At this year’s Defcon hacker conference in Las Vegas, Jason Healey, an Atlantic Council fellow and Columbia University researcher, revealed details, from what he could gather, about the United States government’s process for deciding whether to release or retain strategic computer bugs, useful for spying.
He began by asking the audience a question: How many of you think the number of software vulnerabilities in the National Security Agency’s stockpile is in the thousands? (Some hands raised.) How about the hundreds? (Most up.) How about dozens? (Crickets.)
The mustachioed academician proceeded to debunk what he deemed to be a misconception about the Vulnerabilities Equities Process, the covert procedure by which the government determines whether to disclose or to keep its secrets. Based on his research, which included interviews, public documents, and budget information, the NSA’s horde likely amounts to dozens—just dozens—of exploitable code flaws.
“I was shocked,” Healey told the roomful of disbelieving Defcon attendees, a proudly paranoid lot. “I assumed it was in the hundreds.” (He added that he had “moderate confidence” in the assessment.)
Unsurprisingly, given the process’ confidential nature, the public knows few details. And so civil liberties groups have agitated for openness and reform: individually submit every vulnerability to review, publish regular transparency reports, disclose all vulnerabilities after a short time. Who could object?
“This is a mindbogglingly terrible idea,” wrote Matt Tait and Dave Aitel, two founders of security consultancies, in a post on the blog Lawfare this week. The pair of intelligence agency alums listed reason after reason in a 3,300-word essay why the current system is “broken”—”it is, at some level, empty PR gamesmanship or simply poorly thought out guesswork,” they wrote—and how the reformers “now clamour to make things significantly worse.”
Their argument boils down to this: the Vulnerabilities Equities Process puts the U.S. at a disadvantage compared to its adversaries. Per the post:
Herein lies the basic problem: US cyber operations already face a greater level of scrutiny and limitations than our competitors. But single-minded reformists seek still more restrictions. At the same time, US cyber capabilities grow increasingly critical and central to the basic function of democratic interests worldwide. Without a robust investment in these capabilities, the US will lack the ability to solve the “Going Dark” issue and our intelligence efforts will start to run into quicksand around the world.
Governments must stockpile bugs, they argue. As the world’s communications adopt strong, end-to-end encryption, the only recourse that intelligence gatherers and law enforcement have to hack their targets. To do so, they need access to defects.
“This argument against the current VEP process is worth reading even if (like me) you disagree,” commented Kevin Bankston, director of the Open Tech Institute at the think tank New America, on Twitter.
Last week’s leak of an NSA-linked zero-day (previously unknown) vulnerability in Cisco firewall products has restoked the debate about the government’s disclosure policies. Healey, in an opinion piece for The Christian Science Monitor, knocked the spy agency (assuming it is responsible) for not disclosing the bug earlier: “The Shadow Brokers revelations”—named after the group that dumped the cache of spook hacking tools—”give the impression of an NSA that’s out of control,” he wrote, calling for an overhaul of the vulnerability review process.
When does stashing a vulnerability make the world safer, and when does it weaken the Internet for everyone? There are no easy answers; I welcome your input.
Have a great weekend, readers. More below.
Robert Hackett
robert.hackett@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Shadows broken. A mysterious hacker or hackers going by "Shadow Brokers" leaked attack code, allegedly from an NSA-linked group, that affects firewall and routing equipment made by the likes of Cisco, Fortinet, Juniper Networks, and others. Experts have speculated about the identity of the leakers, proposing everything from Russian spies to an NSA insider. (Fortune, Fortune, Washington Post)
Panic-driven cyber investment chills. Venture capital investors pumped an incredible amount of funding—$3.8 billion—into cybersecurity startups last year. That hype appears to be coming down; companies like Palo Alto Networks, FireEye, and Imperva, each lost about a quarter of their market value this year. (Wall Street Journal)
Twitter's terrorist whack-a-mole game. The microblogging service says it has clamped down on ISIS promoters running amok on its network. The company says it has closed 235,000 extremist-linked accounts since Feb., and has boosted shutterings by 80% since last year. (Fortune, Twitter)
Follow the yellow Silk Road. Ever wonder how those Feds who were stealing Bitcoin from the coffers of the online drug marketplace Silk Road got caught? Their undoing began after DEA Special Agent Carl Force tried to launder money through the Bitcoin exchange Bitstamp. (Ars Technica)
Meet Tony Fullman. The New Zealand citizen this week became the first-ever publicly identified target of the spy program PRISM, an Internet surveillance system used by the NSA and revealed by Edward Snowden in 2013. Intelligence agencies came to suspect that he was plotting to overthrow the government in Fiji. (Fortune, The Intercept)
Also, a tip of the hat to whomever Rickrolled the Shadow Brokers' Bitcoin auction. As Motherboard put it, very leet.
Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
What does a satellite launch have to do with cybersecurity? A lot, actually. Fortune's Robert Hackett details a momentous scientific event.
China blasted the world’s first quantum communications satellite into orbit from the Gobi Desert early Tuesday.
The project signals the dawn of a potentially game-changing communications technology: quantum key distribution—a dependable system for exchanging secrets (more on this in a bit)—as beamed from space. If the experiment is successful, it could lead to considerably more secure global communications. Read the rest on Fortune.com.
FORTUNE RECON
Yes, That Website You're Visiting Is Probably Tracking You by Sy Mukherjee
Those Hacked NSA Exploit Names Are Funny, But Don't Laugh Too Hard by Mathew Ingram
20 Upscale Hotels Were Infected With Card-Data-Stealing Malware by David Meyer
China Says Foreign Investors' Concern Over Its Cybersecurity Bill Is 'Unnecessary' by Reuters
ONE MORE THING
Subvert like a spy. The CIA's Simple Sabotage Field Manual, published in 1944, serves as a step-by-step guide to bringing down an adversary from the inside. One tip? "Purposeful stupidity" as an act of destruction. So devious. (Flashbak)
