The documents shed little light on how many unknown vulnerabilities the intelligence agency retains and how well it vets the damage they might cause.
WikiLeaks’ massive release of CIA cyber exploits this week produced more questions than answers about the government’s shadowy procedure for hoarding damaging digital vulnerabilities that remain unknown even to a system's manufacturer.
These bugs—called zero days because industry has had zero days to create and promulgate a software patch—can be goldmines for U.S. intelligence agencies looking to sneak undetected into the computers, phones and other electronic devices of terrorists and officials of adversary nation-states.
These glitches can be extremely dangerous, however, if those same terrorists or other nations’ intelligence agencies discover them independently and use them to spy on Americans. If discovered by cyber criminals, they might also be used to steal money or information from American citizens or U.S. companies.
How Many Zero Days Does the Government Have?
WikiLeaks describes the leaked documents, which it has dubbed Vault 7, as containing “dozens of zero days.” If true, that would almost certainly raise the best estimate to date, by Columbia University Senior Research Scholar Jason Healey, which puts the government’s entire zero-day arsenal at around 60 or 70, rather than in the hundreds or thousands as previously estimated.
If WikiLeaks’ “dozens” figure is correct, it’s a good assumption that only represents a portion of the CIA’s zero-day arsenal and that the National Security Agency and a handful of other agencies possess additional zero-day troves that aren’t actively retained by CIA, Healey, a former White House cyber official, told Nextgov.
That would mean Healey’s estimate of 60 to 70 would have to be adjusted up, he said.
It’s also possible, however, Healey’s initial estimate remains sound and the WikiLeaks figure is exaggerated.
When a group known as Shadow Brokers released an NSA hacking toolkit in October, Healey expected he’d have to rejigger his estimate, he said, but the trove turned out to contain only a handful of genuine zero days.
Without examining the underlying code, which WikiLeaks did not release, it’s difficult to tell which of the more than 8,000 documents disclosed by the renegade transparency group contain genuine zero days and which exploit vulnerabilities are already known but not reliably patched.
It’s also not clear when CIA discovered the vulnerabilities, so it’s possible some were once zero days that have since been discovered independently, said Ross Schulman, co-director of the Cybersecurity Initiative at the New America think tank’s Open Technology Institute.
Some of the tools may also exploit known vulnerabilities in outdated software versions guaranteed to remain because the company has stopped issuing patches for that version, Schulman said.
Vulnerability Equities Review
The government has never disclosed how many zero days it retains at any given time. However, NSA Director Adm. Michael Rogers boasted in 2015 the government has historically shared over 90 percent of vulnerabilities it discovers with manufacturers because NSA judges those vulnerabilities would do more harm if found by an adversary than good if exploited by the agency.
That system was codified during the Obama administration in a review known as the Vulnerability Equities Process, which considers an exploit’s value to intelligence agencies, how much damage it could do if discovered by someone else and how likely that discovery is to happen.
Government officials have indicated that review process may be retained under the Trump administration, though, as with most cybersecurity questions, the president has made no firm commitments yet.
Even if the Trump administration rejiggers its calculations for retaining or disclosing zero days, it’s unlikely the arsenal will greatly expand, Obama’s Cybersecurity Coordinator Michael Daniel told Nextgov.
That’s because the number of zero-day vulnerabilities the government encounters that are genuinely useful for intelligence work is quite limited, he said, so greatly expanding the percentage the government retains would serve little useful purpose.
The most important question for both Healey and Schulman is not the raw number of zero days the Vault 7 documents reveal, but whether those zero days were appropriately vetted through the equities review process—and, again, there’s no firm answer.
“If we thought the government kept dozens and it turned out to be in the low hundreds, is that bad?" Healey asked. "We can decide what’s big or what’s not and how many is too many. I’d be much more worried if these didn’t go through the vulnerabilities equities process … that’s a deeper governance issue.”
If nothing else, Schulman said, he hopes the WikiLeaks release will spur the government to ensure its vulnerabilities vetting process is firmly in place.
“What this does show with regard to VEP is its importance,” he said. “There are still a lot of open questions and now would be a great time for Congress to step in and codify the VEP to be sure that it’s a law and that it’s followed.”
For others, however, the Vault 7 trove itself is an indictment of the equities process.
The documents include hacks of Apple’s iPhone and Google’s Android platforms as well as Microsoft Windows, products used by millions of Americans. It’s not clear those exploits rely on zero days but if they do, that suggests the CIA was willing to endanger those Americans’ privacy for the sake of foreign intelligence gathering, Electronic Frontier Foundation Staff Technologist Cooper Quintin told Nextgov.
“It’s our opinion that we are all made less safe by CIA’s decision to keep these vulnerabilities rather than disclose them and help companies fix them,” he said.
Why Zero Days Are Valuable
Zero days are a strange sort of weapon.
They’re highly powerful, the crown jewels of any intelligence agency, and can sell for thousands or, in rare circumstances, more than $1 million on the open market. The average zero-day vulnerability and the exploit that makes use of it lasts nearly seven years, according to a comprehensive report out this week from the Rand Corporation. One-quarter of zero days last nearly a decade, the report found.
Yet, their value dissipates as soon as they’re used because security researchers can reverse engineer them once discovered and sell that knowhow—either to nefarious hackers or to the company whose technology is being exploited so it can issue a patch.
As a result, intelligence agencies and criminal hackers are hesitant to use zero days if known exploits will get the job done. And they often will, because organizations are frequently slow to install software patches and, especially in the case of the U.S. government, rely on outdated systems.
Humans are also the weakest cyber link in any organization and can frequently be conned into clicking on a phishing link and allowing an intruder into a network where fancy exploits are less necessary.
WikiLeaks founder Julian Assange announced Thursday he plans to share information about the Vault 7 vulnerabilities with manufacturers so they can patch them. Healey, on Twitter, urged the CIA to share those vulnerabilities first to deny WikiLeaks the public-relations victory.
The CIA has declined to comment on the authenticity of the Vault 7 documents, but savaged Assange and WikiLeaks in two statements.
“CIA’s mission is to aggressively collect foreign intelligence overseas” and to be “innovative, cutting edge and the first line of defense in protecting this country from enemies abroad,” a spokesman said, adding that “CIA’s activities are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”