The U.S. Government and Zero-Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers
“In August 2016, a group calling itself Shadow Brokers released a cache of top secret cyber spying capabilities almost certainly belonging to the U.S. National Security Agency (NSA). Out of the fifteen exploits in the cache, several appear to be previously unknown vulnerabilities (a so-called zero day or 0day vulnerability). Worryingly, these vulnerabilities were in security products produced by Cisco, Juniper, and Fortinet, each widely used to protect U.S. companies and critical infrastructure, as well as other systems worldwide. As of this writing, the Shadow Brokers are still revealing new vulnerabilities and there may be more zero days discovered.
The existence of these capabilities raises many questions critical to the future of cyberspace:
- Should the NSA have told vendors like Cisco about these vulnerabilities?
- What is the process for determining whether to retain or disclose them to vendors?
- Do these revelations mean this process is broken?
- How many does the U.S. government retain every year?
- How big is the U.S. arsenal of such capabilities?
- What should be done next?
This report, based on research over the past six months from Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs (SIPA) and a class of graduate students, provides the best current answers for these questions.”