Now it's time to kick off our first talk, and this is a talk I'm very excited about. I actually kicked Jay's talk off a couple of years ago. You guys are in for a real treat. Jay Healey has a quite interesting resume, and I'm sure he's going to go through some of that. But he's going to talk a little bit about feds and zero-days and stuff like that, because it's been kind of a wild year for things like law and policy and security. So this is going to be a good one. Let's give our first speaker a big round of applause.

Great. Thanks very much. My name is Jay Healey. I teach at Columbia University. And I want to kick off with this for a second, because I don't teach computer science at Columbia. I teach in the International Affairs and Public Policy School. And that's kind of been my resume up to this point that just got mentioned. You know, I started coming to DEF CON at DEF CON 9. I've been part of this community. A few years ago Jeff Moss, Dark Tangent, put me on the review board so I can review the talks, to be even more part of the community. But I've also been part of the policy community for that time. So one foot in DEF CON with all of you guys, but also very much within that policy audience, the very deep Washington, D.C. crowd. And that's what I teach now. It's trying to go back and forth so that the policy folks can understand what you do, and also to translate for you guys what's happening in policy, so that we can figure out whether the things that are being done in Washington, D.C. and other capitals are in our interest, and also try and get through some of the BS so that you can better understand.

So today's talk, we're going to look at these four areas. I want you to come away from this especially understanding the government's process for looking at zero-days: how they decide what to disclose to the vendor and what they're going to retain for their own use.
Second, the real meat of this is: how many zero-days does the government keep to itself per year? Is it hundreds? Is it thousands? Is it more than that? Is it less than that? So just by a show of hands, who imagined that the government keeps hundreds of vulnerabilities? Okay, decent, maybe 40. Thousands? Wow, a lot more. Who thinks it's maybe more than thousands? Great. Anyone less than anything that's listed there? Okay, I'm going to cut to the end of the talk. It looks like, from every piece of evidence that we can find, that it is much less than that. Now I know you're not going to believe that. So I'm going to go through every line of evidence that we've gone through to try and prove it and disprove it, and let you make up your own minds.

Last, every year they keep some, so how big is that overall arsenal of retained vulnerabilities that they're keeping for themselves? If "how many does it keep every year" is about the flow, how many do they have in the arsenal? And then what we don't know: there are still some big open research questions, and then some recommendations for governments as well as recommendations for the rest of us.

This is work that was kicked off by a team of students from Columbia University's School of International and Public Affairs. We had five different teams that were looking across all different aspects of this. One of the students from the research teams is here. We had folks looking at everything from the zero-day markets, and can we find what activity governments have in zero-day markets? What about the government's role in vulnerability disclosure programs? Diving right in and trying to figure out the VEP process. We had some folks with a statistical background to try and look at it from statistics. We tried to see, all right, what's the use of actual zero-days in the wild, and what do we know about other government programs?
So I'm not going to reference this slide other than to say they put in a lot of work. We've put in a lot of work up to this point. I'm going to keep saying this again and again: I don't know if we got the right answer, but we've tried to run down every line of evidence that we can, and, as you can see from this timeline of the government process, we've gotten together a lot of information on this. This should be coming out in a report, hopefully in the fall. So whenever I've tried to make a judgment, I've listed my level of confidence, based on my judging of that evidence as someone that understands both the technology side as well as the policy side.

As I said, I've tried to go through every line of evidence that I can. We've hunted it down as far as we can. I'll present all of that to you. There are still reasons why we're really suspicious about government on this. They've given us a lot of reasons to be suspicious about this and to suspect the number is far higher. I'm probably not going to convince all of you. I had a great talk last night at the speakers' lounge with Don. Don, I don't know if you're here. I couldn't convince Don. No matter the lines of evidence, Don wasn't going to be convinced. And that's okay. I'm not going to convince a lot of you about the answers that we came up with. What I'd prefer you be convinced about is that we did the best job we could to try and come up with those correct answers, and if we did get it wrong, that someone else can come in and try and get a better answer.

