary judgment in our case, arguing that disclosure of the redacted information in the VEP document would cause “serious damage to the national security.” But in light of the government’s extensive statements about its exploitation of zero days, that claim doesn’t hold water. We’ll file a brief saying as much in a few weeks.
So what to make of the NSA’s 91% statistic? There’s an awful lot left unsaid, as Joseph Menn from Reuters points out. Most obviously, there’s no explanation of whether the vulnerabilities in the 91% were exploited first and only then disclosed for patching. Then there’s the tricky wording of the statement itself. By its terms, the vulnerabilities included in the 91% had to reach some unspecified threshold of entering the NSA’s “internal review process.” Some were thus not reviewed at all and are uncounted. Finally, the vulnerabilities had to be “made and used” in the United States. No telling what that means for open source projects in which some or all of the collaborators were outside the US, for example.
All of this points to the need for much more transparency on the vulnerabilities process. From public government statements, we know that from 2010 to 2014 the VEP was something of a dead letter, and it appears that the NSA simply used its own, likely more permissive internal review process instead. Since Heartbleed, the segments of the government that are more interested in shoring up American security—the “defense”—have reportedly taken a more prominent role in the VEP. But the public has yet to see evidence of that. Releasing the full VEP without the indefensible redactions is a start.