Saturday, March 11, 2017

Some confusing language in the 0day debate

As revealed in last week's CIA #Vault7 leaks, the CIA has some 0days. This has ignited the debate about whether organizations like the CIA should be disclosing these 0days so that vendors can fix them, rather than "stockpiling" them. There seems to be some confusion about language.


Stockpile

The word "stockpile" has multiple connotations, as shown below:


This distorts the debate. Using the word "stockpile" strongly implies "reserve for use" at some time in the future. This prejudices the debate. If the 0day is sitting on a shelf somewhere not being used, then it apparently has little value for offense, and thus should be disclosed/patched for defense.

The truth is that the government does not buy 0days to sit on the shelf. With few exceptions, it buys 0days because it plans to use them in an offensive operation. This was described in that recent RAND report:

It's the sellers who might keep 0days on the shelf, because the buyers have no immediate need. It's not the government buyers who are stockpiling.

Words like "stockpiling", "amassing", or "hoarding" also bring the connotation that the number is too big. Words like "hoarding" bring the connotation that the government is doing something to keep the 0days away from others, preventing them from finding them, too.

Neutral terms would be more accurate, such as "acquiring" 0days, or having a "collection" of 0days.


Find 0days

People keep describing the government as "finding" 0days. The word has two different meanings:



We are talking about two different policies here, one where the government finds 0day by chance, and one where they obtain 0days by effort.

Numerous articles quote Michael Daniel, former cyberczar under Obama, as claiming their default policy was to disclose 0days they find. What he meant was those found by chance. That doesn't apply to vulnerabilities researched/bought by the CIA/NSA. Obviously, if you've got a target (as described above), and you buy an 0day to attack that target, you are going to use it. You aren't going to immediately disclose it, thereby making it useless for the purpose for which you bought it.

Michael Daniel's statement is typical government speak: while their official policy was to disclose, their practice was to not disclose.

Using the word "find" prejudices the conversation, like "stockpiling", making it look like the government has no particular interest in an 0day, and is just hoarding it out of spite. What the government actually does is "buy" 0days from outsiders, or "research" 0days themselves. Either way, they put a lot of effort into it.


0day

In this context, there are actually two very different types of 0day: those the government uses for offense, and all the rest.

We think of the NSA/CIA as superspies, but really the opposite is true. Their internal processes kill creativity, and what they really want are weaponized/operationalized exploits they can give to ill-trained cyber-warriors. As that RAND paper also indicates, they have other strange needs, such as how it's really important they don't get caught. They'd rather forgo hacking a target they know they can hack than use a noisy 0day.

Also, as mentioned above, they have a specific target in mind when they buy a bug. While the NSA/CIA has 0days for mainstream products like iPhone and Android, the bulk is for products you've never heard of. For example, if they learn that ISIS is using a specific model of router from Huawei, they'll go out and buy one, pull the firmware, reverse engineer it, and find an 0day. I pick "Huawei" routers here, because they are rare in the United States, but common in the areas the NSA wants to hack.

The point is this: the "0day" discussion misses what's really going on with the government's weaponized/offensive 0days. They are apples-to-oranges 0days.


Conclusion

Recently, there has been a lot of discussion about the government finding and stockpiling 0days. The debate is off-kilter because the words don't mean what people think they mean.