So, last one, it comes to credibility. As I said, I started coming at DEF CON 9. I'm on the DEF CON review board. I've gone to the folks that you might consider credible on this. I've talked about this to Dark Tangent, to the EFF, to a lot of the journalists that have written on this, the names that you would know. I've also done this to try to be credible to the policy audience.
I came out of the military, doing mostly defensive cyber stuff. I had time at the Pentagon. I had time at the White House. I've talked to that crowd and the journalists that have written the stories. And I've gone to all of these groups, from the EFF to former White House and current government officials, to say: where am I right? Where are we wrong? Where does our research team seem to be off? I've said, can we prove that we're wrong? Is there any evidence that disproves this? And this is what we've come up with so far. So hopefully you'll at least be convinced by what we've done.

Okay, way too much preface. So the government has two main roles when you're talking about vulnerabilities, and there's strong tension and often bureaucratic infighting between these two communities. You've got the agencies that love to use the zero-days. They generally want to keep the zero-days. This is really simplified. So you've got DoD, the intelligence community and law enforcement agencies that would like to keep these open, as we saw in Apple v. FBI, so that they can collect intelligence. They can do their job as they see it. There are others whose equities say, no, we want these to be pretty much all closed down. So for example, the Department of Commerce has been running a vulnerability disclosure dialogue, with Alan Friedman there. The agencies that represent a specific sector of critical infrastructure, like the Treasury Department or the Energy Department, have equities where they want these things disclosed back to the vendors. And then DHS, which for the most part wants defense. There are law enforcement parts of DHS, but for the most part the critical infrastructure protection and cybersecurity folks overwhelmingly want these closed down. And this is important, because you see this tension between these agencies. The government is certainly not of one mind on this. And that does come in when we're thinking about evidence later on.
I also want to point out there are three main kinds of vulnerabilities when you're thinking about this from the government perspective. First is battlefield systems. This talk isn't going to deal with a Russian surface-to-air missile vulnerability. That's not a commercial system; that wouldn't go into the program that we're talking about here. Second are closed and proprietary, but still commercial, systems. This is things like Siemens, the industrial control systems, the more Internet of Things devices that are coming online. Last, the ones that we tend to think about when we're talking about vulnerabilities, is the open internet: the Microsofts, the Ciscos, the Apple vulnerabilities. But keep in mind we do have these three sets, and we're not going to be talking about the closed battlefield ones.

So we're going to start the story. We know the government has been using and sharing vulnerabilities for at least 50 and probably more like 20 years, going back to the '90s. Some of you might have seen comments from Richard Bejtlich. He's now with FireEye Mandiant, and he had been in the Air Force in the '90s, and he gave this quote. He was on the defensive side at the Air Force CERT, and they discovered a Cisco vulnerability and said, great, let's tell Cisco. They didn't have any kind of process. They said that's the right thing to do. And the offensive part of the Air Force at that time, in San Antonio, said, what are you doing? Let us know about that first. You can't just tell the vendor. So we know that at least at this point in the Air Force, there was no set policy and you had this default to the offense. They said we'll decide, and it looked like they were keeping it for offensive purposes. Also we know from this time that the military and the other agencies really hoarded it. If you were Air Force and you had a Cisco vulnerability, you didn't tell the Navy about that. You didn't tell NSA, you didn't tell the Army.
Everyone kept that capability to themselves, because it was something that you could have, and once you shared it with the Navy, they might use it and then you couldn't use it yourself within the Air Force. So it really looks like it was quite a bit hoarded. To try and fix this, NSA started an Information Operations Technology Center, probably around '97 or '98 it looks like, to try and share capabilities. Now they were talking about this toolkit that probably was more about exploits than vulnerabilities, but of course I'm sure it would have included both.

So there's nothing from the White House on this point up until July 2002, when they came out with a classified National Security Presidential Directive, NSPD-16, still classified, and it asserted the presidential authority to get involved in this process. So if you hear someone that says the government doesn't know what they're doing on offense, that there's no policy to coordinate this: no, it's actually quite an old policy. It's almost 15 years old. And I've talked to some of the folks involved. They said they don't remember it really dealing with vulnerabilities. I don't think vulnerabilities featured very much in that. It seems like it was more about coordinating operations. So again, prior to 2010, there doesn't seem to be any US government-wide policy or process to handle this.

