The Obama administration is letting law enforcement keep computer-security flaws secret in order to further U.S. investigations of cyberspies and hackers.
The White House has carved out an exception for the Federal Bureau of Investigation and other agencies to keep information about software vulnerabilities from manufacturers and the public. Until now, most debate has focused on how the National Security Agency stockpiles and uses new-found Internet weaknesses, known as zero-day exploits, for offensive purposes, such as attacking the networks of adversaries.
The law enforcement operations expose a delicate and complicated balancing act when it comes to agencies using serious security flaws in investigations versus disclosing them to protect all Internet users, according to former government officials and privacy advocates.
“You might have a bad guy using a zero-day to attack a nuclear facility,” Steven Chabinsky, a former deputy assistant director in the FBI’s cybersecurity division, said in a phone interview. “The FBI doesn’t disclose that vulnerability because they don’t want to tip their hand.”
President Barack Obama’s administration is grappling with how to use Internet flaws for offensive and defensive purposes, and when they should be disclosed to software manufacturers or the public so they can be fixed. The debate became public after disclosures by Edward Snowden about NSA spying and intensified over questions about whether the agency knew of the Heartbleed bug and kept silent about it, which the government has denied.
Computer flaws that are unknown to software and hardware developers are referred to as zero-day, a reference to developers having had zero days to correct the vulnerabilities. When the Obama administration said April 11 that the U.S. government should disclose zero-day flaws used in cyberspying, it left two exceptions, including one for a clear “law enforcement need.”
While the FBI doesn’t use zero-day exploits, it does conduct extensive counterespionage, secretly watching the hackers of other nations as they attack U.S. computer networks, Chabinsky and other former agency cybersecurity officials said.
Some of those investigations can go on for years, which means U.S. law enforcement may leave global users of the Internet vulnerable for lengthy periods.
In that role, the bureau can see zero-day exploits being used by attackers, said Chabinsky, who is now an executive with the computer-security company CrowdStrike Inc., based in Laguna Niguel, California.
Law enforcement agencies should find ways to disclose zero-day flaws so they can be fixed, and should keep them secret only in extreme scenarios, such as when it’s necessary to prevent the loss of lives, Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation, based in San Francisco, said in a phone interview.
“The default should be to disclose,” Gillula said. “If it’s super important intelligence and the vulnerability isn’t much of a risk to the core Internet infrastructure, then maybe they could consider not disclosing it right away. I would say those scenarios are few and far between.”
The Obama administration also should release more details about its policy for keeping the flaws secret, Gillula said.
“We’re not asking them to disclose the specifics of any particular investigation,” he said. “It’s the same way that it’s useful to know when the police have the authority to go get a warrant.”
Whenever the FBI receives and identifies credible intelligence about a computer vulnerability, it will “work proactively with other government agencies and private sector partners to mitigate such gaps and prevent crimes from occurring,” the bureau said in an e-mailed statement.
Disclosing a computer vulnerability could mean losing “an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” Michael Daniel, the White House cybersecurity coordinator, said in an April 28 blog post.
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” he said.
“But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run,” Daniel said. “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”
The administration has established “a disciplined, rigorous and high-level decision-making process” in deciding whether to disclose flaws, although “there are no hard and fast rules,” Daniel said.
Questions Daniel said he would want answered include how important a vulnerable system is to core Internet infrastructure or the U.S. economy, and whether the flaw could be used for a short period of time before it’s disclosed.
The FBI also hacks into computers and networks of adversaries using what are known as remote access operations, coordinated by a team at the bureau’s facility in Quantico, Virginia, said a former government official. Most of the malware and computer exploits used are available for purchase online, and the operations are authorized by warrants specifying the targeted devices, the official said in a phone interview.
Chabinsky said zero-day flaws developed by the U.S. are considered classified and “there is no situation that I can imagine when the intelligence community would allow a classified tool to be used in a criminal investigation.”
The FBI has agents attached to NSA’s elite hacking units, a national security source has said. If those units detect an attack from outside the U.S., FBI liaisons can track possible targets on U.S. soil, which the NSA is prevented from doing, Chabinsky said.
The potential for law enforcement agencies to find and exploit zero-day flaws raises serious privacy and policy concerns, said Michael German, a fellow at the Brennan Center for Justice at the New York University School of Law.
“Certainly it appears inappropriate for a government agency responsible for all of our security to allow a security vulnerability to exist,” German, a former FBI agent, said in a phone interview.
Another concern is that other government agencies, like the Drug Enforcement Administration, Secret Service or state and local law enforcement, will obtain the capacity to exploit secret security gaps, Christopher Soghoian, principal technologist for the American Civil Liberties Union, said in a phone interview.
Agencies may mistakenly send malware to the computers of innocent users, with the potential to disrupt networks that operate power grids, banks or other critical infrastructure, Soghoian and German said.
“It’s something that fundamentally threatens the security of the Internet,” Soghoian said. “It’s a technique that puts the public at risk.”