Why The NSA's Vulnerability Equities Process Is A Joke (And Why It's Unlikely To Ever Get Better)

from the 'national'-security-still-the-best-kind-of-security,-apparently dept

Two contributors to Lawfare -- offensive security expert Dave Aitel and former GCHQ information security expert Matt Tait -- take on the government's Vulnerability Equities Process (VEP), which is back in the news thanks to a group of hackers absconding with some NSA zero-days.

The question is whether or not the VEP is being used properly. If the NSA discovered its exploits had been accessed by someone other than its own TAO (Tailored Access Operations) team, why did it choose to keep its exploits secret, rather than inform the developers affected? The vulnerabilities exposed so far seem to date as far back as 2013, but only now, after details have been exposed by the Shadow Brokers are companies like Cisco actually aware of these issues.

According to Lawfare's contributors, there are several reasons why the NSA would have kept quiet, even when confronted with evidence that these tools might be in the hands of criminals or antagonistic foreign powers. They claim the entire process -- which is supposed to push the NSA, FBI, et al towards disclosure -- is broken. But not for the reasons you might think.

The Office of the Director of National Intelligence claimed last year that the NSA divulges 90% of the exploits it discovers. Nowhere in this statement were any details as to what the NSA considered to be an acceptable timeframe for disclosure. It's always been assumed the NSA turns these exploits over to developers after they're no longer useful. The Obama administration may have reiterated the presumption of openness when reacting to yet another Snowden leak, but also made it clear that national security concerns will always trump personal security concerns -- even if the latter has the potential to affect more people.

The main thrust of the Lawfare article is that the "broken" part of the equities process is that there should be a presumption of disclosure at all. The authors point out that it might take years to discover or develop a useful exploit and -- given the nature of the NSA's business -- it should be under no pressure to make timely disclosures to developers whose software/hardware the agency is exploiting.

[F]rom an operational standpoint, it takes about two years to fully utilize and integrate a discovered vulnerability. For the intelligence officer charged with managing the offensive security process, the VEP injects uncertainty by requiring inexpert intergovernmental oversight of the actions of your offensive teams, effectively subjects certain classes of bugs to time limits and eventual public exposure—all without any strategic or tactical thought governing the overall process.

[...]

Individual exploitable software vulnerabilities are difficult to find in the first place. But to engineer the discovered vulnerability into an operationally deployable exploit that can bypass modern anti-exploit defenses is far harder. It is a challenge to get policymakers to appreciate how rare the skills are for building operationally reliable exploits. The skillset exists almost exclusively within the IC and in a small set of commercial vendors (many of whom were originally trained in intelligence). This is not an area where capacity can be easily increased by throwing money at it—meaningful development here requires monumental investment of time and resources in training and cultivating a workforce, as well as crafting mechanisms to identify traits of innate talent.

The authors do point out that disclosure can also be useful to intelligence services. If these disclosures result in safer computing for everyone else, then that's apparently an acceptable side effect.

[T]here are three major, non-technical reasons for vulnerability disclosure.

First, disclosure can provide cover in the event that an OPSEC failure leads you to believe a zero-day has been compromised—if there is a heightened risk of malicious use, it allows the vendor time to patch. Second, disclosing to vendors allows the government to out an enemy’s zero-day vulnerability without disclosing how it was found. And third, government disclosure can form the basis of building a better relationship with Silicon Valley.

Saddling intelligence agencies with a presumption of disclosure is possibly a dangerous idea. Less-than-useful exploits that could be divulged to developers might be tied to other exploits still being deployed by intelligence services. Any suggested timeframe for mandatory disclosure would likely cause further harm by forcing the NSA, FBI, etc. to turn over exploits just as they're generating optimal results. On top of that, the authors point out that a push towards disclosure hamstrings US intelligence services as agencies in unfriendly nations will never be constrained by requirements to put the public ahead of their own interests.

But the process is definitely broken, no matter whose side of the argument you take. The NSA says it discloses 90% of the vulnerabilities it discovers, but former personnel involved in these operations note they've never seen a vulnerability disclosed during their years in the agency.

It's unlikely that the process will ever be fixed to everyone's satisfaction. The most likely scenario is that the VEP will continue to trundle along doing absolutely nothing while being ineffectually attacked by those opposing intelligence community secrecy. As it stands now, the presumption of disclosure is completely subject to any national security concerns raised by intelligence and law enforcement agencies. Occasional political climate shifts may provoke transparency pledges from various administrations, but those should be viewed as sympathetic noises -- presidential pats on the head meant to fend off troubling questions and legislative pushes to put weight behind the administration's words.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Uriel-238 (profile), 19 Aug 2016 @ 6:52pm

    So what is our scenario for an agency going rogue?

    What does it look like when our branches of government decide the NSA has gone rogue and is operating not in the best interests of the United States, neither its people nor the government system that runs them?

    I must only assume the NSA has dirt on everyone in office and that's why they are silent from one end to the next.

    This is ridiculous.

    reply to this | link to this | view in chronology ]

    • icon
      Padpaw (profile), 20 Aug 2016 @ 12:40am

      Re: So what is our scenario for an agency going rogue?

      the whole bloody government's gone rogue at this point barring a patriotic government official here or there

      reply to this | link to this | view in chronology ]

      • icon
        Bergman (profile), 20 Aug 2016 @ 12:38pm

        Re: Re: So what is our scenario for an agency going rogue?

        Made obvious by the fact that our government considers patriotism and a belief in the Constitution being the highest law of the land to be extremism and an active threat to governance.

