Study shows hacking techniques harder to keep secret than first thought

A new Harvard study shows that multiple researchers independently uncover the same security flaws more often than previously thought, a discovery that could affect the way governments determine whether to keep those flaws secret for use in espionage. 

Researchers Trey Herr, Bruce Schneier and Christopher Morris discovered that, between 2014 and 2016, 15 percent to 20 percent of security vulnerabilities in the phone operating system Android and the web browsers Chrome and Firefox were discovered within one year.

The previous estimate, in a RAND Corp. study that had access to a smaller set of information, estimated that only around 6 percent were discovered within one year.

{mosads}The findings are significant because, as governments research security flaws to use in espionage operations or purchase from brokers, they have to determine both the shelf life of the weapons they could form and the potential damage if a hacker discovers the same vulnerability.

Earlier this year, the WannaCry ransomware used a package of exploits believed to be stolen from the National Security Agency. Had the NSA immediately reported the vulnerabilities to Microsoft as soon as they were discovered, Microsoft could have patched the problem years earlier. 

Instead, Microsoft had only patched the vulnerabilities weeks before the malware was released, which was in many cases not enough time for businesses to update. 

The Harvard study looked at a pool of 4,307 critical and high-risk security vulnerabilities. They found that, between 2009 and 2016, 1 in 7 were submitted back to the company by multiple researchers. When more than one group discovers the same vulnerability, it is known as a collision. 

But they also found that, over time, more collisions happened within the first year. 

In the United States, the strategy for determining which vulnerabilities should be kept for intelligence use is known as the Vulnerability Equities Process (VEP). The VEP requires intelligence agencies to presume that all vulnerabilities will be reported to manufacturers, but allows them to argue for keeping specific vulnerabilities in front of a third-party board. 

The process, put in place by the Obama administration, is opaque, and there is no public data about adherence to the policy or how the Trump administration has adapted the policy. 

There have been multiple legislative efforts to codify the VEP.