The United States government may be stockpiling far fewer digital arms than anyone expected, according to new research.
The study centers around “zero day” exploits, which are soft spots in product security that companies are not aware of or have not patched. Depending on the severity of a vulnerability, zero days sell on the slightly-more-legal-than-black market known as the gray market for tens of thousands to more than a million dollars apiece.
Governments are the primary buyers of zero days and spend vast resources researching them. Since the U.S. is not short on capital and invests heavily in its offensive cyber warfare capabilities, even people in the zero day business assumed it held a few hundred of these vulnerabilities.
“Today, the best, surest 0-days acquirer is the [National Security Agency], in truth a really insatiable one,” David Vincenzetti, founder and CEO of the military spyware contractor Hacking Team, wrote in one of his company’s emails leaked last year.
“Today, the largest 0-days producers are U.S. companies, possibly large U.S. defense contractors, selling their stuff directly and possibly exclusively to the NSA.”
But new research shows that might not be the case.
Jason Healey, a senior researcher at Columbia University, says the number of vulnerabilities held by the government is closer to 50.
“I don’t think this is just a surprise to the DEFCON community, however, it was a surprise to me, and other policymakers as well,” said Healey.
Healey, a former director of cyber infrastructure protection for the George W. Bush administration, believes that the rapid pace of obsolescence of zero days, paired with an aggressive policy of notifying manufacturers of vulnerabilities rather than keeping them and using them, means the government keeps far fewer on hand than imagined.
Healey notes it would be extremely difficult to keep a large arsenal of zero days on hand, as computer vulnerabilities spoil on the vine if they are not used quickly.
The government is racing against vendors and researchers who constantly discover and patch new vulnerabilities, against other nation states that also use zero days (once one is used in the wild, it stays secret for an average of only 300 more days), and against users who constantly upgrade their equipment.
The longer the NSA sits on a bug, the less likely it is the agency can ever use it. At the same time, the longer the NSA sits on a bug, the more likely it is that someone will use it against the U.S., its companies or its interests.
Healey estimates that over a year, half the stockpile will become obsolete. Even without using any zero days, maintaining a stockpile of 100 means discovering or purchasing 50 new ones in that year.
This year, the Electronic Frontier Foundation successfully sued the government to release its policies for keeping a vulnerability. From that, and from news reports, Healey has pieced together that since 2014 — around the time the NSA had to deny reports it had been using the infamous Heartbleed bug — the Obama administration has been strictly enforcing a policy that forces agencies wishing to keep a zero day to justify the decision to a review board.
To keep a vulnerability, according to a 2014 list of criteria, the board weighs its intelligence value against the security risk of not reporting the problem. Otherwise, the default is for an agency to notify vendors of any vulnerabilities it discovers.
Confirming public information with private interviews, Healey said the United States does not end up reviewing many of the zero days it finds. Of those it reviews, it keeps extremely few.
By an NSA estimate, it reports more than 90 percent of the bugs it has ever found. That estimate is likely weighted heavily to one side.
In autumn 2014, two sources told Healey that no requests had been accepted so far that year.
Combining the low number of zero days the U.S. keeps with the supply lost to use or obsolescence and the likely numbers the U.S. had on hand before 2014, Healey calculated that there are likely no more than 50 or 60 vulnerabilities in the arsenal at any given time.
It is a good system, he said, but one with a few quirks.
For example, when the FBI purchased a vulnerability to unlock a cellphone belonging to one of the San Bernardino, Calif., shooters, Healey thought the governing criteria should have required the bureau to report it.
The FBI did not do so.
Healey said loopholes that let an agency avoid the reporting requirement still need to be ironed out, even though none appears to be widely used.
“It’s not really clear whether or not you can use the vulnerability while it goes through the process,” he said.
And nothing specifically prevents someone from hiring third parties to break into devices without disclosing their methods to the U.S. government, or from operating under non-disclosure agreements.
The Vulnerabilities Equities Process ends with the Obama administration — it’s a directive, not a law.
Healey hopes it will be taken up as legislation. But he cautions that it only works if agencies are funded well enough to replace the vulnerabilities they give up, so that abiding by the rules is affordable.
“I get the sense that we are not funding properly,” he said. “The executive branch is still getting its act fully together. Maybe some funding can help them out.”