A zero-day vulnerability refers to a penetrable hole in commercial software (like Windows) that is unknown to the vendor. These holes are then exploited by hackers before the vendor becomes aware of them and can respond with a fix.

In April 2014, the major U.S. technology vendors secured a commitment from the Obama administration that it would not hoard, but rather disclose on an ongoing basis, serious vulnerabilities, exploits, bugs or “zero days” to Apple, Google, Microsoft, and other U.S.-based manufacturers.


The point is that serious vulnerabilities, known yet not disclosed to the vendors of the affected products, place all end-user businesses, customers, and critical infrastructure at risk from cyber criminals who discover these holes and figure out how to attack them for information theft, manipulation, or destruction. This is a driver of the dramatic increase in cyberattacks and data breaches that we have seen over the last two years.

With the Vault 7 dump from WikiLeaks, we see clearly that the Obama administration’s 2014 commitments were nothing more than lip service to a constituency who needed to feel secure that the CIA and the NSA would “do the right thing” and disclose vulnerabilities — but if you parse the language, you will also see that the legal structure below the speechifying gave the agencies free rein to do whatever they pleased.

We have seen zero-day vulnerabilities in customer networks that have been dormant for years, and a recent study by RAND Corporation, which examined over 200 security flaws, 40 percent of which had been previously unknown, found that these holes can lie dormant for up to 10 years. That’s a lot of hoarding.


They also found that it only took an average of 22 days from discovery to successful breach.

By hoarding these vulnerabilities, the CIA is expanding the threat landscape for a broad variety of attackers, many of which have sophisticated exploit strategies that rely on continual exploitation of vulnerabilities over a lengthy time horizon. Morphing malware strains in order to avoid detection in the conduct of continuous ongoing data manipulation is one technique that is designed to leverage aging zero-day vulnerabilities. Watch your bank account balances closely.

A classic example of CIA malware revealed in the Vault 7 dump was an arsenal of 24 Android zero-day vulnerabilities that the agency had developed to penetrate and control Android phones and related software, such as the apps that handle Twitter messaging. The obvious downside to the CIA stockpiling yet not disclosing these vulnerabilities is that cyber criminals are able to do the same thing. And faster.

Why this is desirable to some is based on the theory that if our intelligence agencies keep knowledge of these vulnerabilities secret, it prevents our adversaries from knowing about them and either correcting or protecting against inbound attacks.


Keeping holes secret would allow our intelligence guys to retain an offensive advantage when going after other nation states. Stuxnet is the poster child for such a weapon. It was the first known malware specifically designed to go after real-world infrastructure, with attack mechanisms that targeted several previously unknown and unpatched (zero-day) vulnerabilities in Windows. In that case, the target was Iran's nuclear program and the method was the disruption of its uranium enrichment centrifuges.

If we somehow managed to get the intelligence agencies to disclose these vulnerabilities as promised, we would have far fewer of our own attack surfaces to worry about — but so then would our adversaries. This would make both life and mission very difficult for those charged with looking after our national defense. It would also greatly hinder our ability to launch cyberattacks like Stuxnet and cause the suctioning back of our offensive cyber-capabilities.


I personally am a proponent of increased cyberwarfare capabilities, a better balanced battle-space, and the ability to gather as much intelligence about the bad guys as we can assemble. But we also need to recognize that we are in the middle of a complex and expanding digital puzzle where modern networking technology has made the world smaller and more immediate, and the increasing zeal by all nation-states to monitor their citizens and networks is threatening to destroy an open internet and the global economy along with it.

Our best hope is that the Trump administration sees this dilemma as a business problem and works to get the key players together on a single team. This means that the intel guys would forge a committed side-by-side working arrangement with the technology guys toward two important goals. One, we need a safer U.S. cyber landscape with an impenetrable, multi-layered cyberdefense shield to protect our critical infrastructure and two, we need a more secure U.S. business environment both for its direct participants whose cybersecurity is now continually at stake and our citizens whose personal and financial information is at an ever-increasing risk.

Above all, we need a political decision. We need to decide either that our intel agencies should be allowed to continue unabated in their quest for cyberwarfare superiority, unencumbered by constitutional oversight of their activities — or that we insist they stop withholding mutually destructive secrets, abide by the spirit of the privacy and transparency commitments that have been declared to the American public, and work with, not around, the private sector.

We can’t have both.

Steve King is the COO and CTO of Netswitch Technology Management.