The White House’s directive to limit the use of software flaws by U.S. intelligence agencies could require the disclosure of thousands of precious exploits now in the hands of elite spying units, intelligence professionals say.
The stockpile of exploits is derived from vulnerabilities not just in ordinary computer software, but also in industrial controllers, heating and cooling systems, printers, anti-virus software, video conferencing systems and encryption protocols.
The exploits, typically based on simple oversights and flaws in computer code that hackers can use to take control of most anything that runs with the help of a computer chip, are considered essential to gathering some of the most valuable U.S. intelligence.
Richard Clarke, a member of a presidential panel reviewing National Security Agency practices, said the White House issued guidance to the entire intelligence community three weeks ago largely in line with his panel’s earlier recommendation that the vulnerabilities be used rarely and only for the most important intelligence goals. Otherwise, the security flaws could be disclosed to protect computer users everywhere from rogue hackers.
The presidential guidance was made public for the first time on April 11 in response to a Bloomberg News report that the agency had been using a type of flaw called Heartbleed and leaving consumers vulnerable in their Web communications.
Compliance with the directive will be a challenge within the NSA, a highly compartmentalized agency with elite groups who work on different missions and who guard their tools jealously.
Perhaps the biggest question is how much will change given the broad exception in the new policy that allows a computer vulnerability to be kept secret if it is justified for critical intelligence and law enforcement purposes.
Limiting the use of such exploits “would hamstring the ability of the intelligence organizations to do their mission,” said Jason Syversen, who formerly worked on cyberwar projects for the Pentagon and now runs a New Hampshire company called Siege Technologies that develops cyberwar tools. “That’s like saying spies are only allowed to lie some of the time but still have to do their job.”
The NSA review panel, which was created after leaks by former contractor Edward Snowden, released its recommendations in January. Although some of the recommendations were adopted quickly, the subject of disclosing flaws prompted an extensive debate that has continued.
The presidential guidance led to a high-level re-assessment of the policy, but substantive change in the process will be a task for the new NSA director, Admiral Michael S. Rogers, according to a senior administration official who declined to be quoted by name when discussing the process. The specific text of the guidance hasn’t been released. The panel’s suggestion was that the flaws be used only for short periods before being made public.
“We endorsed that recommendation and explained that we would use an NSC-led process to review and, as necessary, adjust existing processes related to this topic,” Caitlin Hayden, a spokeswoman for the National Security Council, said in a statement today. “That review is complete.”
Until now, NSA’s elite cyberspies have had great leeway to develop, stockpile and use vulnerabilities, according to three people familiar with the process. The agency’s main unit for gathering intelligence through hacking, Tailored Access Operations, or TAO, is among the groups that spend heavily to research and develop the flaws. It does so with the support of in-house experts as well as military contractors who use expensive and sophisticated tools that scan billions of lines of code.
These zero-day flaws, so named because zero days pass between the attack and the public discovery, help government hackers to remain undetected and to proceed quickly if needed. Using other methods to hack systems stalls the process, and security experts warn that lag could be detrimental in a national emergency.
Some of these flawed systems go to the heart of the way any computer user communicates. In response to questions from Bloomberg News about the new presidential guidance, the NSA issued a statement again Sunday that it had never used the so-called Heartbleed bug, a glitch in a widely used form of Internet traffic called OpenSSL. “That is the ground truth,” said Vanee Vines, the agency’s spokeswoman.
Two people familiar with the matter said that the agency was aware of the flaw and had used it as part of the intelligence gathering toolkit, as reported by Bloomberg News last week.
Information released previously by Snowden showed that the agency had a program, codenamed BULLRUN, to try to crack SSL.
The NSA has more than one way to circumvent the security of SSL and OpenSSL, a free version of the protocol, according to new information provided by the two people, who asked not to be identified because they were not authorized to speak about it.
One work-around involves not defeating the SSL software itself but breaking into a different system on the targeted computer on which the software depends, according to one of the people. While disclosing that method might increase computer security generally, the NSA might consider that a hacking technique instead of an SSL vulnerability.
NSA spokeswoman Vines declined to comment on the NSA’s intelligence-gathering methods.
The matter is further complicated because a bug like Heartbleed has to be turned into a specific exploit, a process that can branch out quickly, creating a class of vulnerabilities rather than just a single one. Small differences in the way a platform like OpenSSL is exploited could lead to differing conclusions about whether the exploits are the same.
“Maybe it’s not Heartbleed, maybe it’s what they call alpha green, and alpha green is something that sends a packet to OpenSSL and creates an information leak,” said Syversen. “It’s going to be challenging to conclude whether it’s the exact same technique or not.”
Implementing the new guidelines -- described by the White House as reinvigorating an existing process for determining when zero days should be disclosed -- will require institutional barriers to be swept away, said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council in Washington.
TAO, for example, is not required to share all the exploits it uses, even with other units in the NSA, according to two people familiar with the procedures, who asked not to be named because they weren’t authorized to speak on the matter. That includes the NSA Threat Operations Center, which is responsible for protecting government and military computers.
Vines declined to comment on the NSA’s disclosure rules or changes planned as part of the new guidance.
The White House discussion about the government’s policy for its arsenal of zero days represents a major step forward despite shortcomings in the policy itself, said Christopher Soghoian, principal technologist with the American Civil Liberties Union. The government has reserved the right to stockpile bugs that it believes are in the interest of national security or law enforcement.
“The policy has a loophole so big that you could drive a truck through it,” Soghoian said in a telephone interview. Still, he said the presidential acknowledgment of the policy and the discussion about it is “a really big shift.”
Additionally, it’s unclear whether the agency will apply the new guidance only to newly discovered vulnerabilities or whether it will also include the existing stockpile, which represents millions of dollars of research and development, the Atlantic Council’s Healey said. “I could see them grandfathering all of that in,” he said.
If those vulnerabilities are disclosed, it will be discreetly, through direct contacts with software and hardware vendors, Healey said.
The only way to detect that may be through a sudden uptick in software patches from major vendors who are suddenly fixing flaws previously known only to the NSA, he said.