Science

When do Canadian spies disclose the software flaws they find? There's a policy, but few details

A similar process helps U.S. spies decide whether to report flaws to tech companies or keep them secret for future use.

A similar process helps U.S. spies decide when to report flaws to tech companies versus exploiting them

When it comes to evaluating software vulnerabilities, a 'longstanding assessment process is carried out by a panel of experts from across CSE,' according to a spokesperson. The agency is run by Chief Greta Bossenmaier, pictured here. (Chris Wattie/Reuters)

When a crippling ransomware attack wreaked havoc on computers around the world earlier this year, it did so with alarming, worm-like speed. It didn't take long for security researchers to find out why. The highly sophisticated code that was used to sneak silently into computers, largely undetected, had been stolen from the NSA.

The incident thrust a long-simmering debate about the disclosure of previously undiscovered software flaws into the spotlight: how should government agencies decide which vulnerabilities to report, and which ones to keep secret for future use?

In the U.S., the policy governing this careful weighing of stakes is known as the Vulnerabilities Equities Process, or VEP.

In Canada, spies have for the first time acknowledged that a similar process exists here, too.

"CSE (Canada's electronic spy service) has a rigorous process in place to review and assess software vulnerabilities," wrote Communications Security Establishment spokesperson Ryan Foreman in an email, in response to a list of questions about the handling of zero-day vulnerabilities sent by CBC News. "This longstanding assessment process is carried out by a panel of experts from across CSE."

Canadian Forces Station Leitrim in Ottawa intercepts communications for CSE. (Chris Wattie/Reuters)

According to Foreman, the panel meets "regularly," though he declined to say how often, nor how many times they have met in recent years. CSE's policy is not public, and the agency declined to even give the policy's formal name, citing "operational specifics."

"We would want the policy itself to be public and scrutinizable," says Brenda McPhail, privacy director for the Canadian Civil Liberties Association (CCLA).

A copy of the U.S. government's own vulnerability handling policy was only obtained through a Freedom of Information Act lawsuit filed by the digital rights group Electronic Frontier Foundation in 2014, after the NSA declined to publicly release its policy.

The risk of 'stockpiling'

In the U.S., the VEP was created to help different government agencies weigh the risk of keeping newly discovered software vulnerabilities secret, so that they can be exploited by law enforcement or intelligence agencies to gather intelligence from computers and phones without detection.

So-called zero-day vulnerabilities are considered especially serious because no patches have been developed to fix them, and software developers — be it Microsoft, Apple, Google, or others — don't know the flaws exist.

As a result, some are worried that keeping the discovery of zero-day vulnerabilities secret unnecessarily puts users around the world at risk — especially if knowledge of the vulnerability is obtained or discovered by someone else first.

That concern was realized in May when previously undisclosed software vulnerabilities discovered by the NSA were stolen, and later used to infect computers with a particularly nasty strain of ransomware called WannaCry.

A strain of ransomware dubbed WannaCry hits thousands of computers in 99 countries in May, encrypting files and demanding affected users pay $300 US in bitcoin to regain access. (Ritchie B. Tongo/EPA)

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," wrote Brad Smith, Microsoft's president and chief legal officer, in a blog post following the incident. "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."

Zero-day vulnerabilities used by the CIA have also been published online by WikiLeaks in recent months.

In the interest of greater transparency, U.S. senators drafted new legislation last month that would require government agencies to prepare an annual report detailing the number of vulnerabilities that have been reviewed and ultimately disclosed under the VEP. They would also have to describe the nature and severity of each flaw found.

Reviewing the review process

Foreman, CSE's spokesperson, said any decisions made by CSE's panel of experts are made "in the best interests of Canada's security, which includes protecting Canada's critical information systems and networks, and protecting Canadians from foreign threats at home and abroad."

But some are skeptical that intelligence agencies such as the NSA and CSE — which contain both offensive and defensive units that sometimes have opposing goals — are in a position to make that call.

"You'll have the defensive people at the table, and you'll have the offensive people at the table, and you'll have the foreign intelligence people at the table," said Christopher Parsons, a research associate at the University of Toronto's Citizen Lab. "And they do not necessarily share the same agenda."

A sign for the Government of Canada's Communications Security Establishment (CSE) is seen outside their headquarters in the east end of Ottawa on Thursday, July 23, 2015. Canada's electronic spy agency introduced mandatory privacy awareness training for all employees in March following an internal breach involving personal information. THE CANADIAN PRESS/Sean Kilpatrick
An oversight body intended to oversee the government's security and intelligence agencies — including CSE — was proposed in June as part of the Liberal government's overhaul of the controversial anti-terror law Bill C-51. (Sean Kilpatrick/The Canadian Press)

Experts say they would like to know the criteria that CSE's panel uses to evaluate the severity of vulnerabilities and its decision to report them to technology companies, as well as reporting similar to what senators are pushing for in the U.S.

Both Parsons and McPhail suggest this may be an area worthy of further study by CSE's current review body, or even the Intelligence Commissioner proposed in the recently introduced national security legislation Bill C-59.

"We think of our national security agencies as people whose jobs is to keep us safe," said McPhail. "And I think it's problematic when people whose job it is to keep us safe are able to make decisions to deliberately reduce our safety online for their own advantage."

ABOUT THE AUTHOR

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at matthew.braga@cbc.ca. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.