We Can’t Rely on Our Own Governments to Practice Responsible Full Disclosure. Full Disclosure is Compromised.
Recorded Future, a threat intelligence provider, recently published a study claiming that China’s National Vulnerability Database acts as a clearing house for vulnerabilities of interest and high operational value for nation state hacking. The study makes for interesting reading. The high level summary: Recorded Future compared the publication dates of vulnerabilities in the US National Vulnerability Database (NVD) and China’s National Vulnerability Database (CNNVD) to determine which one is faster at processing and releasing vulnerabilities. Overall, CNNVD was quicker for most vulnerabilities, with the exception of a set that Recorded Future, in an initial analysis six months earlier, had classified as statistical outliers. In a more recent analysis, Recorded Future noticed that the CNNVD publication dates for those statistical outliers had been tampered with and retroactively altered to better align with the NVD publication dates. Many of these were high severity vulnerabilities.
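The comparison described above can be reproduced on any two snapshots of a vulnerability feed. The following is an added example, not code from the Recorded Future study: it computes the CNNVD-versus-NVD publication lag per entry, flags lag outliers with a median absolute deviation rule, and detects entries whose publication date moved earlier between two snapshots. The CVE identifiers, dates and the choice of a MAD threshold of 3 are constructed placeholders.

```python
from datetime import date
from statistics import median

# Constructed sample data (placeholder CVE ids, not real vulnerabilities):
# NVD publication dates and two CNNVD snapshots fetched some months apart.
NVD = {
    "CVE-0000-0001": date(2017, 3, 14),
    "CVE-0000-0002": date(2017, 4, 2),
    "CVE-0000-0003": date(2017, 4, 20),
    "CVE-0000-0004": date(2017, 5, 9),
    "CVE-0000-0005": date(2017, 6, 1),
}
CNNVD_FIRST = {  # first snapshot: one entry published months after NVD
    "CVE-0000-0001": date(2017, 3, 12),
    "CVE-0000-0002": date(2017, 3, 31),
    "CVE-0000-0003": date(2017, 4, 19),
    "CVE-0000-0004": date(2017, 8, 20),
    "CVE-0000-0005": date(2017, 5, 30),
}
CNNVD_LATER = dict(CNNVD_FIRST)  # second snapshot: the late entry is backdated
CNNVD_LATER["CVE-0000-0004"] = date(2017, 5, 8)


def lag_days(cnnvd, nvd):
    """Publication lag per CVE; positive means CNNVD published after NVD."""
    return {cve: (cnnvd[cve] - nvd[cve]).days for cve in nvd if cve in cnnvd}


def outliers(lags, k=3.0):
    """CVEs whose lag is more than k median absolute deviations from the median.
    MAD is floored at 1 day so a tightly clustered feed does not divide by zero."""
    vals = list(lags.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1
    return sorted(cve for cve, v in lags.items() if abs(v - med) / mad > k)


def backdated(first, later):
    """CVEs whose publication date moved earlier between two snapshots."""
    return sorted(cve for cve in first if cve in later and later[cve] < first[cve])


if __name__ == "__main__":
    print("outliers, first snapshot:", outliers(lag_days(CNNVD_FIRST, NVD)))
    print("outliers, later snapshot:", outliers(lag_days(CNNVD_LATER, NVD)))
    print("backdated between snapshots:", backdated(CNNVD_FIRST, CNNVD_LATER))
```

Run on the constructed data, the outlier is visible only in the first snapshot; the second snapshot looks unremarkable on its own, which is why comparing retained snapshots, not a single fetch, is what exposes the retroactive edit.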
Recorded Future’s conclusion is that these vulnerabilities were purposefully delayed, with an effort to hide the delay. CNNVD has close ties with China’s Ministry of State Security (MSS), the intelligence agency responsible for counterintelligence, foreign intelligence and political security, so the assumption is that these vulnerabilities were evaluated for their potential value in intelligence operations. Recorded Future goes as far as stating that they believe that CNNVD is actively used as a mechanism to identify and collect vulnerabilities for the MSS.
China seems to be content with being able to weaponize the vulnerabilities discovered via CNNVD for a limited time before disclosing them. That limited time, however, is all that is necessary to successfully hack a target or adversary, gain a foothold or exfiltrate data. The period immediately after first discovery is exactly when the value of a vulnerability is highest and the risk of a third party rediscovering it is lowest.
Undisclosed Zero days and the new normal
We know that China is not the only nation state actively engaged in finding and leveraging zero day vulnerabilities for intelligence work. EternalBlue, the Windows vulnerability first publicly disclosed in the Shadow Brokers leak and then implicated in the global WannaCry ransomware cryptoworm outbreak in May 2017, was also known to at least one nation’s intelligence service, allegedly the U.S. National Security Agency, which had weaponized the vulnerability for deployment in offensive hacking. In the case of the USA, however, there is a policy in place (the Vulnerability Equities Process, VEP) under which vulnerabilities should generally be disclosed to vendors to permit the development and publication of patches and the disclosure of the vulnerability. Intelligence agencies must argue their case to the Equities Review Board, chaired by the National Security Council (NSC), if they wish to keep a vulnerability secret. The process itself is opaque, with some indication that for specific vulnerabilities the rationale for decision making has erred on the side of incaution. The process was also not retroactively applied to vulnerabilities discovered before 2014, when the policy was strengthened.
In reality, we don’t know how many vulnerabilities are being hoarded by nation states or how much the full disclosure process has been undermined because of it. In the case of CNNVD and the MSS, we can infer that it is occurring on an industrial scale in China. How truly “independent” national vulnerability programs and CERTs are elsewhere, and how autonomous they are from the intelligence agencies, is a matter of speculation and will depend on the checks and balances that have been put in place. My own cynical view and estimate based on “realpolitik” is that responsible full disclosure of vulnerabilities has been undermined and co-opted wherever possible and feasible. We must assume that there are far more vulnerabilities than we are aware of.
The prisoner’s dilemma applied to vulnerability disclosure
It is understandable that nation state intelligence agencies are reluctant to share what they consider to be a competitive advantage that offers unique opportunities to conduct espionage and covert actions.
Of course, game theory features prominently in these scenarios. If you alone share you give up a competitive advantage. If your adversaries don’t, you have given away something for free without gaining anything in return. Even if all parties disclose some vulnerabilities, you can never know what is being kept back. It’s the typical prisoner’s dilemma problem applied to vulnerability disclosure.
Recent history has proven that this advantage is a double-edged sword. If one nation’s intelligence agencies have discovered a vulnerability, chances are high that other countries’ agencies have too, or will soon. A study released in 2017 by Trey Herr, Bruce Schneier and Christopher Morris found an aggregated vulnerability rediscovery rate of 12.7%, rising to 16.9% for the highest severity bugs. A study along similar lines from the RAND Corporation, sadly based on an undisclosed data set, arrived at a rediscovery rate of only 5.7%. A further analysis focused on Windows vulnerabilities by Risk Based Security indicates an uptick in discovered vulnerabilities since 2014, something that they attribute to the increase in bug bounty and similar programs. All three indicate that there is a chance of independent vulner
The problem with these studies is that they rely on publicly available data to analyze the rediscovery rate after a vulnerability has been disclosed. RAND claims to have had access to “true” secret zero days, but without knowing the source, the value of this is difficult to assess. The true rediscovery rate is something that only the intelligence services themselves would be able to answer, at least for their own zero day arsenals. In a best-case scenario, the competitive advantage has an expiration date. In a worst-case scenario, several nation state actors have knowledge of vulnerabilities to which almost the entire rest of the world is susceptible. So the competitive advantage is purely offensive. Theirs are vulnerable, but so are ours.
Full Disclosure is compromised
Zero days have always been the big elephant in the room. Many organizations are already challenged to fully mitigate and remediate known vulnerabilities due to their sheer volume and the overheads and limitations involved in patching. Adding zero days into the equation exceeds the cybersecurity maturity of many more.
What these findings indicate, though, is that we can’t rely on our own governments to practice responsible full disclosure. Full disclosure is compromised. We can’t really blame them. Either everyone discloses, or no one does. The game theory here is clear. But this competitive advantage comes at a steep price. Their own citizens and businesses are left exposed, reducing herd immunity for when the next agency is hacked and its vulnerabilities are unceremoniously dumped on an unsuspecting internet.
We will have to ramp up our own efforts. As an added incentive, whenever someone discovers and publicizes a new vulnerability, they can bask in the knowledge that they have just frustrated and annoyed an intelligence agency somewhere.
Related: Responsible Disclosure – Critical for Security, Critical for Intelligence