Now it's time to kick off our first talk. And this is a talk I'm very excited about. I actually kicked Jay's talk off a couple of years ago. You guys are in for a real treat. Jay Healey not only has quite an interesting resume, and I'm sure he's going to go through some of that, but he's going to talk a little bit about Feds and zero days and stuff like that. Because it's been kind of a wild year for things like law and policy and security. So this is going to be a good one. Let's give our first speaker a big round of applause. Great. Thanks very much. My name is Jay Healey. I teach at Columbia University. And I want to kick off with this for a second, because I don't teach computer science at Columbia University. I teach in the international affairs and public policy school. And that's kind of been my resume up to this point, that just got mentioned. I started coming to DEF CON 9. I've been part of this community. A few years ago Jeff Moss, Dark Tangent, put me on the review board so I can review the talks, to be even more part of the community. But I've also been part of the policy community for that time. So one foot in DEF CON with all you guys.
So the first thing is understanding the government's process for looking at zero days: how they decide what to disclose to the vendor and what they're going to retain for their own use. Second, the real meat of this is how many zero days does the government keep to itself per year? Is it hundreds? Is it thousands? Is it more than that? Is it less than that? So just by a show of hands, who imagined that the government keeps hundreds of vulnerabilities? Okay, alright, decent, maybe 40. Thousands? Wow, a lot more. Who thinks it's maybe more than thousands? Great. Anyone less than anything that's listed there? Okay. I'm gonna cut to the end of the talk. It looks like, from every piece of evidence that we can find, that it is much less than that. Now I know you're not gonna believe that. So I'm gonna go through every line of evidence that we've gone through to try and prove it and disprove it, and let you make up your own minds. Last, if every year they've got some, how big is that overall arsenal of retained vulnerabilities that they're keeping for themselves? So how many they keep every year is the flow; how many do they have in the arsenal? And then what we don't know: there are still some big open research questions, and then some recommendations for governments as well as recommendations for the rest of us. This is some of the work that was kicked off by a team of students from Columbia University, School of International and Public Affairs. So we had five different teams that were looking across all different aspects of this. So the student research teams, one of the students is here.
We had folks looking at everything from the zero day markets, and can we find what a government's activity is in zero day markets? What about the government's role in vulnerability disclosure programs? Diving right in and trying to figure out the VEP process. We had some folks that had some statistical background, to try and look at it from statistics. We tried to see, all right, what's the use of actual zero days in the wild, and what do we know about other government programs? So I'm not gonna reference this slide other than to say they put in a lot of work. We've put in a lot of work up to this point. I'm gonna keep saying this again and again: I don't know if we got the right answer. I don't know, but we've tried to run down every line of evidence that we can, and as you can see from this timeline of the government process, we've gotten together a lot of information on this. This should be coming out in a report, hopefully in the fall. So wherever I've tried to make a judgment, I've listed what's my level of confidence, based on my judging of that evidence as someone that understands both the technology side as well as the policy side. As I said, I've tried to go through every line of evidence that I can. We've hunted down as far as we can. I'll present all of that to you. There are reasons why we're really suspicious about government on this. They've given us a lot of reasons to be suspicious about this and to suspect the number is far higher. I'm probably not gonna convince all of you. I had a great talk last night at the speaker's lounge with Don. Don, I don't know if you're here. I couldn't convince Don. No matter the lines of evidence, Don wasn't gonna be convinced. And that's okay.
I'm not gonna convince a lot of you about the answers that we come up with. What I'd prefer you be convinced about is that we did the best job we could to try and come up with those correct answers. And if we did get it wrong, that someone else can come in and try and get a better answer. So last, when it comes to credibility, as I said, I started coming at DEF CON 9, I'm on the DEF CON review board. I've gone to the folks that you might consider credible on this. I've talked about this to Dark Tangent, to the EFF, to a lot of the journalists that have written on this, names that you would know. I've also done this to try to be credible in the policy audience. I came out of the military, doing mostly defensive cyber stuff. I had time at the Pentagon. I had time at the White House. I've talked to that crowd, and the journalists that have written the stories. And I've gone to all these groups, from EFF to former White House and current government officials, to say, where am I right? Where are we wrong? Where does our research team seem to be off? I've said, can we prove that we're wrong? Is there any way that we can prove that we're wrong? Is there any evidence that disproves this? And this is what we've come up with so far. So hopefully you'll at least be convinced with what we've done. Okay, way too much preface. So the government has two main roles when you're talking about vulns. And there's strong tension and often bureaucratic infighting between these two communities. You've got the agencies that love to use the zero days. They want to keep the zero days, generally. This is really simplified.
