The recent Wikileaks dump of more than 8,700 documents on the Central Intelligence Agency’s cyber-spying capabilities—the “Vault 7” leak—may have fizzled from the perspective of Wikileaks head Julian Assange. Given that Assange was paid by Russian propaganda outlet RT to host “The Julian Assange Show” and published emails stolen from the Hillary Clinton campaign by Russian military intelligence, his anti-American antipathy is clear. Yet if Assange hoped to embarrass the CIA in the same way the Snowden leaks cast doubt on the vast scope of the National Security Agency’s collection practices, he must be sorely disappointed: there has been no hint that the CIA’s hacking targeted US citizens.
As a former CIA case officer, I am not surprised; I recall how strict the prohibition against spying on US citizens was during my time there. Shortly after joining the CIA, one of my fellow new hires was called onto the carpet after trying to look himself up in CIA databases. To the CIA, not spying on Americans, even yourself, was and is taken quite seriously.
Unfortunately, the CIA’s adherence to the rules about not targeting Americans does not mean there was nothing problematic in those 8,700 documents. Of foremost concern to me and plenty of others worried about America’s deteriorating cyber-security situation is the collection and use of “zero-days” by the CIA, NSA, FBI, and other government agencies.
A “zero-day” vulnerability is a flaw in a piece of software or hardware that is unknown to the vendor selling it, and so the vendor has “zero days” to patch it. From the perspective of any hacker or cyber-spy, a zero-day can be a thing of beauty: a wide-open back door that lets you hack your opponents’ Internet-connected systems to steal their information, steal their money, put in booby traps to destroy the computer systems, or even destroy the real life things (think power, water, and chemical plants) those computer systems control. That destructive potential is why such vulnerabilities are simultaneously prized by intelligence agencies while posing grave danger to any high-tech society.
According to a November 2016 report from Columbia University’s School of International and Public Affairs, “The US Government and Zero Day Vulnerabilities,” the US government seeks to manage the inherent tension between “good for spying/bad for society,” through the Vulnerability Equities Process (VEP). The VEP is an executive branch review program in which representatives of various government agencies discuss whether zero-days should be disclosed to US companies that make the tech, so the holes can be patched, or quietly kept to boost intelligence collection capabilities.
The VEP was formally established in 2010, but quickly became dormant, and had to be “reinvigorated” in 2014. The policy guidance to agencies involved in the VEP was that the default action should be “to disclose vulnerabilities in products and systems used by the US and its allies.”
Yet just two years after the “reinvigoration,” in August 2016, the criminal hacking group Shadow Brokers offered to sell a cache of stolen NSA hacking tools. Per the Columbia report, “Out of the fifteen exploits in the cache, several appear to be previously unknown vulnerabilities (a so-called zero day)…in security products produced by Cisco, Juniper, and Fortinet, each widely used to protect US companies and critical infrastructure, as well as other systems worldwide.”
That the NSA did not disclose these crucial zero-days called into question how closely the NSA adhered to both the spirit and the letter of the VEP’s default-is-to-disclose policy.
Wikileaks claims the Vault 7 leak has “Dozens of ‘zero day’ exploits against a wide range of U.S. and European company products, including Apple’s iPhone, Google’s Android, Microsoft’s Windows, and Samsung TVs.”
Coming on the heels of the Shadow Brokers, the Vault 7 leak hardly allays fears that the VEP has serious loopholes for secretly retaining zero-days that should have been disclosed and patched.
Where is the Biggest Threat?
The NSA and CIA do critically important work, particularly in keeping us safe from terrorist groups and hostile nations. But when it comes to deciding what Americans most need protection from, it’s no contest: the average American is far, far more likely to be a victim of cybercrime than of a terror attack, and unpatched zero-days facilitate that victimization, particularly at the hands of the more sophisticated cybercriminals.
According to the National Cyber Security Alliance, one in five small businesses is a cybercrime victim every year, and among those hacked, 60 percent go out of business within six months. According to a 2015 study from the Ponemon Institute, large US businesses, i.e. those with 1,000 or more employees, are more than twice as likely to be victims of hacking as those in the next-most-hacked country (Germany), and the average cost of remediation after a large business suffers a cyberattack was $15 million.
Per the US Census Bureau, 470,000 businesses die every year in the US. Even if unpatched zero-days played a part in only one percent of those failures, that would still be roughly 4,700 business failures a year.
This estimate doesn’t capture the costs to individual Americans who have their money or identity stolen or their personal or work data destroyed by hackers. Add in those costs, and it becomes clear Americans are already paying steeply for being hacked. The idea that our own government is purposely leaving us open to more hacks begins to seem more than a little crazy.
On March 17, Cisco Systems, the Silicon Valley networking hardware giant, announced that while analyzing the Vault 7 documents it had found a zero-day affecting more than 300 models of its network switches, leaving them wide open to a remote attack that could give an attacker complete control of the switch. Quite aside from any risk of hacking, that revelation has not done Cisco’s stock price or public image any favors.
Should We Really Be Dealing with Cyber-Scumbags?
One of the most problematic parts of the intelligence community’s love of zero-days is they don’t only find them, they spend millions of dollars buying them from Gamma Group, Vupen, ReVuln, and other international businesses charitably described as shady at best, and more typically as completely amoral. Businesses like Gamma Group have proved more than happy to sell zero-days, or exploit kits built on zero-days, to the most repressive regimes on Earth, where they are used to help ferret out dissidents for persecution and torture.
There is no data on how much the CIA spends on zero-days, but as noted in the VEP report from Columbia’s Journal of International Affairs, documents among the massive Snowden leaks suggested the NSA’s annual budget for them is $25 million. Regardless of anyone’s personal beliefs on the proper role of government, almost nobody of any political persuasion believes creating and sustaining a black market in computer attacks that can and will eventually be turned against US citizens is a legitimate government function.
Yet that is exactly what is going on.
Until recently, at least partially because cybercrime is so hard to track, the idea that Americans would be targeted because of deliberately unpatched zero-days was theoretical, but that is starting to change. New reports have emerged about what was in the Shadow Brokers’ latest info dump, which happened in mid-April.
According to an April 21 article by Ars Technica’s Dan Goodin, “script kiddies,” i.e. novice hackers, may be using a just-released NSA “implant” dubbed DoublePulsar to plant a back door into older Windows machines running Windows XP or Windows Server 2003. Once infected, the back door leaves these older machines vulnerable to all manner of malware.
A variety of computer security researchers have used detection scans to identify computers infected with DoublePulsar. The infected figures run from around 10,000 computers at the low end, to an estimated 107,000 infected computers reported by Swiss research firm Binary Edge, which also reported that 90 percent of the infected computers were in the US.
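The detection scans mentioned above work by talking SMB to a host and inspecting the reply header. The following is an added example, not code from the article or from any of the research firms named in it. It assumes, from public descriptions of those scanners, that the probe is an SMB1 Trans2 SESSION_SETUP request sent with multiplex ID 0x41 and that a host running the DoublePulsar implant answers with multiplex ID 0x51 while a clean host echoes 0x41 back. It does not open any network connection: the negotiate, session-setup and tree-connect exchange that precedes the probe is left out, and the replies it classifies are constructed in the script itself.

```python
"""Classify SMB1 Trans2 replies the way a DoublePulsar detection scan does.

Added example: the 0x41/0x51 multiplex-ID behaviour is an assumption taken
from public write-ups of the scanners, and every packet here is constructed
locally rather than captured from a real host.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32    # the command used by the probe
MID_PROBE = 0x41               # multiplex ID the scanner sends (assumed)
MID_IMPLANT = 0x51             # multiplex ID an infected host answers with (assumed)


def parse_smb1_header(packet: bytes) -> dict:
    """Parse a NetBIOS session header followed by the 32-byte SMB1 header."""
    if len(packet) < 4 + 32:
        raise ValueError("packet too short for an SMB1 header")
    if packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + 32]
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("missing SMB1 magic")
    # offsets 4..13: command, NT status, flags, flags2, PID high
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", smb, 4)
    # offsets 14..21 are the security signature, 22..23 are reserved
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {
        "netbios_length": nb_len,
        "command": command,
        "status": status,
        "flags": flags,
        "flags2": flags2,
        "pid": (pid_high << 16) | pid_low,
        "tid": tid,
        "uid": uid,
        "mid": mid,
    }


def classify_trans2_response(packet: bytes) -> str:
    """Return 'infected', 'clean', 'unknown' or 'unexpected' for one reply."""
    hdr = parse_smb1_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"          # reply to something other than our probe
    if hdr["mid"] == MID_IMPLANT:
        return "infected"
    if hdr["mid"] == MID_PROBE:
        return "clean"
    return "unknown"                 # neither value: do not guess


def build_smb1_response(command: int, mid: int, tid: int = 0,
                        pid: int = 0xFEFF, uid: int = 0, status: int = 0) -> bytes:
    """Build a minimal SMB1 reply (header only) for constructing test input."""
    flags, flags2 = 0x98, 0xC807     # reply bit set; unicode, NT status codes
    smb = SMB1_MAGIC + struct.pack("<BIBHH", command, status, flags, flags2, pid >> 16)
    smb += b"\x00" * 8               # security signature
    smb += b"\x00\x00"               # reserved
    smb += struct.pack("<HHHH", tid, pid & 0xFFFF, uid, mid)
    smb += b"\x00\x00\x00"           # WordCount = 0, ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def scan_results(responses: dict) -> dict:
    """Map host -> verdict for a batch of captured Trans2 replies."""
    return {host: classify_trans2_response(pkt) for host, pkt in responses.items()}


# Constructed sample replies, as if three hosts had answered the probe.
CONSTRUCTED_RESPONSES = {
    "10.0.0.5": build_smb1_response(SMB_COM_TRANSACTION2, MID_PROBE),    # echoes 0x41
    "10.0.0.9": build_smb1_response(SMB_COM_TRANSACTION2, MID_IMPLANT),  # answers 0x51
    "10.0.0.12": build_smb1_response(0x73, MID_PROBE),                   # SESSION_SETUP_ANDX, not our probe
}

if __name__ == "__main__":
    for host, verdict in scan_results(CONSTRUCTED_RESPONSES).items():
        print(f"{host:<10} {verdict}")
```

The "unknown" branch matters in practice: a host that replies with some third multiplex ID is not evidence either way, and a scanner that collapses that case into "clean" will under-count exactly the hosts worth a second look.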
As the single biggest and richest customer for zero-days, the US government is the biggest economic driver of the zero-day black market. As a consequence, every time a security researcher finds a zero-day, they have some version of this conversation in their head: “Do I disclose this serious vulnerability to Microsoft and get $15,000 for the ‘bug bounty’…or sell it to Vupen for $200,000?” Vupen would then be happy to sell it to the CIA or NSA for $500,000.
Remain Calm: Not all Hacks are From Zero-Days
To be fair, we can’t blame all or even most hacks on deliberately unpatched zero-days. The vast majority of people and businesses that fall victim to hackers do so because they opened a “phishing” email they shouldn’t have, they haven’t changed their passwords in years, they haven’t bothered to install security updates in their computers, or they use software so old it is no longer receiving patches, like Windows XP.
Precisely how much financial damage is inflicted on Americans through deliberately unpatched zero-days is unknown, not least because, per the Columbia report, once a zero-day has gone through the VEP and been retained for intelligence collection, there are no further reviews to decide whether it should be disclosed and patched in the future.
We should not be surprised the US intelligence community likes zero-days; it is their job to find and create tools that help them collect information. In fact, the United States government is the only government on earth that has anything like the VEP. Nevertheless, the VEP is still a largely untested, secretive, and poorly understood process.
Fixing the VEP
The Vault 7 leaks, whatever the negative ramifications for the CIA’s short-to-medium-term cyber capabilities, at least provide a useful occasion to give our government’s use of zero-days and the serious flaws of the VEP some long-overdue scrutiny. The only thing that can allay the quite reasonable fears that institutions, businesses, and individuals are suffering damage from unpatched zero-days is for Americans to know that the VEP exists and that it can be trusted. The Columbia report on zero-days had some excellent suggestions for how to turn the toothless VEP into a real regulatory process, as did a white paper from the non-partisan New America Foundation, “Bugs in the System.” The Columbia report’s suggestions included:
• Turn the VEP from a policy into an executive order that requires compliance.
• Switch administration of it from the offensively-minded NSA to the defensively-minded Department of Homeland Security.
• Initiate periodic reviews of zero-days retained for spying to revisit whether they should be disclosed and patched.
• Mandate that every vulnerability the government acquires goes through the VEP, and that none can be used until it has. No exceptions.
• Have real dialogue on whether we should be participating in the zero-day black market.
• Issue unclassified reports on the workings of the VEP.
• Make regular reports on all of the above to the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence. Exploits built on zero-days are weapons of cyber-war, and it is supposed to be the job of Congress, not the executive branch, to declare war.
To these suggestions I would add:
• Give the Department of Commerce, protector of US businesses, a bigger role in the VEP.
• Ditto the Consumer Financial Protection Bureau, protector of the pocketbook of the average Americans.
• Make sure the United States Computer Emergency Readiness Team (US-CERT), is aware of all the zero-days in the US arsenal, and works with the Department of Commerce to do financial damage assessments if and when unpatched zero days are used to target US citizens and businesses.
• If a zero-day is found in a US-manufactured product, mandate that it has to be disclosed for patching, unless retention is specifically authorized by the President or his designee.
At the end of the day, the public needs to understand that zero-days are not like any other threat we face. Every unpatched zero-day in products that Americans commonly use, be it Windows software, Android phones, or Cisco routers, may be successfully used by our national security establishment to target our adversaries…but only at the cost of leaving Americans wide open to reciprocal attack.