2015-11-06 (Fixes typographical error in headline)
By Joseph Menn
SAN FRANCISCO Nov 6 The U.S. National Security
Agency, seeking to rebut accusations that it hoards information
about vulnerabilities in computer software, thereby leaving U.S.
companies open to cyber attacks, said last week that it tells
U.S. technology firms about the most serious flaws it finds more
than 90 percent of the time.
The reassurances may be misleading, because the NSA often
uses the vulnerabilities to make its own cyber-attacks first,
according to current and former U.S. government officials. Only
then does NSA disclose them to technology vendors so that they
can fix the problems and ship updated programs to customers, the
officials said.
At issue is the U.S. policy on so-called "zero-days," the
serious software flaws that are of great value to both hackers
and spies because no one knows about them. The term zero-day
comes from the amount of warning users get to patch their
machines protectively; a two-day flaw is less dangerous because
it emerges two days after a patch is available.
The best-known use of zero-days was in Stuxnet, the attack
virus developed by the NSA and its Israeli counterpart to
infiltrate the Iranian nuclear program and sabotage centrifuges
that were enriching uranium.
Before its discovery in 2010, Stuxnet took advantage of
previously unknown flaws in software from Microsoft Corp and
Siemens AG to penetrate the facilities without triggering
security programs.
A shadowy but robust market has developed for the buying and
selling of zero-days, and as Reuters reported in May 2013, the
NSA is the world's top buyer of the flaws. The NSA also discovers flaws through its own cyber programs,
using some to break into computer and telecommunications systems
overseas as part of its primary spying mission.
Some zero-days are worth more than others, depending on such
factors as the difficulty in finding them and how widespread the
targeted software is. While some can be bought for as little as
$50,000, a prominent zero-day broker said this week that he had
agreed to pay $1 million to a team that devised a way to break
into a fully updated Apple iPhone. Chaouki Bekrar, of the firm
Zerodium, told Reuters the iPhone technique would "likely be
sold to U.S. customers only," including government agencies and
"very big corporations."
Government officials say there is a natural tension as to
whether zero-days should be used for offensive operations or
disclosed to tech companies and their customers for defensive
purposes.
In the wake of revelations by former NSA contractor Edward
Snowden and a Reuters report that detailed how the government
paid security firm RSA to include NSA-tainted encryption in its
software, a White House review panel recommended tilting government
policy more towards defense.
President Barack Obama's cybersecurity coordinator, Michael
Daniel, then said he had "reinvigorated" the review process that
decides what to do about each flaw that comes to government
attention. The details of that process remain classified, but
interviews show that the changes sharply elevated the role of
the Department of Homeland Security, which is responsible for
defense and had not previously been at the center of
inter-governmental debates on the issue.
After Daniel described the revamped process broadly, the
activist Electronic Frontier Foundation sued for documents about
it under the Freedom of Information Act.
The most significant release in that case came in September,
with an undated and partly redacted 13-page memo outlining how
agencies should handle knowledge about software vulnerabilities.
The memo states that the NSA's defensive arm, the Information Assurance
Directorate, served as the executive secretariat for the
process.
HOMELAND SECURITY
A redacted portion of the memo lists the agencies that
participated in the process as a matter of course. An unredacted
part refers to other agencies that can ask to participate on a
case-by-case basis, and the Department of Homeland Security
appears in that section, along with the departments of State,
Justice, Treasury and Commerce.
Two former White House officials said that the memo referred
to the old system, before Daniel reorganized it about a year and
a half ago.
In an interview, Daniel told Reuters that DHS was a key part
of the new system, which is run by the White House's National
Security Council.
"DHS is at the table in the process I'm running," Daniel
said.
An NSA spokeswoman referred questions about its policy to
the NSC, where a spokesman referred Reuters back to the NSA.
The NSA says on its website that it understands the need to
use most flaws for defense.
"In the vast majority of cases, responsibly disclosing a
newly discovered vulnerability is clearly in the national
interest," according to the website. [here
]
"But there are legitimate pros and cons to the decision to
disclose vulnerabilities, and the trade-offs between prompt
disclosure and withholding knowledge of some vulnerabilities for
a limited time can have significant consequences.
"Disclosing a vulnerability can mean that we forgo an
opportunity to collect crucial foreign intelligence that could
thwart a terrorist attack, stop the theft of our nation's
intellectual property, or discover even more dangerous
vulnerabilities that are being used to exploit our networks."
The agency said: "Historically, NSA has released more than
91 percent of vulnerabilities discovered in products that have
gone through our internal review process and that are made or
used in the U.S."
It said the rest included some that had already been fixed
as well as those held back "for national security reasons."
One former White House official noted that the NSA did not
say when the disclosures were made, adding that it would be "a
reasonable assumption" to conclude that much of that 91 percent covers
flaws the NSA had already used to gather intelligence before
alerting the companies. He also said the figure includes those
bought from outside entities. NSA and NSC officials declined to
address those assertions.
It is anyone's guess how long the average gap is between
offensive use and defensive disclosure, said Denelle
Dixon-Thayer, chief legal and business officer of Firefox
browser maker the Mozilla Foundation.
The bigger that gap is, the greater the likelihood that
other countries or hackers using similar hunting techniques have
also discovered the same flaw. Even if they haven't, the target of a U.S.
cyber attack can detect what technique was used and repurpose it
against the U.S. and others.
"If it's disclosed after it's already been executed against,
that's a really important question," Dixon-Thayer said.
In the revamped U.S. evaluation process, another former
official said that the Department of Homeland Security is often
the most vigorous "dove" in the discussions, arguing for
disclosures before others find the same flaw and exploit it.
A current administration official said that the
proportion of serious flaws disclosed to vendors did not jump
after the NSC took control of the process. "It's still early,
but the trend has not significantly changed," the official said.
The growing discussion about U.S. policy on vulnerability
disclosure comes as House and Senate leaders prepare to
fine-tune three related bills on cybersecurity
information-sharing, which are designed to give companies legal
protection for reporting attacks to the government.
Mozilla and many other technology companies oppose those
bills because they will give the government more information
about customers and attacks without requiring the government to
give more information to the companies.
Dixon-Thayer said officials could even take what they learn
about new techniques from the industry to launch their own
attacks instead of helping defenders.
(Reporting by Joseph Menn in Washington; Editing by Jonathan
Weber and John Pickering)