http://www.wired.com/2015/03/us-used-zero-day-exploits-policies/
By Kim Zetter
Security
Wired.com
March 30, 2015
Around the same time the US and Israel were already developing and
unleashing Stuxnet on computers in Iran, using five zero-day exploits to
get the digital weapon onto machines there, the government realized it
needed a policy for how it should handle zero-day vulnerabilities,
according to a new document obtained by the Electronic Frontier
Foundation.
The document, found among a handful of heavily redacted pages released
after the civil liberties group sued the Office of the Director of
National Intelligence to obtain them, sheds light on the backstory behind
the development of the government’s zero-day policy and offers some
insight into the motivations for establishing it. What the documents don’t
do, however, is provide support for the government’s assertions that it
discloses the “vast majority” of zero-day vulnerabilities it discovers
instead of keeping them secret and exploiting them.
“The level of transparency we have now is not enough,” says Andrew Crocker,
a legal fellow at EFF. “It doesn’t answer a lot of questions about how
often the intelligence community is disclosing, whether they’re really
following this process, and who is involved in making these decisions in
the executive branch. More transparency is needed.”
The timeframe around the development of the policy does make clear,
however, that the government was deploying zero-days to attack systems
long before it had established a formal policy for their use.
[...]