Business Should Move to an Incident Response Security Posture and Accept that Governments Will Maintain Stockpiles of Zero-days
With surprising concurrency, the RAND Corporation has published a lengthy study into zero-day exploits stockpiled by government just two days after WikiLeaks released its batch of documents on CIA hacking tools. While many have been surprised and even appalled that the government should maintain a stockpile of zero-day vulnerabilities and exploits, RAND seems to accept it as a matter of fact that all governments do so.
For the purpose of its research, “RAND obtained rare access to a dataset of information about zero-day software vulnerabilities and exploits.” This dataset spans 14 years from 2002 to 2016, and contains information on more than 200 exploits and their vulnerabilities. More than half of these were still zero-days on March 1, 2017.
RAND describes itself as “a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous.” In this study, it analyzes the life-span of a zero-day exploit with the intention of helping government policy on whether to stockpile or disclose.
“There is an ongoing policy debate,” says the report (PDF), “of whether the U.S. government — or any government — should retain so-called zero-day software vulnerabilities or disclose them so they can be patched.” The implication is that RAND’s statistical analysis of the lifespan of the zero-day exploit will help government to decide whether to keep or disclose, because “many worry that keeping these vulnerabilities secret can expose people who use the vulnerable software to malware attacks and other attempts to collect their private information.”
This is not a major concern of the study. The research is not about when government should disclose to keep the user safe, but when government should disclose because adversary governments also know about the vulnerability.
“If both sides have the same stockpiles, then some argue that there is little point to keeping them private — whereas a smaller overlap might justify retention. But without information on the overlap, or concrete metrics based on actual data, it is challenging to make a well-informed decision about stockpiling,” the report reads.
These challenges are also problematic for RAND’s research. A zero-day exploit is zero-day until it is patched by the vendor. But there is no limit to the number of actors who could be in possession of the exploit — it remains zero-day until it is patched. This means that a government, many adversary governments, and any number of criminal actors may be in possession of the same vulnerability knowledge and it still remain zero-day.
RAND acknowledges that refusal to disclose a vulnerability could be problematic for the user if it is also known to bad actors. It claims that its research “shows that that the collision rates for zero-day vulnerabilities are nonzero.” By this it simply means that not all zero-days in its sample were known only to its supplier. Most people will assume that the supplier is the US government; but it makes no difference to the argument.
“Some may argue that, if there is any probability that someone else (especially an adversary) will find the same zero-day vulnerability, then the potentially severe consequences of keeping the zero-day private and leaving a population vulnerable warrant immediate vulnerability disclosure and patch. In this line of thought, the best decision may be to stockpile only if one is confident that no one else will find the zero-day; disclose otherwise.”
The difficulty here is the impossibility of knowing absolutely whether an adversary or criminal bad actor has that vulnerability until or unless it is used and discovered; by which time disclosure will be too late to benefit the victim. The implication is that governments knowingly accept that in stockpiling vulnerabilities there may be collateral damage among the user population that could have been prevented had the vulnerabilities been disclosed rather than kept.
“RAND talks about stockpiling ‘either for defensive purposes (e.g., penetration testing) or offensive operations’,” comments ESET senior research fellow David Harley. “Noticeably absent from that sentence is any suggestion of disclosure for the benefit of potential victims… Leaving aside the issue of internal testing, which in times of economic stringency is probably honored more in the breach than the observance, I’d guess that the main potential conflict is between direct danger to the IT-using population as a whole, and disclosure as a perceived threat to national security (for instance, by endangering the effectiveness of a planned or ongoing offensive operation). Complicated, perhaps, by factors such as the urgency of the issue, the number and grouping of people potentially affected, and so on.”
This question of national security versus public benefit was also noticed by Eric O’Neill, national security strategist at Carbon Black; but he suggests the onus is on government to be able to make a reasonable judgment. “The key thing to consider here is that software vulnerabilities are weapons and should be treated as such,” he explained. “When issues of national security are concerned, governments should be protecting these weapons and preventing them from getting in the wrong hands at all costs. When national security is not involved, the government should conduct a transparent dialogue with concerned parties to ensure that these weapons are known about, patches are created and then widely deployed.”
The point, he added, is that government cannot excuse itself from all liability to business. “If there is a high probability that zero-days will get into the wrong hands, and these zero-days do not directly conflict with national securit
y interests, the government should act responsibly and disclose appropriately on an agreeable timeline,” he added.
“This disclosure should include detailed notification about the vulnerability, recommendations for patching and a proposed timeline for patch deployment. This level of transparency keeps the interests of all parties in mind. Simply mass stock-pilling all vulnerabilities or disclosing all vulnerabilities on a macro level leaves too many potential gaps. Vulnerabilities need to be handled like weapons and how communication about these weapons occurs is critical to security.”
RAND’s conclusions on the implications of its study ‘for defense and offense’ are no more reassuring for business. It makes no comment on whether government should automatically disclose the vulnerabilities it finds, but instead says business should improve its general defensive posture. “Defenders likely need better options to both find zero-day vulnerabilities and detect when a system or software package is being exploited. In addition, rather than focusing only on finding zero-day vulnerabilities, defenders may be able to shift the balance in their favor by starting from the assumption of compromise, investigating ways to improve system architecture design to contain the impact of compromise, and adopting different techniques to identify vulnerabilities.”
In other words, RAND’s advice is standard contemporary advice: business should move to an incident response security posture; and simply accept that government will have and maintain its own stockpile of zero-days.
It may also be worth noting that the WikiLeaks disclosures probably come nowhere near the CIA’s actual stockpile. If we assume that RAND got its dataset from the US government, then RAND says that as of March 1, 2017, the majority of the vulnerabilities were unknown. Industry response to the WikiLeaks disclosures, however, suggests that the majority of the vulnerabilities are old and already patched. The two datasets appear at this stage to be completely different.
Related: Responsible Disclosure – Critical for Security, Critical for Intelligence