So you've got DoD, the intelligence community and law enforcement agencies that would like to keep these open, as we saw in Apple v. FBI, so that they can collect intelligence. They can do their job as they see it. There are others whose equities say, no, we want these to be pretty much all closed down. So, for example, the Department of Commerce has been running a vulnerability disclosure dialogue, Alan Friedman there. The agencies that represent a specific sector of critical infrastructure, like the Treasury Department or the Energy Department, have equities where they want these things disclosed back to vendors. And then DHS, which for the most part wants them defensive. There are law enforcement parts of DHS, but for the most part the critical infrastructure protection and cybersecurity folks overwhelmingly want these closed down. And this is important because you see this tension between these agencies. The government is certainly not of one mind on this. And that does come in when we're thinking about evidence later on. I also want to point out there are three different main kinds of vulnerabilities when you're thinking about this from the government perspective. First is the battlefield systems. Right? This talk isn't going to deal with a Russian surface-to-air missile vulnerability. That's not a commercial system; that wouldn't go into the program that we're talking about here. Second are closed and proprietary, but still commercial, systems. So this is things like Siemens, the industrial control systems, the more Internet of Things devices that are coming online. Last, the ones that we tend to think about when we're talking about vulns, is the open internet.
The Microsofts, the Ciscos, the Apple vulnerabilities. But keep in mind we do have these three sets, and we're not going to be talking about the closed battlefield one. So we're going to start the story. We know the government has been using and sharing vulnerabilities for at least 15 and probably more like 20 years, going back to the 90s. Some of you might have seen comments from Richard Bejtlich. He's now with FireEye Mandiant, and he had been in the Air Force in the 90s, and he gave this quote. He was on the defensive side, the Air Force CERT, and they discovered a Cisco vulnerability, and they said, great, let's tell Cisco. They didn't have any kind of process; they said that's the right thing to do. And the offensive part of the Air Force at that time, in San Antonio, said, what are you doing? Let us know about that first, you can't just tell the vendor. So we know at least at this point in the Air Force there was no set policy, and you had this default to the offense, right? They said, we'll decide, and it looked like they were keeping it for offensive purposes. Also, we know from this time that the military and the other agencies really hoarded it, right? If you were Air Force and you had a Cisco vulnerability, you didn't tell the Navy about that. You didn't tell NSA, you didn't tell the Army. Everyone kept that capability to themselves, because it was something that you could have. And once you share it with the Navy, they might use it, and then you can't use it yourself within the Air Force. So it really looked like it was quite a bit hoarded. To try and fix this, NSA started an Information Operations Technology Center, probably around 97, 98, it looks like, to try and share capabilities.
Now they were talking about this toolkit that probably was more about exploits than vulnerabilities, but of course I'm sure it would have included both. So there's nothing from the White House on this point up until about 2000, well, until July 2002, when they came out with a classified National Security Policy Directive, NSPD 16. Still classified, and it asserted the presidential authority to get involved in this process. So if you hear someone that says the government doesn't know what they're doing on offense, there's no policy to coordinate this, no, it's actually quite an old policy; it's almost 15 years old. And I've talked to some of the folks involved. They said they don't remember it really dealing with vulnerabilities; I don't think vulnerabilities featured very much in that. It seems like it was more about coordinating operations. Because again, prior to 2010, there doesn't seem to be any US government-wide policy or process to handle this. So even if there wasn't anything government-wide, there definitely was within NSA. They called it their equities process. It was based on their intelligence gain/loss assessments, if any of you know intelligence. You know, are US interests gonna be better served if we give this to the vendor, or if we keep this to ourselves? But the decision was entirely up to the director of NSA. He didn't have to ask anyone else in the US government, he didn't have to get advice, from what we know of it. It doesn't seem like anyone outside of NSA was part of this. There's no way to get anything in. They're more likely to keep it; this phrase kept coming up a lot in the research: NOBUS. More likely to keep it if no one but us is able to use this vulnerability, if it is so obscure. So my favorite example of NOBUS, since we're in Vegas, is, what was it, Ocean's 13?
