The Dangers of Keeping Vulnerabilities Secret
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
A zero-day vulnerability is a flaw in software (the Windows operating system is a common example) that is unknown to the vendor, who has therefore had "zero days" to fix it. Attackers who know about such a hole can exploit it until the vendor learns of it and ships a patch, and anyone who has not yet applied that patch remains exposed.
In April of 2014, the major U.S. technology vendors secured a commitment from the Obama administration that the government would not hoard serious vulnerabilities, exploits, bugs or "zero days" but would instead disclose them on an ongoing basis to Apple, Google, Microsoft and other U.S.-based manufacturers so that they could be fixed.
The point, of course, is that a serious vulnerability that is known but not disclosed to the vendor of the product leaves every end-user business, customer and piece of critical infrastructure running that product at risk from cyber criminals who independently discover the same hole and work out how to attack it for information theft, manipulation or destruction. Undisclosed vulnerabilities are one driver of the dramatic increase in cyberattacks and data breaches that we have seen over the last two years.
With the Vault7 dump, we can see clearly that the Obama administration's 2014 commitments were little more than lip service to a constituency that needed to feel secure that the CIA and the NSA would "do the right thing" and disclose vulnerabilities. If you parse the language, you will also see that the legal structure beneath the speechifying gave the agencies free rein to do whatever they pleased.
We have seen zero-day vulnerabilities in customer networks that lay dormant for years, and a recent study by the Rand Corporation, which examined over 200 security flaws, 40% of which were previously unknown to the public, found that such holes can lie dormant for as long as 10 years. That's a lot of hoarding.
They also found that once a vulnerability has been discovered, it takes a median of only 22 days to develop a fully working exploit for it.
By hoarding these vulnerabilities, the CIA expands the threat landscape for a broad variety of attackers, many of whom run sophisticated campaigns that depend on exploiting the same vulnerabilities repeatedly over a long time horizon. One such technique is to keep repackaging (morphing) a malware strain so that signature-based defenses no longer recognize it, while the underlying exploit of an aging but still unpatched zero-day stays the same and the malware quietly manipulates data for months or years. Watch your bank account balances closely.
A classic example of CIA tooling revealed in the Vault7 dump was an arsenal of 24 Android zero-day vulnerabilities that the agency had developed or acquired to penetrate and control Android phones, and with them the messaging software running on those phones: whoever controls the handset can read a message before the app encrypts it, so the app's own encryption offers no protection.
The obvious downside to the CIA stockpiling these vulnerabilities rather than disclosing them is that cybercriminals can find and stockpile the very same holes. And they move faster.
Those who find this desirable base that view on the theory that if our intelligence agencies keep knowledge of these vulnerabilities secret, our adversaries will not learn of them and so will be unable either to patch them or to protect against inbound attacks that use them.
Keeping the holes secret would allow our intelligence agencies to retain an offensive advantage when going after other nation states. Stuxnet is the poster child for such a weapon. It was the first known malware specifically designed to attack real-world infrastructure, and it spread and escalated using several previously unknown and unpatched (zero-day) vulnerabilities in Windows before tampering with the industrial controllers it was actually after. In that case the target was Iran's nuclear program and the method was the disruption of its uranium enrichment centrifuges.
If we somehow managed to get the intelligence agencies to disclose these vulnerabilities as promised, we would have far fewer of our own attack surfaces to worry about, but so would our adversaries. That would make both life and mission very difficult for those charged with looking after our national defense. It would also greatly hinder our ability to launch cyberattacks like Stuxnet and would roll back our offensive cyber-capabilities.
I personally am a proponent of increased cyberwarfare capabilities, a better balanced battle-space and the ability to gather as much intelligence about the bad guys as we can assemble. But we also need to recognize that we are in the middle of a complex and expanding digital puzzle where modern networking technology has made the world smaller and more immediate, and the increasing zeal of all nation states to surveil their citizens and monitor their networks is threatening to destroy an open Internet and the global economy along with it.
Our best hope is that the current administration sees this dilemma as a business problem and works to get the key players onto a single team. That means the intelligence agencies forging a committed, side-by-side working arrangement with the technology companies toward two important goals.
One, a safer U.S. sovereignty with a resilient, multi-layered cyber-defense to protect our critical infrastructure; and two, a more secure U.S. business environment, both for its direct participants, whose cybersecurity is now continually at stake, and for our citizens, whose personal and financial information is at ever-increasing risk.
But more than that, we need a political decision. Either we decide that our intelligence agencies should be allowed to continue unabated in their quest for cyber-warfare superiority, unencumbered by constitutional oversight of their activities, or we insist that they stop withholding mutually destructive secrets, abide by the spirit of the privacy and transparency commitments that have been made to the American public, and work with, not around, the private cyber-technology sector.
We can’t have both.