‘Cyber’ has now crept into every element of national security. Cybersecurity is “everything” security. But everything security is a recipe for insecurity if it results in a failure to prioritize and to focus resources where they can be used most effectively. This is the huge challenge for any organization working on this issue, including the congressional intelligence committees. If those committees want to make a singular, genuine impact on this emerging threat, they should focus on oversight of the Administration’s zero-day vulnerability disclosure process.
Zero-day vulnerabilities are flaws in software and hardware that aren’t known to the companies or developers that make the technology. Those vulnerabilities can provide a useful tool to intelligence services, as well as to criminal groups and other nefarious actors. The Stuxnet computer worm that attacked Iranian centrifuges in 2010 utilized several zero-day vulnerabilities. It has often been suggested that the National Security Agency (NSA) has a huge ‘stockpile’ of such vulnerabilities that it uses to conduct surveillance operations.
As valuable as these vulnerabilities might be to intelligence services, they can also become a threat to millions of computer and Internet users in the United States and around the globe if they are present in widely used software and hardware. This is why many have suggested that organizations like NSA should disclose the vulnerabilities they discover and allow the broader public to reap the security benefits of disclosures.
In April, in response to apparently unfounded concerns that NSA had known about the Heartbleed vulnerability, the White House Cybersecurity Policy Coordinator Michael Daniel commented publicly about the Administration’s zero-day disclosure process. Here is how he characterized the issues:
[T]here are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.
Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.
Daniel went on to describe a “re-invigorated” interagency process put in place in 2014 dedicated to weighing the pros and cons and determining whether a zero-day known to the U.S. government should be disclosed. He also listed nine questions that need to be answered whenever an agency proposes withholding knowledge of a vulnerability. This new process apparently improved upon a process originally established in 2010 and run by NSA.
Zero-day vulnerability disclosure decisions require a careful balancing that will be difficult to achieve under the best of circumstances. This is made all the more difficult by the fact that, regardless of whatever process is put in place, incentives will still favor non-disclosure. The benefits of disclosure are broad and global while any cost will be felt acutely by intelligence services that will lose capabilities. The current process in essence depends on the benign hegemony of the executive branch in cyberspace.
This is why it is so important for the intelligence committees to engage on this issue and make it a top oversight priority; because those committees are the sole organizations that can do a thorough, independent review of the new policy process. They should seek to determine how well this new process is functioning by asking a few basic questions, such as:
How often do vulnerabilities come up for review? What are the answers to those questions Daniel posed? How often does this interagency process choose to withhold knowledge of a vulnerability? And, most importantly, do those answers suggest the Administration is achieving the ultimate goal of balancing vulnerability exploitation with disclosure?
Another good place to start on this issue would be to examine the vulnerability disclosure process that began in 2010. That earlier process wasn’t up to snuff and needed to be “re-invigorated.” Identifying the weaknesses in that earlier process might help improve the new one.
Because of the mismatch of incentives described above, we should expect the Administration’s new process to fail if left to its own designs. When cybersecurity is everything security, such a failure could have staggering implication. The intelligence committees need to exercise their oversight responsibilities to ensure this process succeeds.