When Brad Pitt, they hacked the jackpot machine. Right, and you have to drop the coins in a machine in a certain manner to make the thing jackpot. Right, that's a no one but us. No one but the Ocean's 11 gang would have known that you have to drop the tokens into this machine in a certain way. That's kind of what we mean by NOBUS. It's difficult to access, it's really obscure, it's going to be difficult to discover, really difficult to try and exploit. Now I assume, but I don't know, that the other agencies that like to keep vulnerabilities had their own internal process. I assume CIA and Justice did, but we haven't been able to discover that yet. So where things really kick off is in 2010. And we know this now because of the documents from the EFF. And by the way, you'll see I've got FN2 up there. I've got all the footnotes at the very end of the talk. I'm going to leave my references up there so that you can take a photo if you're interested in following up on the references. So now you finally had this document that came out in 2010, from the Office of the Director of National Intelligence, I believe, that laid out, here's the process. NSA can still run it, but you've now got a formal process in Washington, DC, they call it the interagency process, by which others need to be brought in if they're going to have an equity in this issue. So this is what that process looked like. This was what was in place from 2010 to 2014. So note at the top: the government or its contractors, and I think that's a nice loophole they were taking out there, to include contractors, find something that's newly discovered and not publicly known. So all of these are key phrases in there.
NSA is the Executive Secretariat. This is good for us because it's NSA IAD, which is the defensive side of NSA. It wasn't being run by TAO, which was the offensive team of the espionage part of NSA. So that it's being run by the defenders is actually a good sign that things were going in the right direction. It would go to an Equities Review Board, which would have the senior people on it, and they would be the ones that would make the final decision based on the recommendations from the subject matter experts. They would make the decision whether to disclose to the vendor or retain for their own purposes. Now there was an appeals process, but it was redacted. So it's tough to know exactly what the appeals process was going to be. So as much as I like this, this is a decent process, right? If you're going to implement this in your organization, it's not a bad way to do it. At least it's relatively well laid out. You can in fact flowchart it. And it does include people outside of the organization. So you can see the agency in question. So as a policy guy, this is okay. It turns out it looks like it wasn't really ever fully implemented. So this came out in 2010. Footnote three there is from one of my former colleagues that had been at the White House during this time. He said it became dormant. That NSA ran their own internal process. Didn't formally include the outside agencies as much as we would have wanted. And that's why it's so important to know. Footnote four is from the current head of the cyber directorate at the NSC, a guy named Michael Daniel. So he's the president's top cyber advisor. He looks at both defense and some offense. And he said this policy at this time wasn't fully implemented. So they reinvigorated it in 2014. I'll talk about that reinvigoration in a second here.
And it looks like this decision to reinvigorate might have been in part driven by Stuxnet. By the discovery that Stuxnet used so many Microsoft zero days, as well as Siemens vulnerabilities. So if you remember, I talked about that tension between the bureaucracies. If this is true, then I think this might have been one of those places where you were seeing this tension between the bureaucracies. The way I imagine it, and again I haven't found evidence on this, this is just in my mind: you can imagine seeing these defensive bureaucracies like DHS or Treasury or Energy or Commerce saying, holy crap, we just did what with Stuxnet? We didn't know about that. You were keeping all of these, and now my agencies are having to deal with this. We need to try and fix this. And so this tension within the bureaucracy is an important point that I think might have been an important point here. But I'm also going to bring it up later on, because what we don't see today is that tension. We don't see this disagreement, and that lack of evidence is very interesting to me. Okay. So after the Snowden revelations, President Obama puts together a senior review group, including people like Dick Clarke and others that understand our field somewhat well, to say, alright, what are the recommendations we can make to look at intelligence and other ways, based on the Snowden revelations. One of those recommendations, recommendation number 30, was we need a default disclosure policy and we need a better process. Obama accepts those recommendations, January 2014, saying one, disclose by default. So the president signed off on this piece of paper that said the U.S. government policy is that when we get a vulnerability, my intent is that that will be disclosed to the vendor.
And if you don't want to disclose that, you want to retain that, then it's up to you to prove why that's a good idea. Such public policy defaults are really important, because now you know the president's intent and it's up to the other agencies. Right, you can't say, well, we didn't know what the president wanted. Well, you can, but it becomes a lot tougher. Also, what the president did was say this stuff is too damn important to leave to any one agency. So we're going to bring it into the White House. This can't be decided just at NSA anymore. This now has to be run out of the NSC, the president's National Security Council. We learned a little bit more about this, and I will go through that process. The first time we really learned about this disclose-by-default policy was in testimony, I think it was the confirmation hearing for the Cyber Command commander in March 2014. We didn't know in the community about Obama's decision until he talked about it here. I also thought it was interesting, you can see the bits I highlighted subtly there: NSA has always employed that principle, he said. He did a decent job of talking a little bit about that process, and highlighting that it's not just software vulnerabilities but hardware vulnerabilities as well. And that if they do decide to retain it, they attempt to find other ways to mitigate the risks. So for example, if you're gonna try and retain it, maybe you try and use more SIGINT collection to see if anyone else is finding this bug. And if someone else finds the bug, then you'll decide to tell the vendor. And so this was really interesting for us. And it helps, as a policy guy, what people tell Congress usually matters.
Because usually, if a congressional staffer thinks the person's full of it, they'll go through and they'll leak, saying, look, they testified this but we know the truth is different. And we didn't find any of that, we didn't get any of that out of this kind of testimony. So I want to really repeat this, because as a policy guy this was incredibly important to me. The White House policy is to disclose to vendors. And you can scoff, and I'm okay with that. But for a policy guy, that's about as strong as it gets. The President himself made this decision. And then he didn't just make the decision, he said, I will have my personal people that are beholden to me at the National Security Council staff review this. And so again, it can get stronger, but this is really strong in Washington DC terms. But when this was coming out, there were some exceptions that struck us. And people like Kim Zetter and others talked about these, saying, well yeah, the default policy is to disclose, but if you carve out exceptions for national security and law enforcement, what the hell have you done, right? Those are exceptions that you can drive a truck through. So really, I was extremely skeptical at this stage. Because we know, I mean, all of us have seen what happens when you've got that kind of exception, what the intelligence community can do with it, right? They're gonna play it to the edge. But we did get three more breakthroughs that really made a significant difference in understanding those exceptions. One, Heartbleed. So a Bloomberg reporter wrote a story that said, NSA knew. He had some confidential sources that said NSA knew about Heartbleed. And that story came out.
A couple of days later, New York Times, David Sanger, reacted to that story, and he was able to get the White House, I'm sorry, get the NSA to publicly deny the Bloomberg story. This was unprecedented, to get an intelligence community agency to talk on the record about an intelligence collection capability. They would always sit back and say, we will not confirm or deny, because they don't want to get in this place. It was stunning that NSA came out and said, look, we had no idea about this. And I suspected they wouldn't have kept this one, for reasons we'll talk about in a second. They came out and said, we didn't know about this. You see the IC on the record, so the Office of the Director of National Intelligence came out and said, we did not know about this. The Bloomberg story is false. Or they didn't talk to the right folks. 17 days after that Bloomberg story breaks, we really get a fantastic set of information. This White House cyber guy, the President's cyber advisor, publishes a blog on WhiteHouse.gov that says, we didn't know. And moreover, he really gives us insight into what they do and how they operate within the White House. These decision criteria: How much is it used? How bad is the vulnerability if it's not patched? How much harm could they do to us? If someone was using this vuln against us, how likely is it that we would know ourselves? Do we really need this vulnerability for intelligence? I mean, is this something that we need to know if Russia's planning a secret nuclear strike on us? Or is this just kind of a routine bug that might not be that useful? Number six is really important to me: could we use it for a short period before we disclose it?
