By: William Haynes, Columnist
Photo Credit: Wikimedia Commons
Established under President Barack Obama in 2014, the Vulnerabilities Equities Process (VEP) is an interagency framework used to determine whether the US government and its contractors should disclose software and hardware vulnerabilities to the public and private sector or foreign allies.[i] Prior to this, government agencies often made their disclosure decisions without consulting with one another.[ii] The VEP was intended to force agencies to work together to ensure vulnerabilities were disclosed if they posed significant risks. However, the VEP framework itself is not codified into law, and agencies are not legally required to vet vulnerabilities.[iii] The framework also contains significant loopholes and challenges that hinder both government transparency and operational efficiency.
Zero-day vulnerabilities are hardware or software vulnerabilities that have yet to be discovered and patched by the developer or manufacturer.[iv] When armed with this knowledge, governments or individuals can create code to exploit the vulnerability, potentially allowing for access to sensitive system information or parts, or the ability to control a system remotely.[v] The most famous zero-day exploit is Stuxnet, a joint US-Israeli cyber-physical operation that sabotaged Iranian nuclear centrifuges.[vi]
The potential to harness zero-days for governmental and criminal operations makes them extremely valuable. For this reason, a gray market has emerged for the buying and selling of zero-day vulnerabilities and exploits.[vii] Private companies and individual hackers sell exclusive rights to zero-days to militaries, criminals, and governments, and prices can reach up to $1 million depending on an exploit’s potential.[viii] Moreover, the price of zero-day vulnerabilities is justified because they remain undiscovered, on average, for seven years.[ix] While the vulnerability itself may not be useful for that long, governments often use known exploits over their zero-day capabilities because their investment becomes worthless the moment the zero-day is discovered and patched.[x] This means that under the VEP, the US government can hypothetically withhold knowledge of vulnerabilities indefinitely, providing the time and opportunity for others to discover and potentially exploit these zero-days first.
The public and private sector have increasingly called for full transparency of the VEP and disclosure of all known exploits. According to National Security Agency (NSA) Director Admiral Michael Rogers, the NSA shares more than 90% of the vulnerabilities it discovers.[xi] However, the VEP currently provides a loophole that exempts any vulnerabilities discovered before 2014 from the vetting process. This is problematic for transparency given the long shelf life of a zero-day. The VEP also allows agencies to retain knowledge of vulnerabilities for monitoring and intelligence gathering, such as the NSA’s use of the Cisco vulnerability that was leaked to the public in 2016.[xii] Moreover, the VEP framework fails to provide a timeframe for disclosure of vulnerabilities.[xiii] A RAND study of 200 zero-days discovered between 2002 and 2016 found that only roughly 40% of these vulnerabilities were disclosed or detected.[xiv] A serious undisclosed vulnerability could provide malicious actors with the opportunity to create damage and devastation, such as cyber-physical attacks on critical US infrastructure.
From an intelligence and operational perspective, the VEP framework hinders the use of exploits in cyber operations. As vulnerabilities are used both offensively and defensively, government agencies run their own internal equity process before reporting vulnerabilities to the interagency body responsible for the VEP.[xv] This creates a web of bureaucratic oversight in which some agencies may lack the appropriate training or knowledge of specific intelligence, offensive, or defensive operations to make an appropriate disclosure decision.[xvi] This bureaucracy puts US cyber operations at an immediate disadvantage because adversaries are unlikely to face similar roadblocks in deploying their cyber capabilities.[xvii] Additionally, the United States’ zero-day arsenal remains relatively small, and calls by the public to disclose all known vulnerabilities jeopardize their future in cyber operations.[xviii] Full transparency and disclosure of all known vulnerabilities would also create a disincentive for future US government purchases of zero-days, as there would be no return on investment. This would mean that even fewer vulnerabilities would be disclosed and patched, and it would give adversaries or malicious actors first pick of newly discovered zero-days for sale on the gray market.
There is room to increase the efficiency of the VEP while supporting transparency in the system. Codifying the VEP into law would provide a greater level of trust in the system. It would also ensure that defensive and offensive cyber capabilities and needs are weighed against other national security priorities.[xix] Greater transparency and reporting are needed to help the public and private sector understand the VEP decision-making process. While the VEP has its flaws, it must be noted that it is the only review process of its kind in the world.[xx] The United States is in a position to establish strong disclosure and transparency norms in handling zero-day exploits if it can manage to codify the VEP into law, simplify the process, and bolster public trust.
[i] National Security Agency, “Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process,” Washington, DC, https://www.eff.org/files/2015/09/04/document_71_-_vep_ocr.pdf
[ii] Jason Healey, “The U.S. Government and Zero Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers,” Journal of International Affairs, November 01, 2016, https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process
[iv] Stephen M. Maurer, “A market-based approach to cyber defense: Buying zero-day vulnerabilities,” Bulletin of the Atomic Scientists, March 14, 2017, http://thebulletin.org/market-based-approach-cyber-defense-buying-zero-day-vulnerabilities10621
[v] Lillian Ablon and Andy Bogart, “Zero Days, Thousands of Nights,” RAND Corporation, March 9, 2017, http://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf
[vi] Joseph Menn, “NSA says how often, not when, it discloses software flaws.”
[vii] Lillian Ablon and Andy Bogart, “Zero Days, Thousands of Nights”; Joseph Menn, “NSA says how often, not when, it discloses software flaws,” Reuters, November 6, 2015, http://www.reuters.com/article/us-cybersecurity-nsa-flaws-insight-idUSKCN0SV2XQ20151107
[x] Stephen M. Maurer, “A market-based approach to cyber defense: Buying zero-day vulnerabilities”; Jason Healey, “The U.S. Government and Zero Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers.”
[xi] Joseph Menn, “NSA says how often, not when, it discloses software flaws,” Reuters, November 6, 2015, http://www.reuters.com/article/us-cybersecurity-nsa-flaws-insight-idUSKCN0SV2XQ20151107
[xii] Michelle Drolet, “Does the NSA have a duty to disclose zero-day exploits,” Network World, September 12, 2016, www.networkworld.com/article/3118735/security/does-the-nsa-have-a-duty-to-disclose-zero-day-exploits.html
[xiv] Lillian Ablon and Andy Bogart, “Zero Days, Thousands of Nights.”
[xv] Jason Healey, “The U.S. Government and Zero Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers.”
[xvi] Dave Aitel and Matt Tait, “Everything You Know About the Vulnerability Equities Process Is Wrong,” Lawfare, August 18, 2016, https://www.lawfareblog.com/everything-you-know-about-vulnerability-equities-process-wrong
[xviii] Dave Aitel and Matt Tait, “Everything You Know About the Vulnerability Equities Process Is Wrong”; Jason Healey, “The U.S. Government and Zero Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers.”
[xix] Jason Healey, “The U.S. Government and Zero Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers.”