EFF sues U.S. government over cybersecurity disclosures
Your move, NSA.
The Electronic Frontier Foundation (EFF) wants to know how the U.S. government decides which major cybersecurity flaws to disclose and which to keep secret.
On Tuesday, the EFF launched a Freedom of Information Act (FOIA) lawsuit against the National Security Agency and the Office of the Director of National Intelligence (ODNI) in an effort to obtain documents that show how American intelligence agencies choose to disclose devastating and previously unknown computer security flaws known as “zero days.”
“This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community’s toolset: security vulnerabilities,” EFF Legal Fellow Andrew Crocker said Tuesday in a statement. “These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country.”
Zero days are the most valuable and effective weapons in any cyberwar arsenal because no one knows they exist. Many governments will pay a premium for these vulnerabilities, which they can then use in cyberattacks of their own.
Zero day attacks can remain undetected for months or years after they are first launched. Stuxnet, a computer worm that sabotaged Iran’s nuclear program, worked for as many as five years before detection in 2010.
The EFF specifically cited the April 2014 Heartbleed bug, a vulnerability that existed for years, as a potentially crucial zero day attack. Bloomberg News reported that the NSA secretly exploited the bug for two years, a charge that the agency vehemently denied.
“In the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” Michael Daniel, the White House cybersecurity coordinator, wrote in response to the charges. “This has been and continues to be the case.”
There are exceptions—an opportunity to collect crucial intelligence to thwart a terrorist attack or to stop the theft of intellectual property, for instance—and the White House says it has “established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”
Daniel did not reveal any other specifics about how the U.S. decides which vulnerabilities to keep secret.
The U.S. government’s use of zero days affects domestic policing as well. The Department of Justice is currently pushing the U.S. Courts’ Committee on Rules of Practice and Procedure to allow law enforcement to use zero days to hack into computers using malware.
“The use of zero days by law enforcement poses significant risks,” Nathan Freed Wessler, staff attorney at the ACLU, wrote, “because by exploiting these vulnerabilities rather than notifying the companies responsible for the software, the government leaves the rest of the internet vulnerable to malicious attacks.”
Wessler argues that the use of zero days also undermines the protection against unreasonable search and seizure in the Fourth Amendment of the U.S. Constitution.
The EFF insists that the public ought to be able to take part in the debate over vulnerability disclosure, which remains obscured by government secrecy.
Photo via Robert Nelson/Flickr (CC BY 2.0)
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.