That's an important one we'll come back to. And, has anyone else found it? And can this get patched? Now, that strikes me as a pretty decent way of going about this. It's not a bad analytical way of saying, for example, what are the important questions that we need to answer, and what's the process by which we're going to try and get answers to these. So again, as a policy guy, I read this and I was floored that the White House was willing to talk to this much depth, and I was very pleased that I couldn't think of any additional questions to add in here. So it seemed to me to be a decent way of going about it. The second breakthrough. I don't know if EFF is here, but thank you. EFF did a fantastic job doing a FOIA request and follow-up lawsuits for some of these key documents on the Vulnerabilities Equities Process. And so, as footnote two, you can go look at these documents; again, maybe you come to different conclusions than we did. You can see from that one it's decently well redacted, but still we were able to get a lot of details on the process thanks to EFF. Breakthrough number three: NSA came out with some more information on 30 October, and they said 91% of the vulnerabilities that went through the internal NSA process, over the history of the NSA process, were disclosed to the vendor. And out of that 9% that's the remainder, that includes at least some that the vendor discovered before NSA had a chance to disclose. And that's historically, including all, at least back to 2010, not 2020. And now this is only NSA; this isn't all the US government vulnerabilities. This is just within the NSA process.
But again, we're starting to really see a lot of transparency that was coming out of the government on this. But I know a lot of you are saying, 91%? How can we know 91%? How can we know any of this is true? So in the next part we'll start getting into these assessments, and can we really know, as those of us outside of the government, if any of this is true? Can we prove what they're saying? Can we disprove what they're saying? So from 2014 to present, this is what it looks like. The parts highlighted are the parts that have changed since the previous version of the slide. So the top yellow one: now that Equities Review Board is run by the White House. Also, the way to appeal is much clearer. Because once it's in the White House, once it's in the NSC, everybody understands the rule for appealing. If you don't like what happened at this level, it can go up to the next big level, which would be a Deputies Committee. So that would be the deputy secretary of the Treasury, deputy secretary of Defense, deputy secretary of DHS. And this Deputies Committee is where the real decisions get made. And so if you don't like what happened at this level, you can go to the White House. If you think a decision went against you at the ERB, either way, you can say, you know what, I've got a beef with this, I'm going to take it to the deputies. That's the same way you appeal anything that's a national security or homeland security decision. So all of a sudden it became a lot clearer what that appeals process was going to be. So what we learned: it applies to all feds and contractors, all vulns whether discovered or bought. This does not apply to vulnerabilities that were known prior to the policy coming out. So that's an interesting loophole. The new process is owned by the White House. And then again, kind of a subtle inside-the-beltway point.
I was pleased that this was being run by the cyber directorate. Because they are predominantly a defensive shop. This wasn't being run, for example, by the intelligence part of the NSC or the defense part of the NSC. If it were either of those, then they would probably have a little bit more bias to want to retain these things for government use. Because it was cyber, we're gonna see much more of a balance. So what don't we know? I'm gonna cover all five of these. What didn't we know from the breakthroughs? So I'm gonna touch all five of these. FBI vs. Apple. By my reading of the policy, as a former White House guy, FBI should have had to submit the iPhone 5 vulnerability. Based on that Michael Daniel criteria that we talked about, those eight or nine elements, it certainly seems to fit. It's certainly widespread. We can certainly imagine others using these. FBI ended up claiming contractual IP restrictions. Officially, FBI only bought the use of the tool for, what, a million-ish dollars, the reporter said. Because they don't actually know what the vulnerability is, they therefore cannot submit it, because they don't know. To me, it seems to contravene pretty direct presidential guidance. So I'm gonna be very curious to see if the White House is gonna revamp the process to try and say that you can't do this kind of exception. You can't do this kind of end around. Just one side note: a few months ago, FBI did inform Apple of another vulnerability, and they used this entire VEP process to go about and do it. And by the way, I've got a bet with a buddy. He put it up on Lawfare. I said that Apple would know within a year about the vulnerability. My buddy said, no way Apple's gonna know about this vulnerability in a year, so I've got dinner riding on that.
Okay, the big question, the moment you've all been waiting for: how many do they actually retain? And this was the real thing that I think got my students excited about doing this, to try and answer this question. This is what you've waited for. Not hundreds or thousands. This is prior to the reinvigorated policy. I've got moderate confidence that in the period up to 2014 they were probably keeping dozens. Not hundreds, not thousands, not more than that. So here's the evidence; here's how we got that. But I've only got moderate confidence. To me, one of the most important things in this was the revelation that NSA had a budget of 25.1 million dollars for covert purchases of software vulnerabilities. I'll walk through this 25.1 and what that meant for me. So let's unpack that. What does 25.1 maybe buy you? So I made some assumptions. If I had a budget like that for buying vulnerabilities, I don't think I would buy a bucket of bugs, right? I'm not just going to go out there and find simple ones that I can kinda discover myself. I assume that there was probably gonna be some purchase of non-commercial bugs; I'll talk about that in a second. I would suspect that they would tend towards higher value vulnerabilities rather than less expensive ones. And that the 91% number NSA came out with was roughly accurate. And I'll talk about that right here. So can we believe 91%? Dickie George, who is the former technical director of the defensive side of NSA, the Information Assurance Directorate, gave an interview, and he said retaining was very rare during his time. And he'd been doing it for over 15 years. I showed these slides to the former director of NSA, General Hayden.
