Future Tense

The Federal Policy Loophole Supporting the Hacking-for-Hire Market

Can it be closed?

Photo illustration: two chains held together by a warped paperclip.
Photo illustration by Slate. Photos by Thinkstock.

The FBI can shut down hundreds of online marketplaces on the dark web and identify web administrators on the internet anonymizing platform Tor. But when it comes to cracking encrypted mobile devices, it can seem as helpless as any regular citizen.

In a January 2018 speech at Fordham University, FBI Director Christopher Wray noted that in 2017 alone, agency investigators couldn’t access content on 7,775 devices: “That’s more than half of all the devices we attempted to access in that timeframe—and that’s just at the FBI.”

It was a dire revelation. But there was only one problem: It wasn’t true. The Washington Post found the number was closer to between 1,000 and 2,000, more in line with the 880 devices the agency said it was locked out of in 2016.

The FBI eventually admitted its error, though it came after months of Wray and other government officials repeating the inflated numbers. The revelation, however, may not exactly mean the FBI is better at cracking phones than it publicly discloses. The agency, after all, has been known to supplement its hacking abilities with outside help.

Most of the time, cracking encrypted devices comes down to finding and leveraging zero-day vulnerabilities—unknown exploitable weaknesses in software or hardware. While agencies like the FBI can do this themselves, they also outsource the task to third-party hackers and companies who operate on the “gray market”—a furtive marketplace of sellers offering zero-days and hacking services exclusively to government and corporate clients.

In 2015, for instance, the FBI paid about $1.3 million to an undisclosed gray-market company for an exploit—essentially a tool leveraging a zero-day vulnerability—that cracked a locked iPhone used by gunman Syed Farook in the San Bernardino, California, shooting, according to then–FBI Director James Comey. While the purchase received much attention, it was hardly the first time the U.S. government relied on the gray market. In 2012, the NSA bought exploits from Montpellier, France–based Vupen, a gray-market company that closed in 2015 and reopened as Zerodium. In fact, the NSA budgeted $25.1 million to purchase zero-days in 2013.

For the federal agencies, there is one significant incentive to use the gray market: It allows them to bypass the Vulnerabilities Equities Process, an interagency policy that requires the government to decide whether to disclose zero-day vulnerabilities to tech companies to be patched, or to keep them classified to leverage in intelligence operations or investigations.

Though it was first established in 2010, the very existence of the VEP was only made public in 2014. Three years later, the Trump administration updated the VEP, and publicly released an unclassified policy charter. Many, including a former cybersecurity official in the Obama administration and the American Civil Liberties Union, praised the move for, among other things, disclosing the criteria used to determine whether to reveal or classify a vulnerability. The charter shows that the cybersecurity of everyday tech consumers is a significant factor in the decision-making process.

But like its earlier iterations, the updated VEP is flawed because it continues to include a glaring loophole. The government doesn’t have to follow the VEP if it purchases zero-days that are subject to contractual restrictions, such as nondisclosure agreements. In other words, the government need not weigh the security repercussions of keeping vulnerabilities purchased on the open market secret.

To be sure, there is incentive for both government zero-day buyers and sellers to seek nondisclosure agreements. Sellers don’t want vulnerabilities disclosed to be patched—it ruins their products. This, in turn, allows agencies like the FBI to bypass their responsibility under the VEP and potentially keep purchased vulnerabilities operational—even if they pose a significant cybersecurity risk to U.S. consumers—for as long as possible.

What’s more, such agreements can also benefit buyers by restricting sellers from publicly discussing their business dealings. The U.S. government, after all, would not want potentially adversarial nations knowing it purchases zero-days in the first place, out of concern that it could show the limits of its hacking abilities. Nor would it want adversaries to know the specific zero-days it purchases, as they could offer clues about ongoing U.S. intelligence operations.

Stephen Maurer, adjunct professor of public policy at the University of California–Berkeley, notes that while both buyers and sellers can ask for nondisclosure agreements, they are more likely to come from sellers. “In the current system the vast majority of business models are based on trade secrets. If the FBI asks for a nondisclosure agreement in the first place, that’s really only an accident. Because if they didn’t ask, the contractor would immediately demand one.”

A 2017 report by the RAND Corp. found that most prices for zero-days on the gray market averaged about $50,000 to $100,000, though they can hit as high as $1 million. Yet the extent to which U.S. government purchasing power supports the gray market is not definitively known. But Sharon Bradford Franklin, director of surveillance and cybersecurity policy for New America’s Open Technology Institute, notes that while there is little transparency in zero-day transactions, “there has been some reporting about how the U.S. government is the biggest buyer in the market.” (Disclosure: New America is a partner with Slate and Arizona State University in Future Tense.)

It might be tempting, then, to argue that the U.S. should stop doing business with the gray market altogether and instead leverage only the zero-days it finds on its own. But that could be risky. Should the government stop buying from gray-market sellers, nation-states and private organizations that may be adversarial to the U.S. may have an opportunity to fill the void.

