Why The NSA's Vulnerability Equities Process Is A Joke (And Why It's Unlikely To Ever Get Better)

from the 'national'-security-still-the-best-kind-of-security,-apparently dept

Two contributors to Lawfare — offensive security expert Dave Aitel and former GCHQ information security expert Matt Tait — take on the government’s Vulnerability Equities Process (VEP), which is back in the news thanks to a group of hackers absconding with some NSA zero-days.

The question is whether or not the VEP is being used properly. If the NSA discovered that its exploits had been accessed by someone other than its own TAO (Tailored Access Operations) team, why did it choose to keep those exploits secret rather than inform the affected vendors? The vulnerabilities exposed so far appear to date back as far as 2013, yet only now, after the Shadow Brokers published the details, are companies like Cisco actually aware of these issues.

According to Lawfare’s contributors, there are several reasons why the NSA would have kept quiet, even when confronted with evidence that these tools might be in the hands of criminals or antagonistic foreign powers. They claim the entire process — which is supposed to push the NSA, FBI, et al towards disclosure — is broken. But not for the reasons you might think.

The Office of the Director of National Intelligence claimed last year that the NSA divulges 90% of the exploits it discovers. Nowhere in this statement were any details as to what the NSA considered to be an acceptable timeframe for disclosure. It’s always been assumed the NSA turns these exploits over to developers after they’re no longer useful. The Obama administration may have reiterated the presumption of openness when reacting to yet another Snowden leak, but also made it clear that national security concerns will always trump personal security concerns — even if the latter has the potential to affect more people.

The main thrust of the Lawfare article is that what's “broken” about the equities process is that it contains a presumption of disclosure at all. The authors point out that it can take years to discover a vulnerability and develop it into a useful exploit, and that, given the nature of the NSA’s business, the agency should be under no pressure to make timely disclosures to the developers whose software and hardware it is exploiting.

[F]rom an operational standpoint, it takes about two years to fully utilize and integrate a discovered vulnerability. For the intelligence officer charged with managing the offensive security process, the VEP injects uncertainty by requiring inexpert intergovernmental oversight of the actions of your offensive teams, effectively subjects certain classes of bugs to time limits and eventual public exposure—all without any strategic or tactical thought governing the overall process.

Individual exploitable software vulnerabilities are difficult to find in the first place. But to engineer the discovered vulnerability into an operationally deployable exploit that can bypass modern anti-exploit defenses is far harder. It is a challenge to get policymakers to appreciate how rare the skills are for building operationally reliable exploits. The skillset exists almost exclusively within the IC and in a small set of commercial vendors (many of whom were originally trained in intelligence). This is not an area where capacity can be easily increased by throwing money at it—meaningful development here requires monumental investment of time and resources in training and cultivating a workforce, as well as crafting mechanisms to identify traits of innate talent.

The authors do point out that disclosure can also be useful to intelligence services. If these disclosures result in safer computing for everyone else, then that’s apparently an acceptable side effect.

[T]here are three major, non-technical reasons for vulnerability disclosure.

First, disclosure can provide cover in the event that an OPSEC failure leads you to believe a zero-day has been compromised—if there is a heightened risk of malicious use, it allows the vendor time to patch. Second, disclosing to vendors allows the government to out an enemy’s zero-day vulnerability without disclosing how it was found. And third, government disclosure can form the basis of building a better relationship with Silicon Valley.

Saddling intelligence agencies with a presumption of disclosure is possibly a dangerous idea. A low-value exploit that could be divulged to developers might depend on the same underlying flaw as other exploits still being deployed by intelligence services, so disclosing the one burns the others. Any suggested timeframe for mandatory disclosure would likely cause further harm by forcing the NSA, FBI, etc. to turn over exploits just as they’re generating optimal results. On top of that, the authors point out that a push towards disclosure hamstrings US intelligence services, since agencies in unfriendly nations will never be constrained by requirements to put the public ahead of their own interests.

But the process is definitely broken, no matter whose side of the argument you take. The NSA says it discloses 90% of the vulnerabilities it discovers, but former personnel involved in these operations note they’ve never seen a vulnerability disclosed during their years in the agency.

