Opinion: NSA hack reveals flaws in White House zero-day process

A potentially damaging hacking tool revealed in the apparent National Security Agency breach includes a zero-day vulnerability – or previously unknown security hole – in Cisco software. The government should have already disclosed that flaw.

Adm. Michael Rogers, head of the National Security Agency and commander of US Cyber Command, testified on Capitol Hill in April 2016. REUTERS/Kevin Lamarque


August 18, 2016

Earlier this week, a group calling itself the Shadow Brokers released a cache of military-grade computer hacking tools. Since then, experts and former agency employees have substantiated that the tranche of custom-made malware originated from the National Security Agency.

Now, the dump is raising serious questions about the nature of the US government's cyberweapons arsenal. Chief among those questions is whether or not the US government should withhold information about potentially damaging flaws in software programs widely used by American companies. 

One of the most potentially damaging exploits that the Shadow Brokers revealed is a so-called "zero-day" vulnerability in a Cisco security product common in many American critical infrastructure facilities. Zero-days are security flaws that the affected company doesn't know about. 


Is that the kind of flaw that the NSA should keep secret from American businesses? Should it have told Cisco?

At the recent DEF CON hacker convention in Las Vegas, I presented research conducted with students at the Columbia University School of International and Public Affairs on the Vulnerabilities Equities Process (VEP), a White House procedure to determine when the government should retain – and when it should disclose – such vulnerabilities.

Our best estimate is that the government probably retains a small arsenal of dozens of such zero-days, far fewer than the hundreds or thousands that many experts estimated. It appears they add to that arsenal only by drips and drabs, perhaps by single digits every year.  

However, before President Obama "reinvigorated" the VEP in January 2014, the NSA probably kept many more: probably dozens per year, rather than single digits. In those days, the NSA largely made its own decisions, without having to consult with other parts of the government. 

Today, however, the president has made clear the default decision should be to disclose flaws. While the Shadow Brokers' revelations haven't changed our estimate of the number of zero-days in the NSA's arsenal, a former NSA cyber operator told the Washington Post there were "hundreds" of such vulnerabilities at the agency and none of those were disclosed to companies.


But beyond the specific number of vulnerabilities at the NSA's disposal, the dump casts doubt on the effectiveness of the government's VEP process. Is it actually sufficient?  

Based on the policies in place today, the NSA almost certainly should have disclosed the Cisco vulnerability – just as the FBI should have told Apple about the iPhone vulnerability it relied on to unlock the phone recovered after the San Bernardino, Calif., terrorist attack.

If any agency wants to keep a zero-day, it has to argue its case to the National Security Council (NSC) and other agencies such as the Department of Homeland Security and the Department of Commerce that are concerned primarily with securing US critical infrastructure.

According to many people we interviewed for our zero-day research, participants in the equities review process are senior members of the administration and meet frequently. It's an active process. 

Furthermore, the Obama administration's criteria make clear that the default position is to tell vendors and the NSC. If a vulnerability affects US critical infrastructure or imposes a high risk, the government should not keep it. That's certainly the case with the Cisco security bug.

The president's policy doesn't apply to bugs discovered prior to 2010. So, the NSA was not in violation of the policy’s wording, but it certainly seems against the president’s intent.

The best case for NSA retaining the Cisco vulnerability is that it was monitoring signals intelligence for signs that others knew about it. And, possibly, if the agency discovered that it was being deployed, it would inform Cisco.

Still, the Shadow Brokers leak makes it clearer than ever that the president needs to strengthen the equities review process to close the apparent loopholes that the NSA and FBI may rely on to keep their zero-days hidden.

Former White House staffers Rob Knake and Ari Schwartz have published a great list of recommendations: formalize the process as an executive order, make it more transparent through an annual report, periodically review retained vulnerabilities (including those from before 2010), and create a watchdog similar to the Privacy and Civil Liberties Oversight Board.

The Shadow Brokers revelations give the impression of an NSA that's out of control. The Vulnerability Equities Process is meant to put some restraints on the agency when it comes to its hacking tools – it's a good process designed to govern an incredibly critical function of the agency. 

But the government should act quickly – and transparently – to reform this process to retain the trust of American technologists, the US public, and our allies.

Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs and a senior fellow at the Atlantic Council. Follow him on Twitter @Jason_Healey.