The IP Police Armed with Internet Vulnerabilities

The White House Cybersecurity Coordinator, Michael Daniel, has a post purporting to lay out “established principles” on when the Administration would and would not disclose software and hardware vulnerabilities.

I’ve got a more thorough read below the rule, but I want to focus on one particular line. Daniel describes the downside of disclosing vulnerabilities as losing intelligence.

Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack [sic] stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

That is, Daniel lays out three threats — terrorism, “hackers or other adversaries,” and IP thieves — that, he says, require us to keep and use vulnerabilities in order to combat them.

The inclusion of terrorism is not a surprise. That’s the excuse NSA has been using since last June to justify its work.

Cybersecurity (“hackers or other [presumably far more threatening] adversaries”) is the threat that NSA was focused on until such time as it needed to chant terror terror terror to get people to buy into the dragnet. Not only is it not a surprise, but it’s probably the most urgent reason to use vulnerabilities (even if the threat in question is really far more serious than hackers).

But IP thieves?

To be fair, by this Daniel may be meaning Lockheed-Martin’s intellectual property, by which he really means that intellectual property that we fetishize as private property but is really national security. (I’ve got a question in with the White House on this point.) But stated as he does, it could as easily mean Monsanto and Pfizer and even Disney.

In fact, he may well mean that. As I noted, in its original statement, the Administration made quite clear they would use Zero Days for law enforcement as well as national security purposes. Moreover, as I have also noted, NSA rewrote the legally mandated minimization standards in its secret procedures to equate threats to property with threats to life and body, thereby permitting itself to keep data that reveals threats to property that are not otherwise evidence of crime indefinitely (with DIRNSA approval).

And all that’s assuming only NSA will exploit Zero Days. There’s no reason to assume that the FBI (and other law enforcement agencies, including DEA) aren’t using them.

I’m not sure that’s a bad thing either. Several great security experts recently endorsed using hacks for law enforcement, though insisted that overall security must not be compromised.

That’s the point though: how low is the bar for exploiting vulnerabilities? And if they are going to be used for law enforcement purposes — to chase IP thieves rather than threats to our nation — why isn’t it more public?


Here are some additional comments:

Note how Daniel refers to NSA’s denial in Heartbleed:

Earlier this month, the NSA sent out a Tweet making clear that it did not know about the recently discovered vulnerability in OpenSSL known as Heartbleed.

I find it notable that he was that specific given allegations of other NSA knowledge of SSL vulnerabilities.

Here’s how Daniel describes the interagency process that was rolled out in secret in response to the Presidential Review Group.

This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities – so that everyone can have confidence in the integrity of the process we use to make these decisions.

[snip]

We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed.

He makes no mention, though, that it came in response to the PRG (which in turn came in response to Edward Snowden’s disclosures, including disclosures about the Bullrun program aiming to create back doors). Nor does he give us an even more basic detail: which entities get included in that interagency process (the PRG was quite specific about the entities that should be involved).

Note the description of the Internet’s role in US power, including “projecting power.”

We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.

That’s a hint of an admission of the Internet’s role in our own hegemonic position, though not an explanation of all that entails. Again, that’s something that should be part of the public discussion.

Finally, here’s the list of the questions Daniel says unnamed stakeholders in this process will ask.

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

Folks on Twitter yesterday suggested that some of these questions — especially the one purporting to know whether anyone else will find a vulnerability — betray a real arrogance about our ability to know these things.

I guess that makes it easier to use this stuff for law enforcement, as well as larger national security, problems.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

15 replies
  1. Bitter Angry Drunk says:

    Remember the swat teams guarding the Merrill Lynch bull? You’re damn right the government is in the business of protecting Monsanto, Pfizer, Disney, et al…

  2. jerryy says:

    “How likely is it that someone else will discover the vulnerability?”
    .
    It is extremely likely that someone will discover the vulnerability. Almost certain that is. Companies pay out sums of money to folks that will be nice enough to let them know about the bugs that are out there. $10,000 is a usual fee. A fee that is often ignored by skilled crackers because they can often easily get more selling the cracks on the open market. Contests, such as the Black Hat convention, are held where contestants routinely blast through defenses, but these are held in public view — not by the ones selling behind closed doors.
    .
    GoToFail, gnuTLS and Heartbleed have been in the news recently most likely because a slide saying major for- and non-profit companies had been compromised caused those companies to do a scrambled security audit of their code base. There are rumors that these vulnerabilities had been known and used by the less than ethical for some time. These vulnerabilities are known to us via the news because they are open source based; problems in the closed source base are only sometimes known to us, depending on the niceness of the researcher openly reporting the problem — bad folks do not report the problem.
    .
    If the problems are not reported, we cannot take appropriate measures. When Target, Neiman Marcus, Sears, et al were recently hacked by a foreign group they (the merchants) took the brunt of the cost. How long will that continue?
    .
    The NSA is playing god with this, denying due process with our property and safety- has a judge ruled that your accounts, etc. are under their control without you being notified of the hearing stripping you of your right to protest the seizure?
    .
    Let them get a warrant, them check to see if a supposed bad person has electronic equipment with hackable entry points. Your front door has a lock for a reason, sure cops can easily bypass it, but they are not supposed to just kick it down.
    .

  3. chronicle says:

    quote “Your front door has a lock for a reason, sure cops can easily bypass it, but they are not supposed to just kick it down.”unquote

    Notwithstanding rolling on the floor in gut splitting laughter, since when have the cops stopped in their tracks at a front door? That’s absurd. 80 THOUSAND SWAT team assaults on citizens’ front doors last year alone testifies to your naivety. And that’s not counting all the local police door kick-ins that aren’t reported. In reality, if they want in..they don’t give a FLYING FUCK about the Constitution. In fact..they’d murder you in a heartbeat and concoct a story after the fact. It happens routinely now. Welcome to the Police State.

    • jerryy says:

      After you get done rolling around on the floor, brush the dust off and crack open a few history books. We have always been ‘at war’ with the authorities in this country. From the beginning.
      .
      And every right ‘we’ have is because ‘we’ have pushed back and fought to keep it. Whether it was miners dying in battles, unionists striking, hippies peace marching and protesting, farmers dumping milk, librarians waging court battles, whatever.
      .
      People have been cut down in cold blood by those in authority positions, again from the beginning, and then others stepped up and took their place.
      .
      Go hide in a hole if you wish and mutter over the futility of it all, but not all of us are going silently.
      .

      • chronicle says:

        quote:”Go hide in a hole if you wish and mutter over the futility of it all, but not all of us are going silently.”unquote

        Excuse me asshole, but who said anything about futility or hiding in a hole? You say “People have been cut down in cold blood by those in authority positions, again from the beginning, and then others stepped and took their place.”

        Name a year before 2006 where 80 THOUSAND SWAT team assaults on citizens homes took place. I was responding to ” sure cops can easily bypass it, but they are not supposed to just kick it down.” by laughing at “they’re not supposed to kick it down” Now go fuck yourself.

        • jerryy says:

          As I said, crack open a few history books. While you are leisurely perusing them, look up the Whiskey Rebellion or the Harlan County Wars for example. There are plenty of other examples.
          .
          And no, they are not supposed to kick the door down.

  4. Evangelista says:

    “To Enforce the Law” is a phrase empty of meaning: Whose law? Who enforces? What about law that is ignored? Selectively enforced? Or “enforced”? What about law enforcement ignoring law, violating law, re-writing law? The Constitution and its Bill of Rights are supposed to be law in the United States, you know. What about those, and the enforcers’ ignoring and violating of those?

    There are no answers to these, or any questions about law in the United States that are not quibbles.

    Next, about keeping hacks and exploits secret, whether “official” or “black-op” or other, and keeping them “under control”: As soon as an exploit operates something is affected. Those who watch will notice. Even if they do not know what, and even if it takes a few repetitions to confirm even only that something seems to be going on, the effect of the exploit will soon be noticed. Then it will be traced and ‘reverse-engineered’ to discover its operating pattern.

    While an exploit may be extremely difficult to cook-up in the first place, once it is recognized to be in existence the tracing and reverse-engineering take little time, and the people with the most interest to learn exploits’ operations are those who want to exploit the exploits, themselves. They copy and use.

    Pet dogs let run with wolves soon become wolves. The NSA can’t do some things it would like to, because of backlash from violating law. But it can trade with others who are not constrained by the same law. Thus, American industrial “secrets” are not protected by those responsible for “national security,” they are exploited by them, sold and traded, with the traffic being controlled by the same ethics that controlled when the CIA traded in cocaine to finance itself and position its agents, and that control(led) in the shifting of torture and shuffling of imprisonments, and what are classified “prisons” and “custody”.

    Which comes back to there being no law, except in propaganda, where the value of the law is in the word and use of the word.

  5. bloopie2 says:

    To me the scariest moment in the SCOTUS oral argument today, on the two cell phone warrant cases, was when the US attorney stated that encryption of information on cell phones posed a “grave danger” because it hid information from law enforcement. I can’t believe no Justice asked him, “A danger to whom?” (There’s no good answer, of course.) And the follow-up question should have been, “Do you believe that an innocent American should possess the ability to encrypt all of her digital information so as to successfully hide it from the police forever?”

  6. Stephen says:

    So let me see if I have this straight. In at least some cases the NSA et al will NOT disclose the existence of vulnerabilities discovered in operating systems and other software.

    OK, so what happens if that same software is in use by computers used by the White House, Pentagon, and security agencies? Are those computers to be left vulnerable as well, or does the US government have (secret) agreements with Apple, Microsoft, Sun, etc to provide the US government with patches to such vulnerabilities in their proprietary software but NOT to disclose those patches to anyone else?

  7. john francis lee says:

    Gee, what a charmer you are mr. chronicle.
    .
    This is what it’s all about, where ‘the rubber meets the road’ from the point of view of TNC clients … those whose payday does not come directly from ‘our’ government for spying on us themselves.
    .
    So the Googles, Yahoos, MSNs, AT&Ts, Verizons of this world will all be paid by ‘our’ government for turning us up for being ‘terrorists’, or lawbreakers of one sort or another … in reality, just for keeping our dossiers full so we’re able to be prosecuted whenever our turn comes … and they’ll be paid by the ‘owners’ of the ‘IP property’ we fail to rent from the ‘rentiers’ they notify of our ‘crimes’.
    .
    If we put up with this nonsense … well we’re all sorry for the sheep at their slaughter.
    .
    Thanks, above, for showing me the dot-on-line-alone technique. This used to be a beautiful site to comment on … now it’s ugggggly.

    • jerryy says:

      :^)
      .
      .
      It could be even worse. Consider the combination of the proposed TPP, the proposed Comcast – Time Warner Cable merger and the FCC internet proposals. While there is plenty to object about in each of them, taken together this could easily achieve:
      .
      No effective means to oppose propaganda. Media consolidation and delivery consolidation has that effect since you are hearing only the corporate byline.
      .
      You may have heard of the so called internet kill switch legislation which was to allow the leadership to turn off the Internet during times of emergency – whatever that means. The proposal was abandoned because it was then unworkable. The very nature and design of the internet would work around any blockages to restore service so to speak. But if the delivery is owned by one corporation, then it is possible to kill the internet.
      .

      • Stephen says:

        “You may have heard of the so called internet kill switch legislation which was to allow the leadership to turn off the Internet during times of emergency – whatever that means. The proposal was abandoned because it was then unworkable. The very nature and design of the internet would work around any blockages to restore service so to speak.”

        That statement is not entirely true. One way of making the Internet (or at least large parts of it) unworkable would be to shut down the root servers for the domain name system (DNS). The DNS is a database system which associates IP addresses with particular domain name addresses (like “www.emptywheel.net”). That database is a hierarchical tree structure with a series of root servers run by ICANN at the base which every DNS server on the Net ultimately points to. Shut down those root servers (or at least make them unreachable by the DNS system) and for all practical purposes you would shut down most non-local Net traffic, which by and large relies on DNS to function, and the DNS service relies on the ICANN servers to connect all the various DNS servers across the Net to one another.

        (One caveat: since DNS servers cache DNS addresses to speed up access, some addresses which had recently been accessed through a particular DNS server, especially commonly used ones like “www.google.com”, would still function for a time for the clients of that particular DNS service.)

        • jerryy says:

          Depending on the type of emergency some of the installed darknet could come online (*1). Google alone has plenty. The basic design of the ‘net does allow for the arin servers and icann servers to be knocked out, and have other backups take over the routing. These ideas actually get tested, both as real-life problems when natural and other disasters stress-test it, and when the overseers run destruction tests. A short while back a fire in the northeast, I seem to remember it was around Philadelphia, took out a trunk line feed and made sites unreachable in both directions, but by the end of the day the routers had service restored.
          .
          What makes it work is the variety of ‘telecom’ companies working together. If one gets pissy, others pick up the burden. This is a problem if there are not a lot of companies providing the tubes for the data to travel through. Limit this number and kill switch is a moot point. Now take out the electrical grid and yeah the ‘net would go as well, but that is a bigger can of worms.
          .
          (*1) if you would like to know more about it, http://www.team-cymru.org/Services/darknets.html

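The exchange above between Stephen and jerryy turns on how a caching resolver behaves when the root of the DNS tree becomes unreachable. The following toy model is an added illustration for this page; it is not code from the original post or from any commenter. The zone data, server names and addresses are constructed for the example (addresses come from documentation ranges), and the resolver caches only final answers, not delegations. It shows the caveat Stephen raises: a name already in the cache keeps resolving until its TTL expires, while an uncached name fails as soon as the roots are gone.

```python
"""Toy model of hierarchical DNS resolution through a caching resolver.

Added example for this page (not from the post or its commenters).
Zone data below is constructed; it mirrors root -> TLD -> authoritative.
"""
from dataclasses import dataclass, field

# Constructed delegation tree. The root only knows which server serves each TLD;
# the TLD server only knows which server is authoritative for each zone.
ROOT_ZONE = {"net.": "tld-net"}
TLD_ZONES = {"tld-net": {"emptywheel.net.": "auth-emptywheel",
                         "example.net.": "auth-example"}}
# Authoritative records: name -> (address, TTL in seconds)
AUTH_ZONES = {
    "auth-emptywheel": {"www.emptywheel.net.": ("192.0.2.10", 300)},
    "auth-example": {"www.example.net.": ("198.51.100.7", 60)},
}


class ResolutionError(Exception):
    """Raised when iteration cannot complete (SERVFAIL / NXDOMAIN)."""


@dataclass
class CachingResolver:
    now: float = 0.0                 # simulated clock, seconds
    roots_reachable: bool = True     # flip to False to model a root outage
    cache: dict = field(default_factory=dict)   # name -> (addr, expires_at)
    upstream_queries: int = 0        # how many times we had to iterate

    def advance(self, seconds: float) -> None:
        """Move the simulated clock forward so cached TTLs can expire."""
        self.now += seconds

    def resolve(self, name: str) -> str:
        """Answer from cache if fresh, otherwise iterate from the root."""
        name = name if name.endswith(".") else name + "."
        hit = self.cache.get(name)
        if hit and hit[1] > self.now:
            return hit[0]                        # served from cache, no upstream
        self.cache.pop(name, None)               # expired entry is discarded
        addr, ttl = self._iterate(name)
        self.cache[name] = (addr, self.now + ttl)
        return addr

    def _iterate(self, name: str):
        """Walk root -> TLD -> authoritative; every step needs the root first."""
        self.upstream_queries += 1
        if not self.roots_reachable:
            raise ResolutionError(f"SERVFAIL: root unreachable while resolving {name}")
        labels = name.split(".")                 # 'www.example.net.' -> [..., 'net', '']
        tld = labels[-2] + "."
        tld_server = ROOT_ZONE.get(tld)
        if tld_server is None:
            raise ResolutionError(f"NXDOMAIN: no such TLD {tld}")
        zone = ".".join(labels[-3:])             # 'example.net.'
        auth_server = TLD_ZONES[tld_server].get(zone)
        if auth_server is None:
            raise ResolutionError(f"NXDOMAIN: no delegation for {zone}")
        record = AUTH_ZONES[auth_server].get(name)
        if record is None:
            raise ResolutionError(f"NXDOMAIN: {name} not in zone {zone}")
        return record


def simulate_root_outage() -> dict:
    """Warm the cache, cut off the root, then watch what still resolves."""
    r = CachingResolver()
    r.resolve("www.emptywheel.net")              # cached with TTL 300
    r.roots_reachable = False
    out = {}
    out["cached_during_outage"] = r.resolve("www.emptywheel.net")
    try:
        r.resolve("www.example.net")             # never cached -> must iterate
        out["uncached_during_outage"] = "resolved"
    except ResolutionError:
        out["uncached_during_outage"] = "SERVFAIL"
    r.advance(301)                               # let the cached TTL expire
    try:
        r.resolve("www.emptywheel.net")
        out["cached_after_ttl_expiry"] = "resolved"
    except ResolutionError:
        out["cached_after_ttl_expiry"] = "SERVFAIL"
    return out


if __name__ == "__main__":
    for key, value in simulate_root_outage().items():
        print(f"{key}: {value}")
```

Real resolvers are more resilient than this toy suggests: they also cache the NS delegation for each TLD (typically for days), so a resolver that has recently talked to the .net servers can keep resolving new .net names for as long as that delegation stays cached, and some operators serve a local copy of the root zone outright. The model above deliberately omits delegation caching so the TTL-expiry effect in the comment is easy to see.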
  8. TarheelDem says:

    Interesting that the national securers, having destroyed the airline industry except for obligatory travel, now have their sights set on the communications industry. The easiest and most effective response is for ordinary people to leave the “conveniences” behind and return to personal face-to-face conversations locally and walking to get around.

    Between the assault on net neutrality and this intent to privilege corporations over people, the internet is now under hospice care.
