The Electronic Frontier Foundation (EFF) wants to know how the U.S. government decides which major cybersecurity flaws to disclose and which to keep secret.
On Tuesday, the EFF launched a Freedom of Information Act (FOIA) lawsuit against the National Security Agency and the Office of the Director of National Intelligence (ODNI) in an effort to obtain documents that show how American intelligence agencies choose to disclose devastating and previously unknown computer security flaws known as “zero days.”
“This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community’s toolset: security vulnerabilities,” EFF Legal Fellow Andrew Crocker said Tuesday in a statement. “These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country.”
Zero days are the most valuable and effective weapons in any cyberwar arsenal because no one knows they exist. Many governments will pay a premium for these vulnerabilities, which they can then use in cyberattacks of their own.
Zero day attacks can remain undetected for months or years after they are first launched. Stuxnet, a computer worm that sabotaged Iran’s nuclear program, worked for as many as five years before detection in 2010.
The EFF specifically cited the April 2014 Heartbleed bug, a vulnerability that existed for years, as a potentially crucial zero day attack. Bloomberg News reported that the NSA secretly exploited the bug for two years, a charge that the agency vehemently denied.
“In the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” Michael Daniel, the White House cybersecurity coordinator, wrote in response to the charges. “This has been and continues to be the case.”
There are exceptions—an opportunity to collect crucial intelligence to thwart a terrorist attack or to stop the theft of intellectual property, for instance—and the White House says it has “established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”
Daniel did not reveal any other specifics about how the U.S. decides which vulnerabilities to keep secret.
The U.S. government’s use of zero days affects domestic policing as well. The Department of Justice is currently pushing the U.S. Courts’ Committee on Rules of Practice and Procedure to allow law enforcement to use zero days to hack into computers using malware.
“The use of zero days by law enforcement poses significant risks,” Nathan Freed Wessler, Staff Attorney at the ACLU, wrote, “because by exploiting these vulnerabilities rather than notifying the companies responsible for the software, the government leaves the rest of the internet vulnerable to malicious attacks.”
Wessler argues that the use of zero days also undermines the Fourth Amendment of the U.S. Constitution, which protects against unreasonable search and seizure.
The EFF insists that the public ought to be able to take part in the debate over vulnerability disclosure, which remains obscured by government secrecy.