The National Security Agency may find and purchase zero days, but that doesn’t mean it’s sharing its hoard with other government agencies such as the U.S. Navy, which apparently is in the market for some unpatched, undisclosed vulnerabilities of its own.
A request for proposal posted last Wednesday to FedBizOpps.gov (since taken down) by the Naval Supply Systems Command sought a CMMI-3 (Capability Maturity Model Integration) contractor capable of producing operational exploits that integrate with commonly used exploitation frameworks, the RFP said.
The Navy said it was looking for vulnerability intelligence, exploit reports and operational exploit binaries for commercial software, including but not limited to Microsoft, Adobe, [Oracle] Java, EMC, Novell, IBM, Android, Apple, Cisco IOS, Linksys WRT and Linux, among others.
Microsoft, IBM and EMC (parent company of RSA Security) declined to comment for this article. Requests for comment were also made to Adobe and Apple, neither of which was returned prior to publication.
“The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software,” the RFP said. “The government will select from the supplied list and direct development of exploit binaries.
“Completed products will be delivered to the government via secured electronic means,” the RFP continues. “Over a one year period, a minimum of 10 unique reports with corresponding exploit binaries will be provided periodically (no less than 2 per quarter) and designed to be operationally deployable upon delivery.”
Per the solicitation, it would seem the Navy is looking not only for offensive weapons, but also for tools that meet an internal need to emulate hacker tactics and capabilities.
“Reading the call, it seems as much about N-day (N<6 months) as 0-day for the red team when evaluating their own systems,” said Nicholas Weaver, a senior network security and malware researcher with the University of California at Berkeley. “And it’s as much about the capability of turning vulnerability reports into exploits.
“I wouldn’t think of it as too out of the ordinary for such a solicitation about ‘offensive tools for defensive use,’” Weaver added.
The request, however, does require the contractor to develop exploits for CVEs released in the future.
“Binaries must support configurable, custom, and/or government owned/provided payloads and suppress known network signatures from proof of concept code that may be found in the wild,” the RFP said.
The government’s involvement in the use and purchasing of zero days has always been a contentious point, not only over how the exploits will be used, but also because details won’t be disclosed to the vendor, leaving potentially millions of users exposed to attacks.
Shortly after the disclosure last year of the Heartbleed vulnerability in OpenSSL, White House cybersecurity coordinator and special assistant to the president Michael Daniel explained the executive branch’s position on disclosure, which somewhat lines up with the NSA’s stance, in that there are occasions when the government won’t share bug details with vendors.
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run,” Daniel wrote in April 2014. “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”
Daniel’s memo shares the high-level questions the government considers when an agency proposes withholding vulnerability details from a vendor. The Electronic Frontier Foundation (EFF) today wrote that it’s skeptical the so-called Vulnerabilities Equities Process results in many disclosures considering the financial investment that, in this case, the U.S. Navy would make in contracting zero-day development; individual zero-days reportedly can sell for as much as six figures in legitimate and underground markets.
“What’s more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities,” wrote Nate Cardozo and Andrew Crocker of the Electronic Frontier Foundation. “As we’ve explained before, the decision to use a vulnerability for ‘offensive’ purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users.”
The NSA, for example, has a twofold mission: not only to protect American networks, but also to gather data from foreign networks, which could include penetrating those networks using vulnerabilities the agency has discovered or purchased. Keeping those vulnerabilities under wraps is of great value to the NSA, something NSA Director Adm. Michael S. Rogers said during a November speech that he had discussed with the president.
“He also said, look, there are some instances when we’re not going to [share vulnerability information]. The thought process as we go through this policy decision, the things we tend to look at are, how foundational and widespread is this potential vulnerability? Who tends to use it? Is it something you tend to find in one nation state? How likely are others to find it? Is this the only way for us to generate those insights we need or is there another alternative we could use?” Rogers said. “Those answers shape the decision.”