Federal agencies served with a Freedom of Information Act request are refusing to release documents related to their purchase, use and disclosure of zero-day exploits, keeping the American public in the dark about a practice that leaves the Internet and its users less secure.
Zero-day exploits are software programs that take advantage of security vulnerabilities in software that are unknown to the software’s manufacturer. These exploits are frequently used by intelligence agencies and the military as well as, we suspect, by federal law enforcement agencies. But they can be used by any attacker, whether that attacker works for the U.S. government, a foreign government, a criminal group, or anyone else. Zero-day vulnerabilities and the tools that exploit them are extremely powerful, because until the flaw is known and fixed there is very little that potential targets can do to protect themselves.
But the effectiveness of such exploits depends on their secrecy—if the companies that make the affected software are told about the flaws, they will issue software updates to fix them. Governments thus have a strong incentive to keep information about the exploits they have developed or purchased secret from both the public and the companies who create the software we all use.
On February 5, we received a response from the Office of the Director of National Intelligence (ODNI) to a Freedom of Information Act request we filed for the disclosure of guidance or directives related to the government’s policies for the purchase, discovery, disclosure and exploitation of zero-days. The ODNI claimed that these records are classified under Executive Order 13526, Section 1.4(c), which permits the classification of information that pertains to “intelligence activities (including covert action), intelligence sources or methods, or cryptology” if its disclosure could reasonably be expected to cause damage to national security. This response is consistent with the Obama administration’s refusal to make public most information related to its surveillance and cybersecurity policies.
The formal United States policy regarding zero-day exploits, published in April 2014, states that federal agencies should reveal any major flaws in Internet security to companies in order to ensure that they are promptly resolved. However, this policy also carves out a broad exception for flaws that are being exploited for national security or law enforcement purposes—a loophole that effectively ensures that the government can and will continue to quietly exploit zero-days without warning companies or individuals of their existence. It is also unclear whether this policy applies only to zero-days that government employees discover, or whether it also applies to vulnerabilities and exploits purchased from defense contractors, boutique security firms and exploit brokers.
While zero-day exploits are no doubt useful to U.S. law enforcement and intelligence agencies, their use raises serious public policy concerns. Zero-days are also regularly used by foreign, hostile governments, criminals and hackers engaging in cyberattacks. That means our government’s choice to purchase, stockpile and use zero-day exploits instead of promptly notifying manufacturers is effectively a choice to leave both the Internet and its users less secure.
This policy of prioritizing cyber offense over defense is highly problematic, particularly given Congress and the White House’s recent focus on cybersecurity. On February 2, Obama pledged $14 billion towards improving cybersecurity defenses, and proposed new legislation intended to help prevent cyberattacks, some form of which is expected to pass through Congress this legislative session. If, as we are told, cybersecurity is such a top priority for the government, federal agencies should be doing everything in their power to ensure that vulnerabilities are fixed as soon as they are discovered, not months or years later, after they have been fully exploited by law enforcement and intelligence agencies.
At a time when cybersecurity legislation that would weaken existing privacy laws is being pushed through Congress, the American public deserves to know more about the government’s policies regarding the purchase, use and disclosure of zero-days. There is an important public debate that must be had about the government’s role in cybersecurity, but without documents like the ones we have requested, this debate cannot take place.