He came in and said, yes, this all seems consistent with my time there. Seems consistent with my experience that we took defense very seriously. But keep in mind, this only applies to NSA. To really understand this, if you try and prove or disprove this, I think you'd have to go out and try and talk to vendors and find out how many vulnerabilities NSA actually tells them. And that was well out of scope of what we could do here. If you really want to go after it, I think you've got to try and go to the vendors and get the actual numbers. So for right now, I'm going to take 91% as accurate-ish. It's tough for me to get anything real tight on it to prove it. I can't yet disprove it either.

So here's two examples of what you might do with 25.1. You might buy 250 important commercial vulnerabilities at 100K each. If you assume 91%, you end up with about 25 of those. If you assume that maybe CIA and Justice were getting similar numbers, you discover about similar numbers, you end up with 75. If we're off by a factor of 3 on this, then you end up in the low hundreds with 225 retained. So it puts us into hundreds, but I can't get to thousands of vulnerabilities doing this. I think then, based on this, dozens seems okay, maybe low hundreds. But to me this is a little bit too simplistic a version of what you might do with 25.1 million dollars to buy bugs. So example number two. Imagine we buy 12 critical commercial vulnerabilities for a million, 5 critical non-commercial for a million, right? If NSA could buy access to a Russian air defense missile system for a million dollars, good luck. I hope they're able to do that. Other major vulnerabilities for 250K. If we assume 91%, that leaves us with 5 retained. Assume other agencies, ones that they discover, we end up with 15. Again, even if we're off by a factor of 3, we're in this middle dozens kind of area on how many before the new policy.
So you can see why I'm only moderate confidence on this. There's not that much to go on. On one hand we've got people that say this is very rare, we defaulted towards the defense, 91%; on the other hand we've got some evidence like this, like 25.1 million. So that was prior to 2014.

We've got much stronger evidence today on how many they retain. Right now it looks like single digits. I couldn't believe this; everyone I talked to imagined that it was far higher than that. People that had been White House, people that had been in the Department of Defense, and Pentagon officials all assumed, like you did, it was hundreds if not thousands. And I actually have pretty high confidence in that assessment. Press reported earlier this year that the White House reviewed about a hundred and only kept two. One of my colleagues that was former White House during this time, in his blog on Apple FBI, referenced this. That matters to someone, right? That someone that knew the process pointed to someone else that referenced it in another news source, to me that's a good sign that we're on about the right track. That an insider was referencing this. Dickie George, this guy that was the NSA official responsible, said it was about three or four per year. I was at NSA in August 2014. I had the NSA TAO and the IAD tech director in the room and they said, up to this point this year we have retained none. Now that was about eight or nine months into the new policy, and I get told to my face it was none. So, that's interesting, but we wanted to say, can we prove or disprove that? So this is what journalists say, this is what others say, this is what executives in it said, but can we prove it or, even better, can we disprove it? So one, I'm not seeing that tension between bureaucracies here.
No one is coming out and saying, no, this is B.S., the intelligence community is going around the vulnerabilities equities process. We're not seeing that kind of evidence right now that it seems has happened in the past. Two, it looks like there's only about 50 total zero days last year. So, to me, a number for U.S. government that's in single digits or maybe low double digits, that seems reasonable to me. If NSA is keeping hundreds or thousands, it doesn't seem right that we would only be discovering 50 per year when we've got so many people looking. And that's from every source. You know, from what all these Russian groups are keeping, from what all the China groups are keeping, from what all the red teamers are using. So to me, if we only found about 50 in the wild, single digits sounds about right. Again, we tried to go into the National Vulnerability Database and see if we could see any statistical anomalies of the government starting to release more vulnerabilities into the system. The NVD was terrible. We couldn't figure out any; it's probably impossible. Again, we didn't see any; we tried to find conflicting evidence. We tried to say, prove us wrong. You know, we sent it to the EFF, we sent it to others. No one came back with anything that was significant other than modest changes to the slide. The last one we went in on was a little more worrying. We said, can we figure out the total number of U.S. government vulnerabilities? We said, can we figure out the number of vulnerabilities that the U.S. government has disclosed? Dickie George said they discovered about fifteen hundred a year. If you apply the ninety-one percent to that, that probably puts you in the dozens space.
