WikiLeaks Dump Shines Light on Government's Shadowy Zero-Day Policy


The documents shed little light on how many unknown vulnerabilities the intelligence agency retains and how well it vets the damage they might cause.

WikiLeaks’ massive release of CIA cyber exploits this week produced more questions than answers about the government’s shadowy procedure for hoarding damaging digital vulnerabilities that remain unknown even to a system's manufacturer.

These bugs—called zero days because industry has had zero days to create and promulgate a software patch—can be goldmines for U.S. intelligence agencies looking to sneak undetected into the computers, phones and other electronic devices of terrorists and officials of adversary nation-states.

These glitches can be extremely dangerous, however, if those same terrorists or other nations’ intelligence agencies discover them independently and use them to spy on Americans. If discovered by cyber criminals, they might also be used to steal money or information from American citizens or U.S. companies.

How Many Zero Days Does the Government Have?

WikiLeaks describes the leaked documents, which it has dubbed Vault 7, as containing “dozens of zero days.” If true, that would almost certainly raise the best estimate to date, by Columbia University Senior Research Scholar Jason Healey, which puts the government’s entire zero-day arsenal at around 60 or 70, rather than in the hundreds or thousands as previously estimated.

If WikiLeaks’ “dozens” figure is correct, it’s a good assumption that it represents only a portion of the CIA’s zero-day arsenal and that the National Security Agency and a handful of other agencies possess additional zero-day troves that aren’t actively retained by CIA, Healey, a former White House cyber official, told Nextgov.

That would mean Healey’s estimate of 60 to 70 would have to be adjusted up, he said.

It’s also possible, however, that Healey’s initial estimate remains sound and the WikiLeaks figure is exaggerated.

When a group known as Shadow Brokers released an NSA hacking toolkit in October, Healey expected he’d have to rejigger his estimate, he said, but the trove turned out to contain only a handful of genuine zero days.

Without examining the underlying code, which WikiLeaks did not release, it’s difficult to tell which of the more than 8,000 documents disclosed by the renegade transparency group contain genuine zero days and which exploit vulnerabilities that are already known but not reliably patched.

It’s also not clear when CIA discovered the vulnerabilities, so it’s possible some were once zero days that have since been discovered independently, said Ross Schulman, co-director of the Cybersecurity Initiative at the New America think tank’s Open Technology Institute.

Some of the tools may also exploit known vulnerabilities in outdated software versions that are guaranteed to persist because the company has stopped issuing patches for that version, Schulman said.

Vulnerability Equities Review

The government has never disclosed how many zero days it retains at any given time. However, NSA Director Adm. Michael Rogers boasted in 2015 that the government has historically shared over 90 percent of the vulnerabilities it discovers with manufacturers because NSA judges those vulnerabilities would do more harm if found by an adversary than good if exploited by the agency.

That system was codified during the Obama administration in a review known as the Vulnerability Equities Process, which considers an exploit’s value to intelligence agencies, how much damage it could do if discovered by someone else and how likely that discovery is to happen.

Government officials have indicated that the review process may be retained under the Trump administration, though, as with most cybersecurity questions, the president has made no firm commitments yet.

Even if the Trump administration rejiggers its calculations for retaining or disclosing zero days, it’s unlikely the arsenal will greatly expand, Obama’s Cybersecurity Coordinator Michael Daniel told Nextgov.

That’s because the number of zero-day vulnerabilities the government encounters that are genuinely useful for intelligence work is quite limited, he said, so greatly expanding the percentage the government retains would serve little useful purpose.

The most important question for both Healey and Schulman is not the raw number of zero days the Vault 7 documents reveal, but whether those zero days were appropriately vetted through the equities review process—and, again, there’s no firm answer.

“If we thought the government kept dozens and it turned out to be in the low hundreds, is that bad?” Healey asked. “We can decide what’s big or what’s not and how many is too many. I’d be much more worried if these didn’t go through the vulnerabilities equities process … that’s a deeper governance issue.”

If nothing else, Schulman said, he hopes the WikiLeaks release will spur the government to ensure its vulnerabilities vetting process is firmly in place.

“What this does show with regard to VEP is its importance,” he said. “There are still a lot of open questions and now would be a great time for Congress to step in and codify the VEP to be sure that it’s a law and that it’s followed.”

For others, however, the Vault 7 trove itself is an indictment of the equities process.

The documents include hacks of Apple’s iPhone and Google’s Android platforms as well as Microsoft Windows, products used by millions of Americans. It’s not clear whether those exploits rely on zero days, but if they do, that suggests the CIA was willing to endanger those Americans’ privacy for the sake of foreign intelligence gathering, Electronic Frontier Foundation Staff Technologist Cooper Quintin told Nextgov.

“It’s our opinion that we are all made less safe by CIA’s decision to keep these vulnerabilities rather than disclose them and help companies fix them,” he said.

Why Zero Days Are Valuable

Zero days are a strange sort of weapon.

They’re highly powerful, the crown jewels of any intelligence agency, and can sell for thousands or, in rare circumstances, more than $1 million on the open market. The average zero-day vulnerability and the exploit that makes use of it lasts nearly seven years, according to a comprehensive report out this week from the Rand Corporation. One-quarter of zero days last nearly a decade, the report found.

Yet, their value dissipates as soon as they’re used because security researchers can reverse engineer them once discovered and sell that knowhow—either to nefarious hackers or to the company whose technology is being exploited so it can issue a patch.

As a result, intelligence agencies and criminal hackers are hesitant to use zero days if known exploits will get the job done. And they often will, because organizations are frequently slow to install software patches and, especially in the case of the U.S. government, rely on outdated systems.

Humans are also the weakest cyber link in any organization and can frequently be conned into clicking on a phishing link and allowing an intruder into a network where fancy exploits are less necessary.

WikiLeaks founder Julian Assange announced Thursday he plans to share information about the Vault 7 vulnerabilities with manufacturers so they can patch them. Healey, on Twitter, urged the CIA to share those vulnerabilities first to deny WikiLeaks the public-relations victory.

The CIA has declined to comment on the authenticity of the Vault 7 documents, but savaged Assange and WikiLeaks in two statements.

“CIA’s mission is to aggressively collect foreign intelligence overseas” and to be “innovative, cutting edge and the first line of defense in protecting this country from enemies abroad,” a spokesman said, adding that “CIA’s activities are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”
