LAS VEGAS — The quantity of zero-day exploits stockpiled by the U.S. government is much less than what the public may think, according to Jason Healey, a Columbia University professor and former director for Cyber Infrastructure Protection at the White House.
The NSA holds approximately “several dozen” usable zero-days, he said — which represent active, unpatched software and hardware security vulnerabilities that can be tapped into for surveillance and data extraction purposes.
Healy spoke at the DEF CON 2016 security conference Friday, where he revealed the findings of a Columbia University international relations-focused research paper that will be published in full this fall.
Over the last 14 years, the policy, procedure and authority tied to both using and disclosing government found security vulnerabilities has largely matured and become more transparent, Healy told an audience of hackers, security experts and journalists.
Beginning in 2002, with a still-classified document entitled NSPD-16 — which grew the White House’s authority to supervise zero-day disclosure decisions — the U.S. government has progressively shifted command of such cyber tools into the executive branch and away from, for example, the discretion of the NSA, FBI and Department of Justice .
In the past, when an agency discovered a zero-day exploit, the organization would typically decide — without outside oversight — whether the security vulnerability should be disclosed or remain secret for its future operational value. This is, however, no longer the standard procedure, according to Healey.
It remains unclear just how many zero-days have been privately disclosed to enterprises by the government and consequently, if those exploits were used prior to notification, he said.
The “several dozen” figure, Healey explained, is supported by a few key pieces of evidence, including previous information voluntarily released by the NSA regarding percentage of disclosed zero-days, a 2014 blog post written by White House adviser Michael Daniel and comments made by former defense and intelligence officials to journalists.
Additionally, a now public 2013 NSA budget document — originally leaked by whistleblower Edward Snowden — which showed a surplus of $25.1 million for the purpose of “covert purchases of software vulnerabilities,” has helped contextualize the capability of the U.S.’ top spy organization to acquire such technology. When the NSA’s 2013 zero-day budget is compared against the current market value of available zero-day exploits, the 2013 budget also generally supports Healey’s estimate of “several dozen.”
Daniel’s 2014 blog post outlined for the first time, Healey said, an important policy directive introduced by the Obama administration concerning zero-day exploit discovery. The directive defined “disclosure as the default.” For the last two years, the White House’s stance as a result became: if an exploit is found by an intelligence, law enforcement or justice division, the researcher is expected to notify the actual technology vendor whose product is flawed, immediately, at least in most cases.
While considerable gaps exist in current regulatory policy that oversees the sale, use and disclosure of zero-days, Healey said the U.S. is on the right path forward.