It’s unlikely that the process will ever be fixed to everyone’s satisfaction. The most likely scenario is that the VEP will continue to trundle along doing absolutely nothing while being ineffectually attacked by those opposing intelligence community secrecy. As it stands now, the presumption of disclosure is completely subject to any national security concerns raised by intelligence and law enforcement agencies. Occasional political climate shifts may provoke transparency pledges from various administrations, but those should be viewed as sympathetic noises — presidential pats on the head meant to fend off troubling questions and legislative pushes to put weight behind the administration’s words.



Comments on “Why The NSA's Vulnerability Equities Process Is A Joke (And Why It's Unlikely To Ever Get Better)”

Uriel-238 (profile) says:

So what is our scenario for an agency going rogue?

What does it look like when our branches of government decide the NSA has gone rogue and is operating not in the best interests of the United States, neither its people nor the government system that runs them?

I must only assume the NSA has dirt on everyone in office and that’s why they are silent from one end to the next.

This is ridiculous.

Bergman (profile) says:

Re: Re: So what is our scenario for an agency going rogue?

Made obvious by the fact that our government considers patriotism and a belief in the Constitution being the highest law of the land to be extremism and an active threat to governance.

When a government official can publicly announce such beliefs and act upon them and NOT wind up at least investigated for wrongdoing, you know the government as a whole has gone rogue.

John Fenderson (profile) says:

Two years?

[F]rom an operational standpoint, it takes about two years to fully utilize and integrate a discovered vulnerability.

Wait a minute. The two years the authors are talking about is not the time to develop a new attack, it’s the time it takes from once they have code in hand that performs the attack.

Two years? That seems like an incredibly long time. I’ve never worked for or with a company that would consider that acceptable.

I’m actually disappointed.

That One Guy (profile) says:

Re: Two years?

Yeah, there is no way it takes them that long to exploit a found vulnerability, instead I imagine that’s just an excuse not to report it sooner.

‘It takes us two years to really begin to fully exploit a vulnerability, and after that it might be good for a few more years, which means reporting it sooner would take a valuable tool away from us before we can really use it. You don’t want us to be unable to protect the public, do you?’

Alternatively they’re all so incredibly incompetent that it does indeed take them that long to figure out how to use an exploit, though that’s not much better really.

severed_dong says:

Wonder what’s in the other file. Cisco has a business interest; perhaps NSA should just buy Cisco? I say that jokingly… as who would buy their hardware after that, or now for that matter. I’d rather have some obscure proprietary re-purposed crap giving just enough resistance that I can spot when she’s getting attacked. I used to have a box where you could actually HEAR the FAN change sound. I don’t care how smart these NSA guys’ requirements are with math and science, what I just saw was completely pathetic, it frankly looked. But also it has more balls than I do. I don’t have the balls to just screw up an innocent’s box. I actually have a fucking conscience.

PS: I do hope that anonymous drunk guy in the other thread, “Crackdown on Deez Nutz”, quits drinking. There are people who are not brainwashed masses; we’re kind of not sure where to put the pressure. Maybe if you quit drinking you can bring us all up to speed with what our brainwashed fucking problem is. I’ve been saying it’s TREASON for the past few years. Maybe if enough of us keep saying it, it will actually materialize into the END of this shit show, like it should.

God bless and quit hatin TEACH INSTEAD!

rasz_pl says:

Here is one of those old NSA exploits being disclosed… 4 years after Intel stopped manufacturing vulnerable CPUs: https://www.blackhat.com/us-15/briefings.html#the-memory-sinkhole-unleashing-an-x86-design-flaw-allowing-universal-privilege-escalation

“Independently” discovered by Christopher Domas, employee of a non-profit think tank that just happens to be a CIA cover operation full of ‘ex’ spies (Battelle Memorial Institute).

anon says:

The other side of that argument is that the intel they do collect will NEVER be shared with the public.

Either they don’t want to disclose a source, disclose that they have gotten into a source, disclose that they are vulnerable to diversion or false info, or even that they have an interest in a source.

The Nigerian mall attack was actually pre-warned by an Israeli intel agency, though that may have been a misdirection from the US.

In other words, the only real value of this info is commercial and treaty negotiation. Well, and monitoring regular citizens for any crime they may use for asset forfeiture.

Where is the value in that?
