“Secret Trade in Digital Vulnerabilities” (opinion by prof. Corien Prins / Tilburg University)

UPDATE 2014-09-23: today the Dutch Senate requested (.pdf, in Dutch) the government to create safeguards concerning the decision-making on the disclosure or non-disclosure of vulnerabilities found by the Dutch intelligence & security services (notably by the employees of the JSCU). The Senate states that the decision to disclose or not disclose a vulnerability cannot be made by the services themselves, because the interest of all internet users has to be taken into account (thus implying that the services cannot be relied upon to take the interest of all internet users sufficiently into account).

In April 2014, professor Corien Prins (Tilburg University) published a piece on the trade in computer vulnerabilities in the Dutch law magazine “Nederlands Juristenblad”. The original piece is here (.pdf, in Dutch) and carries the title “Geheime handel in digitale lekken”. Here is my translation of Prins’ original text:

Secret trade in digital vulnerabilities

Last month, the European Court of Justice made clear that the authority of law enforcement agencies to request so-called ‘traffic data’ (which phone number called which phone number, from what location and for how long?) must be used proportionally [1]. The Court found that the collection of traffic data can contribute to the fight against serious crime and terrorism, but that the way in which this is currently happening is contrary to the proportionality requirement.

Commentators immediately pointed out that the decision fits into a change of thinking about the importance of privacy. But more or less at the same time that the European Court reinforced the privacy interest, it became clear that the NSA had been using an internet security vulnerability labelled ‘Heartbleed’. Instead of reporting it to the relevant parties, so that they could implement the necessary changes in their systems, they kept secretly peeking through the crack and thereby violated the privacy of many people worldwide.

This report got ample media attention. But those familiar with the world in which companies such as Vupen (vupen.com) and ReVuln (revuln.com) operate were not surprised. In this world, lots of money is made by trading vulnerabilities. The minimum price for a so-called ‘zero-day exploit’ is around 50,000 dollars. In short, a zero-day exploit is a software application that is specifically developed to abuse a vulnerability in, for instance, an internet service. Using a zero-day exploit, the IT system can be penetrated without the knowledge of its provider. Whoever has an exploit can covertly observe, wiretap data, install viruses, etc. The term zero-day exploit is derived from the age of the software application that uses the vulnerability. It is inherent to the application that it abuses the vulnerability before the first day (day 0) on which the provider of the system is aware of the vulnerability. From that day on, after all, the provider has the opportunity to distribute a patch to users, and hence the exploit loses its value.

Little is known about the trade in zero-day exploits, but an analysis worth reading of this shady market by Reuters makes it clear that the intelligence services are major customers [2]. Interesting is the mafia-like arrangement (having your cake and eating it too) of various suppliers [3]: they present themselves as defenders against dangerous exploits, while at the same time developing exploits to offer from the stance (whether or not commercially motivated): ‘if you do not pay, we put your door wide open’.

The economic and social dependence on crosslinked digital systems, combined with the growing uncertainty about cyber terrorism and digital ‘warfare’, brings both security services and the military to previously unknown strategies. Whether and to what extent zero-day exploits are part of the new instruments is unclear. The Annual Report 2013 of the AIVD, presented last week, does not mention it. But from the letter sent by the Minister of Defense to the Parliament on March 17th 2014 it becomes clear that “the development of the capability to carry out offensive cyber operations” is a spearhead in the Defense Cyber Strategy [4]. Furthermore it states: “Offensive cyber capabilities are digital means that have the purpose of influencing or rendering impossible opponent action. These capabilities can be deployed in a military operation to support conventional military capabilities. The use falls under the relevant mandate and the applicable Rules of Engagement. The legal frameworks are no different from those that apply to the use of conventional means.”

In case our country uses zero-day exploits: what exactly are the implications of the simple observation that “applicable Rules of Engagement” apply? Which assessment framework does one use, now that the use of zero-day exploits by definition puts the safety of citizens and businesses at stake? According to Richard Clarke, the former cyber security adviser to the Obama administration, the U.S. government used zero-day exploits without a solid assessment framework [5]. Of course it is very difficult to formulate criteria here, but what arguments, then, underlie the choice to use an offensive strategy (using the vulnerability to influence the action of opponents) or rather a defensive strategy (preventing malversants from using the vulnerability and informing IT providers)? And how transparent can and will they be regarding the extent to which this means is used?

The head of the AIVD, Rob Bertholee, states in his foreword to the Annual Report 2013: “We are a secret service, but we do not want to be secretive. Our tasks and responsibilities are laid down in the law, our actions are publicly accounted for. This Annual Report is a part of that. Only a part of what we do is secret, and secret for a reason: to protect sources or prevent unauthorized persons from taking note of our activities. The control over that secret part of our work is fortunately also properly organized” [6]. Possibly the use of zero-day exploits is part of the secret part of the activities of the AIVD and the Ministry of Defense. There will be good reason for that. At the same time, society should be confident that the considerations and control over the use of this new instrument will function properly, as befits the rule of law.

[1] Judgment of the Court (Grand Chamber) April 8th 2014, in joined cases C-293/12 and C-594/12, requests for a preliminary ruling under Article 267 TFEU from the High Court (Ireland) and the Verfassungsgerichtshof (Austria), made by decisions of 27 January and 28 November 2012, respectively, received at the Court on 11 June and 19 December 2012.
[2] J. Menn, U.S. cyberwar strategy stokes fear of blowback, Reuters, May 10th 2013.
[3] For an overview of these companies, see: http://wikileaks.org/the-spyfiles.html
[4] Letter to Parliament about offensive cyber capability, Dutch Ministry of Defense, March 17th 2014.
[5] J. Menn, U.S. cyberwar strategy stokes fear of blowback, Reuters, May 10th 2013.
[6] AIVD: Dutch persons committed suicide attacks.

These are some of the companies associated with buying and/or selling vulnerabilities/exploits:

Further reading:
