A newly released document from the FBI sheds a little more light on the government's controversial policy around the use of zero-day exploits. Though there is still much we don't know, the question of when the secretive policy was put into place is finally answered: February, 2010.
It wasn't until last year that the government even admitted to using zero-day exploits for attack purposes. Following that disclosure, the White House then revealed that it had established an Equities process for determining when a zero-day software vulnerability it learns about should be disclosed to a vendor to be fixed or kept secret so that the NSA and other agencies can exploit it for intelligence or law enforcement purposes.
The question was when exactly the policy had been established.
Zero-day vulnerabilities are software security holes that are not known to the software vendor and are therefore unpatched and open to attack by hackers and others. A zero-day exploit is the malicious code crafted to attack such a hole to gain entry to a computer. When security researchers uncover zero-day vulnerabilities, they generally disclose them to the vendor so they can be patched. But when the government wants to exploit a hole, it withholds the information, leaving all computers that contain the flaw open to attack—including U.S. government computers, critical infrastructure systems and the computers of average users.
Michael Daniel, special advisor to the president on cybersecurity issues and a member of his National Security Council, told WIRED last year that the government had established a policy for using zero-days sometime in 2010, but wouldn't say more. Many speculated that the policy might have been established after the Stuxnet worm had been discovered and exposed in July 2010. Stuxnet used five zero-day exploits to gain access to computers at a facility in Iran and sabotage that country's nuclear enrichment program. But the FBI document newly obtained by the American Civil Liberties Union (.pdf) in a public records request refers to a written policy around the use of zero-days that existed in February 2010, five months before Stuxnet's discovery.
The policy document, titled "Commercial and Government Information Technology and Industrial Control Product or System Vulnerability Policy and Process," was dated February 16, 2010, according to the FBI.
A previous document obtained by the Electronic Frontier Foundation revealed that a task force had been created in 2008 to discuss developing the policy. The task force then recommended a vulnerabilities equities process be developed. Some time in 2008 and 2009 another working group, led by the Office of the Director of National Intelligence, was established to address the recommendation with representatives from the intelligence community, the U.S. attorney general, the FBI, DoD, State Department, DHS and the Department of Energy. Discussions with these agencies continued throughout 2008 and 2009, and eventually they agreed on a policy. The February 2010 date in the newly revealed document indicates when that policy was actually put in place throughout the government.
When the NSA or another agency discovers a software vulnerability, they use the Equities process to determine whether there is more to be gained from keeping the vulnerability secret or from disclosing it to be patched. That process was apparently weighted on the side of exploiting vulnerabilities over disclosing them until last year when the government had to "reinvigorate" the policy because it was not being implemented in the intended manner. The President's Privacy and Civil Liberties Oversight Board had determined that the Equities process wasn't being implemented as the board thought it should be, suggesting that more zero days were being kept secret than the board thought wise.
Information about vulnerabilities also wasn't being shared among all the agencies that needed to have a say in the decision-making process.
The new document, which is heavily redacted, provides little additional information about the Equities process or the government's use of zero-days. But it does describe the order of events after a zero-day vulnerability is discovered.
The vulnerability first undergoes a classification process to determine if it requires "special handling." If it reaches a certain "threshold"---the threshold isn't disclosed in the document---then the executive secretariat is notified immediately. The executive secretariat, for this purpose, is the NSA/Information Assurance Directorate. The NSA then notifies other agencies participating in the equities process to give them a chance to indicate if they "have an equity at stake" and want to participate in the decision process for determining if the vulnerability will be disclosed or kept secret.
What the document doesn't say, however, is whether all parties in the decision making process have equal input. The document notes that the purpose of the Equities process is to ensure that decisions are made in the "best interest of intelligence collection, investigative matters and information assurance. Understanding that in most circumstances all three interest [sic] will not be satisfied but the best resolution for the overall good will be put forth…"
Nathan Wessler, staff attorney for the ACLU, says this is the crux of the whole Equities process.
"How they make the decision about which interest to prioritize when they find the zero day vulnerability [is] the decision that everything rides on," he says. "But at no point …. have government officials ever explained how they're going to balance these competing interests and how they're going to ensure that the cybersecurity voices at the table will be as loud and respected as the law-enforcement voices."