How many zero-day vulns is Uncle Sam sitting on? Not as many as you think, apparently
DEF CON While some fear the US government is hoarding a vast pool of zero-day security vulnerabilities, the reality is that it probably holds just a few dozen, according to a study by Columbia University.
In a presentation at the DEF CON hacking conference in Las Vegas today, Jason Healey, senior research scholar in the university's faculty of international and public affairs, detailed his students' attempts to ascertain the number of critical bugs stockpiled in secret by the US.
When details of software vulnerabilities are kept under lock and key, developers aren't made aware that they need to patch their code, allowing government agents to exploit the holes to attack targets. One problem with that is that private hackers can also find the bugs and exploit them for fun and profit.
Healey said he expected the amassed bugs to number in the thousands, but research suggests that it's likely to be fewer than 50 in all.
Healey was a founding member of the Joint Task Force–Computer Network Defense, the world's first joint cyber warfare unit, and keeps tabs on what is going on inside Washington DC. He acknowledged that we'll never know the true number of vulnerabilities; however, released documents, Snowden leaks, interviews with intelligence staff, and presidential papers suggest the number of stored flaws is much lower than people think.
The use of computer vulnerabilities has split government departments, which is an advantage for researchers, as both sides brief against each other. On one side, you have the Department of Defense and the intelligence community, which would like to hoard secret zero-days for spying and online war purposes. On the other side, the Department of Commerce, the Treasury, and the Department of Homeland Security want them fixed as soon as possible.
It's documented that the US has been using zero-days since the early 1990s, Healey said. In the middle of that decade, the NSA opened its Information Operations Technology Center to manage its store of vulnerabilities and exploits. This was run under the Information Assurance Directorate (IAD) – which handles cyber defense – rather than the Tailored Access Operations (TAO) unit – which hacks opponents. Healey said this was an encouraging sign.
In 2002, National Security Presidential Directive 16 was issued, outlining guidelines for cyberwarfare. The unredacted sections of this still-classified directive make it clear that each intelligence agency's director is responsible for managing their stock of zero-day flaws and deciding whether or not to inform the manufacturer and get them fixed. However, this was never codified into formal instructions to government departments.
That changed with the Obama administration. In the wake of the Edward Snowden leaks, the White House set a policy that vulnerabilities were to be disclosed to manufacturers by default. If government departments wanted to keep them quiet, they had to make their case to the executive branch.
There was a move to make exceptions for national security issues and law enforcement, which Healey opined would have given the FBI and NSA carte blanche to ignore the rules. However, the discovery of the Heartbleed flaw seems to have stopped that. The NSA was forced to deny that it had prior knowledge of the exploitable programming blunder, a level of openness that Healey said "floored" him.
Documents obtained by the Electronic Frontier Foundation show that the NSA reported 91 per cent of its vulnerabilities to manufacturers after the presidential ruling. However, they only cover the NSA – who knows what the CIA and other agencies are holding, he said.
There are also ways around the new rules, Healey said. Based on interviews, it seems the FBI's method for hacking into the iPhone wouldn't be covered under the rules, since technically the Feds only purchased a tool to crack the smartphone, not the knowledge of how it was actually done.
We do know that in 2013, the NSA had a budget of $23.1m to purchase and manage computer vulnerabilities. Healey said that, given the going rate for such cracks, that would indicate the agency could afford about 75 critical zero-days – but that figure could be larger.
Given that a large proportion of these would be disclosed, and many others would be independently discovered by researchers, that suggested the NSA was only holding a few dozen zero-days. This was confirmed when Snowden, or persons unknown, leaked the TAO hacking catalogue, which listed 50 software flaws that it had on its books.
Healey said he had checked his figures with both the former head of the NSA, Michael Hayden, and the former head of the IAD, Dickie George. Both had confirmed that his figures looked accurate, with George saying the NSA only retained three or four a year.
Healey acknowledged that we'd probably never know the true number of zero-days hoarded by all government agencies. Research shows it's probably not as many as people think. He also pointed out that other countries will also be harvesting these flaws, and ascertaining the number of those was even harder than doing so for the US government agencies. ®