Ari Schwartz, former senior director for cybersecurity at the National Security Council, likens the situation to blackmail: “You’re engaging in a process where people will sell to anyone, and they are also sort of saying if you don’t buy from us, we’re just going to sell it to someone else, your enemy, so you might as well buy from us.”

Some gray-market companies say they work only with the U.S. and its allies, as the now-defunct Vupen claimed to do. But such exclusivity is far from universal, and could change should market dynamics alter.

U.S. intelligence agencies may also be too reliant on gray-market companies to suddenly disengage. A report by the Department of Justice’s Office of Inspector General on how the FBI handled unlocking the San Bernardino gunman’s iPhone described such companies as contractors working on several long-term projects for FBI teams.

While the U.S. may be hard pressed to leave the gray market, supporting sellers that retain zero-days also poses risks. After all, gray-market companies like the Hacking Team and Cellebrite were breached by cybercriminals in the past (though to be fair, so were government agencies).

In addition to security concerns, Schwartz notes that “there is a morality risk as well” in encouraging hackers to sell vulnerabilities to government buyers instead of disclosing them to tech companies for patching. There is also the moral uneasiness posed by supporting some gray-market companies, such as the Hacking Team, that will sell zero-days to repressive governments.

The U.S. could continue to operate in the gray market while closing the VEP loophole. But doing so is not just a matter of rewriting policy, but of “reorganizing the entire [gray market] and federal vulnerabilities purchases in some completely different way,” Maurer says.

There are some ideas about how to go about this. In a 2016 report, Schwartz and his colleague Robert Knake, former cybersecurity policy director at the National Security Council, recommended requiring the government to buy the exclusive rights to gray-market zero-day vulnerabilities and enter them into the VEP. The government could then decide whether to disclose or classify every zero-day it knew about.

But just how receptive gray-market companies would be to selling their vulnerabilities outright is an open question. Lillian Ablon, an information scientist at RAND, notes that some gray-market companies opt for leasing exploits and vulnerabilities “to multiple different groups so they can make more money off of them.”

There are others, however, who want the government to disrupt the gray market from the ground up. Maurer believes the government should enter the gray market itself by directly working with independent researchers who are not tied to any particular gray-market company.

He notes that Zerodium already offers independent researchers bug bounties for the exclusive rights to zero-days they find. It then sells those zero-days to its corporate and government clients. “The question then becomes: Why doesn’t the NSA just run its own bounty program and cut out the middleman? Because they’re almost certainly paying Zerodium a markup, in which case they could probably do the job cheaper themselves.”

Once the government obtains vulnerabilities, Maurer adds, it should immediately disclose each one, thereby shrinking the gray market and establishing “a baseline level of competition for the private sector.” He says that “if you publish a vulnerability, you help defenders, and make life harder for all attackers everywhere.”

But disclosing all zero-days doesn’t sit well with many government officials. Rob Joyce, the former NSC cybersecurity coordinator who spearheaded the 2017 VEP updates, has dismissed the idea. “In my view, this is tantamount to unilateral disarmament,” he wrote in a blog post announcing the VEP changes. “Our adversaries, both criminal and nation state, are unencumbered by concerns about transparency and responsible disclosure and will certainly not end their own programs to discover and exploit vulnerabilities.”

While some are calling for radical changes, there are those who believe in a more measured approach, arguing that the current situation is unsustainable anyway. Schwartz, for instance, sees the gray market eventually flaming out on its own, thereby allowing the loophole to be closed with few repercussions. “We are starting to see the rate of vulnerabilities being found really increasing right now, and you can look at the Spectre and Meltdown cases as one example,” he says, referring to the 2017 discovery of Intel microprocessor vulnerabilities by multiple researchers.

Of course, uncovering more vulnerabilities potentially supports the gray market. But Schwartz argues that “in the short term, an investment in finding these vulnerabilities is going to pay off because you’ll find a lot of them, and in the long term it’s going to be harder to find them” as tech companies become more security conscious with their products. In the meantime, he calls on the government to increase funding for its own vulnerability discovery to rely less on the gray market. But expanding the government’s cybercapabilities doesn’t always sit well with everyone.

OTI’s Franklin notes that there are “concerns in the privacy advocacy community and among cybersecurity experts about having the government develop their hacking capabilities.” But she is in favor of relying more on the government than the private sector.

Whatever the solution, it is clear that something has to change. The U.S. government’s relationship with the gray market poses deep moral and security problems for a country facing increasing global cyberthreats and more public scrutiny over its own cyberspying programs. While the creation and development of the VEP was meant to rein in the security dangers posed by the use of zero-days, a robust gray market ensures that increasingly sophisticated cyberattacks and government-sponsored hacking will continue unabated. The tension between government policy and practice, however, is not sustainable long-term, and eventually, one has to give at the expense of the other. But while it may be easier to change a relatively new policy than decades-old practice, it’s also becoming less and less feasible to keep the status quo.