The EFF obtained the document, titled “Vulnerability Equities Process Highlights,” after suing the Office of the Director of National Intelligence. “Vulnerability Equities Process” refers to the government’s assessment of zero-day software security holes, and whether they should be disclosed to the software vendor to be patched or kept secret so intelligence agencies can use them to hack into systems as they please.
According to the document, the equities process grew out of a task force the government formed in 2008 to develop a plan for improving its ability “to use the full spectrum of offensive capabilities to better defend U.S. information systems.”
The equities process was not established until 2010, however, two years after the task force recommended it.
That was after the US and Israel used a digital weapon called Stuxnet in 2009 to sabotage centrifuges enriching uranium for Iran’s nuclear program. One of the zero-days used in the attack exploited a fundamental vulnerability in the Windows operating system that, during the time it remained unpatched, left millions of machines around the world vulnerable to attack.
Last year, the White House insisted that, according to the equities process, any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors to be patched, unless there is “a clear national security or law enforcement” interest in using it.
Since the equities process was established in 2010, the government has continued to purchase and use zero-days supplied by contractors. According to documents leaked by National Security Agency whistleblower Edward Snowden, the government spent more than $25 million in 2013 alone to buy “software vulnerabilities” from private vendors.
Following the Snowden revelations, an intelligence reform board recommended changes to the equities process. In its December 2013 report, the board asserted that the government should not be exploiting zero-days, but should instead be disclosing all vulnerabilities to software makers and other relevant parties by default, except where there is a clear national security need to retain an exploit.
Peter Swire, a member of the review board, told WIRED last year that disclosures were not happening to the degree they should, because the government was finding too many exceptions whereby it deemed it necessary to keep a zero-day secret instead of disclosing it.
Andrew Crocker, a legal fellow at EFF, said that none of the documents his group has received so far from the government give them confidence that the equities process is currently being handled in any wiser manner.
“Based on the documents they’ve released and withheld there’s really not a lot of paper to back up [the government’s claims about] this being a rigorous process with lots of actual considerations in it,” he said. “There just isn’t support for that in what they’ve released. It continues to raise questions about how thorough this process is and how much is there when the rubber meets the road.”
Those documents also do not support the government’s assertions that it discloses the “vast majority” of zero-day vulnerabilities it discovers instead of keeping them secret and exploiting them.
“The level of transparency we have now is not enough,” Crocker said. “It doesn’t answer a lot of questions about how often the intelligence community is disclosing, whether they’re really following this process, and who is involved in making these decisions in the executive branch. More transparency is needed.”