But he might have been talking about the process before it was reinvigorated in 2014. So to me, that's probably supporting evidence for the dozens. He also said that they only retained three or four a year. And again, we've tried to go in and disprove.

How large is the arsenal? Moderate confidence that we're talking about dozens. We haven't done this fully, we didn't have the time to really do this, but you can do a Drake's equation, right? If you were going to say how big is the arsenal, these are the kinds of equations you'd want; these are the factors that you would have in that equation, right? How many do they keep? How long have they been keeping? How many do they burn per year? How many get discovered by vendors or by other bad guys? What's the shelf life of a bug? When I went through this, I got in somewhere around 50 or 60. Again, if we really tried to do this in depth, you might come up with a different answer. This quote on the bottom is from Michael Daniel, the president's cyber advisor. I was talking about this talk yesterday with Dark Tangent, and he gave me an idea that we hadn't even thought of before. We actually kind of know: there had been a revelation about what TAO's capabilities were, and so I added this last night. It looks like the NSA book of capabilities had 50 pages that each had one capability in it. So I thought that revelation was going to be something that disproved that it was in the dozens, and it ended up being right smack in the middle of where our guess was. Now again, that was a book about capabilities, not exploits, but to me it was really fascinating that it ended up in exactly the same place. I thought that was gonna have hundreds. Okay, other nations: there are about 30 other nations that have this. The UK is the only one that's even talked a little bit.
So love or hate U.S. government, we're the only ones that have been anywhere near this transparent.

Okay, other research questions. So as others get involved in this, how can we know our agencies are really submitting all their vulnerabilities? Can agencies use a vulnerability while it goes through the process? That criteria from Michael Daniel said, he's asked, can we use this for a little bit? That leads me to believe they may not be doing that, but we haven't found a great answer for that. Can we find any more direct measurement, and most importantly, what is the next president gonna do? Cause this is just done by this president, and the next president can come in with their own.

Okay, recommendations. Two former White House officials, Rob Knake and Ari Schwartz, did a fantastic set of recommendations. They did a report on this process that was very helpful. I'm gonna be very grateful for us. Right now, there's no role for Congress in this. Right now, this is just a policy. That can be stronger; it can be an executive order or presidential directive. Right now, once it goes through the process, it never gets reviewed again. And these guys said, you know what? Let's take a look at that. Let's look at what the watchdogs can do, like the inspector general or the Privacy and Civil Liberties Oversight Board. I would add to that, mandating no use of this vulnerability until it's gone through the process. That doesn't seem like it's specific. We need to add that. And I just think we need other countries, especially other democracies like Great Britain, to get involved and give their process as well. But also countries like the Netherlands, Australia. There are great democracies that aren't talking. Recommendations for the rest of us.
Normally in warfare, if one side disarms themselves, all they've done is disarm themselves. Right? If the US said we're not going to have nuclear weapons, everyone else has nuclear weapons, we haven't changed. This is the one area where you can disarm governments. Because once that information goes to a vendor, everybody is disarmed. So if you're out discovering vulnerabilities and you want to disarm governments around the world, make sure you're telling the vendor. Follow up if they're not listening to you. I think we need more attention on this question amongst the researchers, and more FOIA.

So we covered these four areas. I think it's a pretty decent process on disclosing or retaining, but there are definitely some improvements that we can come up with. The number that they keep every year seems to be much smaller than I would have ever guessed going into this. I was shocked. I assumed it was in the hundreds. And it looks like it used to be dozens and now in the single digits. The full arsenal seems to be in the dozens, but only moderate confidence in that. And then a few areas for us to talk about. Okay. Here's the references. I'll leave that up for a little bit. I don't think we're gonna have time for questions, but I'll stick around afterwards and I'll see you out here in the hallway afterwards. So, I know I might not have convinced you.