Sitting on a Ticking Bomb: Introducing Congressional Oversight for Zero-Day Vulnerabilities

Each new military paradigm and technological development promises new legal and policy questions. Every innovation in weaponry brings new range, cost, and training while impacting civilian life, posing new questions to the leaders of the day. The Constitution attempts to timelessly outline the parameters around which the government make war, yet the framers could never have imagined computers as a concept let alone the possibility of cyber-warfare. Congress must take an active role in oversight to determine which vulnerabilities the government stockpiles and which it discloses to software publishers. The digital world pervades simply too much of modern life to leave its security to executive branch processes alone and which it discloses to software publishers.

At best, the average member of the public has heard the term zero-day before in reference to some catastrophic hack on the news. Zero-day vulnerabilities are errors in computer code that the company that created the code has not discovered. These errors provide an opening for hackers to take over sensitive systems. Once someone informs the software company of these vulnerabilities, the company can quickly go to work fixing the issue to secure all users.

The CIA and NSA currently stockpile these vulnerabilities to use offensively against adversaries. The U.S., alongside Israel, previously employed offensive cyber-attacks using zero-days in the Stuxnet attack on the Iranian Natanz nuclear facility. Conversely, if malignant actors discover one of those stockpiled zero-days, they can use them against American citizens or businesses. In one devastating incident, an NSA leak of vulnerabilities included exploits that hackers used to create and distribute the NotPetya virus that caused more than $10 billion in damage to private companies as well as shut down critical infrastructure in Ukraine and other allied countries in 2017.

The key difference that separates software vulnerabilities from existing weapons control paradigms is non-exclusivity; when the U.S. discovers a vulnerability, policymakers cannot assume that an adversary or even private or criminal actors cannot exploit the same vulnerability. As such, each tool that intelligence agencies add to their cyber toolbox could potentially harm American companies and consumers. More so than other weapons platforms, cyber-weapons intertwine with civilian life. Attacks on infrastructure and businesses far outstrip the concept of proportional response.

Balancing these two competing equities: advancing offensive capabilities and protecting American assets, requires a careful process considering input from both policymakers and technical experts. Historically, while Congress holds the ability to declare war, the Constitution tasks the President with defending the American people and designates the President as Commander-in-Chief. The President has broad latitude in determining how to defend the United States. Under this mandate, the executive branch has the power to determine which vulnerabilities to develop for offensive use and which to disclose to software publishers so that they can fix them; however, Congress has both oversight authority and the power to create laws governing interstate commerce.

Today, the United States has a policy for disclosing zero-days to companies under the Vulnerabilities Equities Policy and Process (VEP). If an agency discovers a vulnerability, they collaborate with other relevant executive branch entities that define the impact of leaving it unpatched. They then present their findings to the head of the program, the Executive Secretariat, who makes a final determination.

Many find the current VEP lacking in several critical ways. The fact that the disclosure of the process itself required a FOIA request did not bode well for overall transparency, and advocates contend that the process does little to assuage those concerns. The program reports neither the number of zero-day vulnerabilities the government disclosed nor the number it stockpiled. While officials could legitimately make a case that disclosing the latter would reveal the extent of the current collection, reporting the number of disclosed vulnerabilities could engender greater goodwill both domestically as well as encouraging international cooperation. One Executive Secretariat claimed that the government worked with publishers on the “vast majority” of zero-days, but the lack of transparency limits the public’s ability to verify such claims.

Beyond the natural transparency concerns, privacy groups have voiced concerns over the government saving up these vulnerabilities either for their use against American citizens by either law enforcement and security agencies or other criminal elements. Stockpiled zero-days leave American citizens (not to mention any other computer user) vulnerable to surveillance. Any delay in disclosure serves to further extend the possible period for exploitation. The National Security Agency discovered a critical vulnerability in a widely used web library two years before researchers publicly announced the vulnerability. The incident, known colloquially as “Heartbleed,” infected an estimated two-thirds of websites and left enormous amounts of user data vulnerable. While the White House and ODNI both denied prior knowledge of the vulnerability, malicious actors may have caused untold damage.

Even the subjective nature of the VEP policy’s coverage leaves large loopholes in the current oversight process. The criteria the Executive Secretariat outlined rely on a series of judgment calls which leave wide latitude to simply hand wave national security as a reason for non-disclosure. Intelligence agencies could declare that all vulnerabilities too sophisticated for anyone else to exploit, pose minimal danger to citizens, or could be used against adversaries subverting the entire process and removing the Executive Secretariat from the equation.

Even those subject to the existing process hardly take it seriously. Former FBI Director James Comey threw cold water on the oversight ability of the entire VEP process when he described it as an “informal process” that the FBI would not shape an investigation to avoid.

Introducing additional oversight into this process beyond the Executive Branch would serve to smooth out the process and ensure that equities beyond single agencies must have their voices heard as part of the process. As such, lawmakers should propose a new process for research, development, and deployment of computer vulnerabilities that includes Congressional approval to weigh the domestic risk against offensive capabilities. On a quarterly basis the directors of each agency tasked with cyber capabilities must present the nature of the zero days they currently hold, potential offensive use, potential domestic risk, and the level of expertise required for an adversary to discover and exploit the vulnerability to the House and Senate Intelligence Committees. The committees then vote on disclosing each vulnerability to the relevant software publisher. If the two committee votes disagree, then the President has final say on disclosure. If the vote dictates disclosure, then the relevant agency shall disclose the relevant information to the publisher within 30 days. The technical difficulty inherent in these vulnerabilities will require additional staff work and preparation so a bill must include an appropriation for additional committee staff to manage this process. This solution provides a process that includes oversight for elected representatives as part of the calculus.

Cybersecurity plays too great a role in the daily life of every American to be left to an opaque executive branch process. Congress needs to have a role in zero-day management to safeguard the interests of citizens. Without such oversight, every device faces vulnerabilities that the U.S. government may know about, but has hitherto failed to warn the American people about.