Obama Policy on Zero Days Craps Out

Author(s): 
Publication Type: 
Other Writing
Publication Date: 
April 29, 2014

Yesterday afternoon, the White House put out a statement describing its vulnerability disclosure policies: the contentious issue of whether and when government agencies should disclose their knowledge of computer vulnerabilities. The statement falls far short of a commitment to network security for all and fails to provide the reassurance the global public needs in the midst of the NSA’s security scandal. It basically says the White House plays a well-intentioned guessing game with our online safety.

The National Security Agency (NSA) is a single agency with a dual mission—protecting the security of U.S. communications while also eavesdropping on our enemies. In furtherance of its surveillance goals, we recently learned about some of NSA’s top secret efforts to hack the Internet. For example, the NSA runs a network of Internet routers that it surveils all traffic going through. It hijacks (or did until recently) Facebook sessions to install malware. It has its own botnets, or networks of compromised computers, that it controls, and it has taken over botnets created by other criminals. It uses these capabilities to steal information, to deny access to websites and other internet services, and to modify digital information, whether in transit or stored on servers.

Given these revelations, the public might reasonably believe the NSA’s deck is stacked against securing people from the very same online vulnerabilities the agency could exploit. For example, some skeptics–not I, however–disbelieve government disavowals of advance knowledge of Heartbleed, one of the worst security holes ever found. To assuage this concern, on April 12th, President Obama announced the government will reveal major flaws in software to assure that they will be fixed, rather than keep quiet so that the vulnerabilities can be used in espionage or cyberattacks, with one huge exception—if there’s “a clear national security or law enforcement need”.

Yesterday’s statement by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, tries to reassure the public that this Administration knows how to make that judgment call. There are “established principles” and an “established process” for making what are essentially guesses—bets—on network insecurities, based on a series of facially sensible, but practically almost unanswerable, questions. Officials have to assess the risk from vulnerabilities. They have to guess how hard it is for other people to find the same flaw. They have to gamble on whether officials will figure out when the bad guys gain the same attack capabilities. They have to hypothesize whether, when they do, the attackers will use their knowledge to devastating effect.

On the other side of the table are intelligence “customers” demanding increasingly powerful surveillance capabilities, accustomed to getting their way, and waiving around the threat of terrorism. It is irresponsible for national security to rest unnecessarily on these impossible “judgment calls”. The public, left out of this process entirely, is left to hope that the U.S. government will get lucky, and not abuse its attack capabilities.

This is a global network. Today, people everywhere rely on the same cryptographic algorithms, operating systems, and Internet routers that terrorists and nation-states use. Attacking our enemies’ infrastructure in the name of national security and law enforcement exposes Americans and innocent civilians to attack as well. Secure routers, software, and encryption are what keep our online banking secure. They protect trade secrets and other intellectual property. They are what make sure people don’t change what our emails say before they get to the recipient. They are what let us shop confidently online. They are what confirm that we actually are talking with the person we think we are talking to. They are what ensure the grandkid photos we share with Grandma don’t end up in the hands of perverts. They are what protect human rights activists from oppression at the hands of their governments. These are the values that the Administration’s policy is gambling with.

We often say that the U.S. is a nation of laws, and that the rule of law is a fundamental American value. But what laws allow NSA to hack the Internet? Is the secret-but-established interagency process with no “hard and fast” rules where Daniel and other officials make bets with our online security the right way to go about securing the nation? How are Congress or the courts providing any meaningful oversight? What remedies does the public have when the White House guesses wrong? How can citizens be informed about what their government does in their name? A complicated interagency process governed by secret, internally crafted policies and norms is deciding one of the most important security, economic, and civil liberties issues of our time—how secure and reliable are modern communications technologies going to be allowed to become?

Today, modern networking technology ties the people of the world together, digitally and politically. But tomorrow, the demands of nation states to keep the NSA out, and also to spy on their own citizens, and to censor their networks, threaten to destroy the free and open Internet. The harm to our economy is spreading, as U.S.’s computer products and services are no longer trusted worldwide, and as people start to mistrust the Internet itself. We ought to agree that official policy is to make all of us secure from everyone today. Something precious is on the line.