20 March 2016

NSA’s “Zero Days” Software Exploitation Strategy to Remain Secret

NICHOLAS IOVINO
Courthouse News Service
March 17, 2016
SAN FRANCISCO (CN) - The U.S. government’s process for deciding whether to exploit or disclose security flaws that make people vulnerable to hackers will remain shielded from the public, a federal judge ruled Thursday.
The Electronic Frontier Foundation sued the National Security Agency in July 2014 for refusing to release records on the government’s handling of “zero days,” or newly discovered security flaws not yet fixed by software developers.
EFF’s suit was filed in the wake of news reports claiming the government knew for two years about the Heartbleed Bug, a widespread security flaw affecting an estimated two-thirds of the world’s websites, without disclosing the threat.
In a ruling issued Thursday, U.S. District Judge Richard Seeborg found the NSA properly invoked exemptions under the Freedom of Information Act to withhold portions of its vulnerable equities process document.
The judge reviewed the document behind closed doors and determined the redacted portions of the file were not previously revealed to the public by national security and intelligence officials and therefore not subject to declassification as EFF had claimed.
Seeborg also refused to make the NSA reveal the names of individuals and government agencies listed on the headers of the document, along with the names of “small government components” involved in the decision-making process. He agreed with the NSA that such information is covered by the deliberative process exemption under FOIA.
“The header here is not an embodiment of the Vulnerabilities Equity Process, but a reflection of the ‘group thinking’ involved in ‘working out’ what that policy would be - a policy then expressed and embodied in the balance of the VEP document,” Seeborg wrote in his five-page ruling.
The judge granted the NSA’s motion for summary judgment, denied the EFF’s cross motion for summary judgment and gave the government 20 days to submit a proposed final judgment in the case.
