FBI Releases Details of 'Zero-Day' Exploit Decisionmaking Process

Nathan Freed Wessler,
Deputy Director, ACLU Speech, Privacy, and Technology Project
Dyan Cortez,
Legal Assistant,
ACLU Human Rights Program and Speech, Privacy, and Technology Project
June 26, 2015

In response to an ACLU Freedom of Information Act request, the FBI has released a set of internal slides that shed new light on the federal government’s process for evaluating how to handle so-called “zero-day” vulnerabilities in software and internet platforms. This new document helps inform the raging national debate about how to secure the nation’s infrastructure against malicious hacking and foreign espionage.

Zero-day exploits are computer code that takes advantage of security flaws in software that are unknown to the software’s programmers and users. While security vulnerabilities can be exploited by criminals and perpetrators of cyber-attacks, they can also be exploited by governments for military, intelligence, and law-enforcement purposes. Zero-day exploits can, for example, be used to gain unauthorized access to a computer system in order to deliver spyware or download sensitive user data. The most effective way to protect systems from security exploits is for software developers to release a patch fixing the underlying flaw, but this is only possible if they are notified of the security hole. Without a patch, users remain vulnerable, and potential targets can do very little to protect themselves. This is what makes zero-day exploits so alarming.

Back in April 2014, we filed a FOIA request to obtain documents related to the policies followed by government agencies when they discover or acquire zero-day vulnerabilities and software exploits. In particular, we sought to learn how the government balances its own intelligence needs with the importance of making sure that the software used by Americans is as secure as possible. After more than a year, the FBI finally responded to our request by releasing a heavily redacted document that outlines key details of the government’s internal process for dealing with zero-days. While scant on details, the document is significantly more illuminating than the responses we and other groups have received from elsewhere in the government.

As we know from reports about the formal US policy regarding zero-day exploits, the government reserves the right to keep a vulnerability secret—leaving all users of the affected software open to attack—and use it offensively instead. The new document sheds light on the process through which the government makes that decision. According to the document, after a federal agency learns of a zero-day vulnerability, representatives of “all concerned” US government agencies are informed and then “participate in discussions” to decide how to balance the US government missions of “cybersecurity, information assurance, intelligence, counterintelligence, law enforcement, military operations and critical infrastructure protection.” The FBI recognizes that “in most circumstances” there will be a conflict between serving the interests of “intelligence collection, investigative matters and information assurance.” But it fails to explain who will decide which interests to privilege and what safeguards are in place to prevent the country’s many intelligence and law enforcement agencies from overriding other voices.

We remain concerned that the offensive intelligence needs of agencies will be prioritized above cybersecurity. Fixing flaws, rather than stockpiling them, is the best way to make the Internet more secure. At a time when our leaders in Washington seem to be more focused on the threat of cyber-attacks than ever before, it is vital that the intelligence community not undermine efforts to improve the security of the computer systems upon which so much of our economy depends. Vulnerabilities should be reported and fixed as soon as they are discovered, and the government has the capacity and obligation to assist software developers in doing this. The government’s practice of soliciting, purchasing, hoarding, and using zero-day exploits raises serious concerns.

We hope that the process described in the FBI’s document will lead to the right outcomes, but we fear it will often not. Key questions remain unanswered, and the government should provide additional explanation so the public can participate meaningfully in this important debate.