Wired reported on the process that the U.S. Federal Government, and more specifically the Intelligence Community, uses to decide when to keep a bug secret so it can be used against systems they want to attack, and when to reveal it to the vendor so it can be fixed.
The bugs, known as zero days or 0-days, are vulnerabilities that the vendor does not yet know about. According to the article, the government spends about $25 million a year to buy zero days, but there is not a lot of transparency in the process, so we don't know whether they are buying them from individual hackers, from brokerage services, or from a combination of the two. $25 million sounds like a lot to you and me, but to big companies it is just a cost of doing business.
As early as 2008, the intelligence community figured out that it needed a policy for how to handle these bugs. Since the NSA wears two hats, attacking systems and protecting systems, it has to decide whether to reveal a bug or keep it secret. It created a group inside the NSA's Information Assurance Division to make these decisions.
Last year, the government's intelligence reform committee reported that this process was flawed and needed to be rethought. This goes back to reports from last year that the government had known about the Heartbleed SSL bug for several years and used it rather than revealing it. The government denied that, but doubts remain.
At that time, Michael Daniel, the President's cybersecurity advisor, said that the government had a rigorous process for deciding which bugs to keep secret and which to reveal, but he offered no details on that process or on how many bugs were revealed versus kept secret.
Last year, Daniel told Wired that the Equities Process had not been implemented to the degree it should have been, and that responsibility for it had been moved out of the NSA and into the National Security Council.
The Wired article is an interesting insight into the challenge the Intelligence Community faces: choosing between protecting us and hacking into the bad guys.