        When a government official can publicly announce such beliefs and act upon them and NOT wind up at least investigated for wrongdoing, you know the government as a whole has gone rogue.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Aug 2016 @ 4:21am

      Re: So what is our scenario for an agency going rogue?

      They are already rogue. Just look at when congress questions them and they lie, stonewall, etc. Nothing is done about it. It is business as usual. So they apparently are an agency operating on their own, outside of any real oversight.

      reply to this | link to this | view in chronology ]

  • identicon
    Shilling, 19 Aug 2016 @ 6:58pm

    Hmm since these exploit kits are written by the government shouldn't they be shared with other agencies according to the federal source code policy? And 20% of it should be released as open source software 😉.

    Guess this is going to be another policy the NSA is going to skip.

    reply to this | link to this | view in chronology ]

  • icon
    John Fenderson (profile), 19 Aug 2016 @ 10:11pm

    Two years?

    [F]rom an operational standpoint, it takes about two years to fully utilize and integrate a discovered vulnerability.


    Wait a minute. The two years the authors are talking about is not the time to develop a new attack, it's the time it takes from once they have code in hand that performs the attack.

    Two years? That seems like an incredibly long time. I've never worked for or with a company that would consider that acceptable.

    I'm actually disappointed.

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 19 Aug 2016 @ 11:59pm

      Re: Two years?

      That sounds conspicuously untrue. A two-year old zero-day vulnerability is very much no longer zero day.

      I'd expect in most cases that it would be discovered independently by other interested parties, white hat or otherwise.

      reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 20 Aug 2016 @ 11:32am

      Re: Two years?

      Yeah, there is no way it takes them that long to exploit a found vulnerability, instead I imagine that's just an excuse not to report it sooner.

      'It takes us two years to really begin to fully exploit a vulnerability, and after that it might be good for a few more years, which means reporting it sooner would take a valuable tool away from us before we can really use it. You don't want us to be unable to protect the public, do you?'

      Alternatively they're all so incredibly incompetent that it does indeed take them that long to figure out how to use an exploit, though that's not much better really.

      reply to this | link to this | view in chronology ]

  • icon
    frank87 (profile), 20 Aug 2016 @ 12:06am

    Individual exploitable software vulnerabilities are difficult to find

    I guess there is a lot of luck involved. Maybe unhackable software isn't that impossible at all.

    reply to this | link to this | view in chronology ]

  • identicon
    severed_dong, 20 Aug 2016 @ 2:36am

    wonder what's in the other file, Cisco has a business interest, perhaps NSA should just buy Cisco? I say that jokingly...as who would buy their hardware after that, or now for that matter. I rather have some obscure proprietary re-purposed crap giving just enough resistance that I can spot when she's getting attacked. I used to have a box you could actually HEAR The FAN change sound. I don't care how smart these NSA guys requirements are with math and science, what I just saw was completely pathetic, it frankly looked. but also it has more balls than I do. I don't have the balls to just screw up an innocent's box. I actually have a fucking conscious.

    PS: I do hope that anonymous drunk guy in the other thread "Crackdown on Deez Nutz" quits drinking. There are people who are not brainwashed masses, we kind of not sure where to put the pressure. Maybe if you quit drinking you can bring us all up to speed with what our brainwashed fucking problem is. I been saying it's TREASON for the past few years. Maybe if enough of us keep saying it it will actually materialize into the END of this shit show, like it should.

    God bless and quit hatin TEACH INSTEAD!

    reply to this | link to this | view in chronology ]

  • identicon
    rasz_pl, 20 Aug 2016 @ 7:55am

    Here is one of those old NSA exploits being disclosed ....4 years after Intel stopped manufacturing vulnerable CPUs: https://www.blackhat.com/us-15/briefings.html#the-memory-sinkhole-unleashing-an-x86-design-flaw-allo wing-universal-privilege-escalation

    "independently" discovered by Christopher Domas, employee of non profit think tank that just happens to be a CIA cover operation full of 'ex' spies (Battelle Memorial Institute)

    reply to this | link to this | view in chronology ]

  • identicon
    T, 20 Aug 2016 @ 11:36am

    It's about time the government started paying more attention to Deez Nuts.

    reply to this | link to this | view in chronology ]

  • icon
    Ryunosuke (profile), 20 Aug 2016 @ 12:57pm

    something something backdoors are bad something....

    I am starting to look like one of the Blue Man Group here folks.

    reply to this | link to this | view in chronology ]

  • identicon
    anon, 20 Aug 2016 @ 2:28pm

    The other side of that argument is that the intel they do collect, will NEVER be shared with the public.

    Either they don't want to disclose a source, disclose that they have gotten into a source, disclose that they are vulnerable to diversion or false info, or even that they have an interest in a source.

    The Nigerian mall attack was actually pre-warned by Israeli intel agency, tho that may have been a miss-direction from US.

    In other words, the only real value of this info is commercial and treaty negotiation.Well, and monitoring regular citizens for any crime they may use for asset forfeiture.


    Where is the value in that?

    reply to this | link to this | view in chronology ]

  • icon
    David (profile), 20 Aug 2016 @ 4:15pm

    A better relationship

    with Silicon Valley? So, they release the less than useful exploits to enhance the relationship with SV.

    Sounds like an abusive relationship to me.

    Maybe they think a exploiting SV that they get their back doors because they were nice?

    reply to this | link to this | view in chronology ]

  • identicon
    Stosh, 21 Aug 2016 @ 11:52am

    Release any exploits immediately...it takes businesses and the general public at least two years to implement any software / hardware security patches.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.