Vulnerabilities / Threats
7/8/2014
02:22 PM
Sara Peters

Electronic Frontier Foundation Sues NSA, Director of National Intelligence

EFF says that the agencies have failed to provide documents requested under the Freedom of Information Act.

The Electronic Frontier Foundation (EFF) has filed a Freedom of Information Act (FOIA) lawsuit against the NSA and the Office of the Director of National Intelligence (ODNI) for failing to deliver on requests for documents about how intelligence agencies decide whether or not to disclose zero-day security flaws.

The request was filed after Bloomberg News, citing "two people familiar with the matter," reported on April 11 that the NSA had secretly exploited the Heartbleed bug itself for at least two years before the vulnerability became public.

On April 28, Michael Daniel, special assistant to the President and cybersecurity coordinator, stated in a blog post that the NSA had no prior knowledge of Heartbleed, and added that the government has developed an "interagency process for deciding when to share vulnerabilities," known as the Vulnerabilities Equities Process.

As Daniel described:

"This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?"

EFF wants to know more. The FOIA request filed May 6 asks for "all records, including electronic records, concerning or reflecting: the development or implementation of the 'Vulnerabilities Equity Process' and... the ‘principles’ that guide the agency 'decision-making process for vulnerability disclosure' in the process described in the White House blog post."

"It's hard to speculate on what they have or don't have," says EFF Legal Fellow Andrew Crocker, but the government's messaging implies that documents formally outlining the process, and records describing how it has been applied, exist. Although some of the information might be classified and therefore redacted from the disclosed documents, he says these records could include prior decisions about which zero-day vulnerabilities were disclosed, and when.

EFF formally asked that processing of the request be expedited. ODNI granted that request; NSA denied it. Under the law, agencies have 20 working days to respond to a regular FOIA request, and an expedited request must be processed as soon as practicable. Crocker says that in practice those deadlines are rarely met. EFF filed the lawsuit on July 1, nearly two months after the request, alleging that the agencies are in violation of FOIA for failing to expedite processing and for wrongfully withholding agency records.

"We as a country, as a public, have engaged in a particularly intense debate about the scope of intelligence-gathering techniques," Crocker says. He says that the debate has resulted in greater transparency, but that zero-day vulnerability disclosure remains "a particularly not very well-understood area of what the intelligence agencies do."

The agencies being sued have 30 days (from July 1) to respond to the lawsuit.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Alison_Diana, User Rank: Moderator
7/9/2014 | 9:19:16 AM
Re: Even if NSA is telling the truth about Heartbleed ...
This shows just how little credibility NSA has, post-Snowden, doesn't it? With each damning revelation, pro-transparency organizations like EFF have more ammunition to pursue FOIA and lawsuits against NSA and other agencies. No doubt this won't be the last.
David F. Carr, User Rank: Strategist
7/8/2014 | 6:15:46 PM
Even if NSA is telling the truth about Heartbleed ...
I gather the EFF's point is that even if NSA is telling the truth about Heartbleed, they want to know more about this process for deciding when to withhold news of a vulnerability and how often it has been used.