Even if there wasn't anything government-wide, there definitely was within NSA. They called it their equities process. It was based on their intel gain/loss assessments, if any of you know intelligence. You know, are US interests going to be better served if we give this to the vendor or if we keep this to ourselves? But the decision was entirely up to the Director of NSA. He didn't have to ask anyone else in the US government. He didn't have to get advice, from what we know of it. It doesn't seem like there was anyone outside of NSA that was part of this. There was no way to get anything in.
They're more likely to keep it. This phrase kept coming up a lot in the research: NOBUS. More likely to keep it if no one but us is able to use this vulnerability, if it is so obscure. So my favorite example of NOBUS, since we're in Vegas, is, what was it, Ocean's 13? You know, when Brad Pitt, they hack the jackpot machine, and you have to drop the coins in a certain manner to make the thing jackpot. That's a "no one but us." No one but the Ocean's 11 gang would have known that you have to drop the tokens into this machine in a certain way. That's kind of what we mean by NOBUS. It's difficult to access. It's really obscure. It's difficult to discover, really difficult to try and exploit. Now I assume, but I don't know, that the other agencies that like to keep vulnerabilities had their own internal process. I assume CIA and Justice did, but we haven't been able to discover that yet.

So where things really kick off is in 2010. And we know this now because of the documents from the EFF. And by the way, you'll see I've got FN2 up there. I've got all the footnotes at the very end of the talk. I'm going to leave my references up there so that you can take a photo if you're interested in following up on the references. So now you finally had this document that came out in 2010, from the Office of the Director of National Intelligence I believe, that laid out: here's the process. NSA can still run it, but you've now got a formal process in Washington, D.C.; they call it the interagency process, by which others need to be brought in if they're going to have an equity in this issue. So this is what that process looked like. This was what was in place from 2010 to 2014. Note at the top "the government or its contractors," and I think that's a nice loophole that they were taking out there to include contractors. "Find something that's newly discovered and not publicly known." So all of these are key phrases in there.
NSA is the executive secretariat. This is good for us, because it's NSA IAD, which is the defensive side of NSA. It wasn't being run by TAO, which was the offense, the espionage part of NSA. So that it's being run by the defenders is actually a good sign that things were going in the right direction. It would go to an equities review board, which would have the senior people on it, and they would be the ones that would make the final decision based on the recommendations from the subject matter experts. They would make the decision whether to disclose to the vendor or retain for their own purposes. Now, there was an appeals process, but it was redacted. So it's tough to know exactly what the appeals process was going to be. So, as much as I like this, this is a decent process. If you're going to implement this in your organization, it's not a bad way to do it. At least it's relatively well laid out. You can in fact flowchart it, and it does include people outside of the agency in question. So as a policy guy, this is okay.

It turns out it looks like it wasn't really ever fully implemented. So this came out in 2010. Footnote three there is from one of my former colleagues that had been at the White House during this time. He said it became dormant; that NSA ran their own internal process and didn't formally include the outside agencies as much as we would have wanted. Footnote four is from the current head of the cyber directorate at the NSC, a guy named Michael Daniel. So he's the president's top cyber advisor. He looks at both defense and some offense. And he said this policy at this time wasn't fully implemented. So they reinvigorated it in 2014. I'll talk about that reinvigoration in a second here. And it looks like this decision to reinvigorate might have been in part driven by Stuxnet, by the discovery that Stuxnet used so many Microsoft zero-days as well as Siemens vulnerabilities.
So if you remember, I talked about that tension between the bureaucracies. If this is true, then I think this might have been one of those places where you were seeing this tension in the bureaucracies. The way I imagine it, and again I haven't found evidence on this, this is just in my mind, you can imagine these defensive bureaucracies like DHS or Treasury or Energy or Commerce saying, holy crap, we just did what with Stuxnet? We didn't know about that. You were keeping all of these, and now my agencies are having to deal with this; we need to try and fix this. And so this tension within the bureaucracy is an important point. I think it might have been an important point here, but I'm also going to bring it up later on, because what we don't see today is that tension. We don't see this disagreement, and that lack of evidence is very interesting to me.

Okay. So after the Snowden revelations, President Obama put together a senior review group, including people like Dick Clarke and others that understand our field somewhat well, to say, all right, what are the recommendations that we can make to look at intelligence and other ways based on these Snowden revelations? One of those recommendations, recommendation number 30, was: we need a default disclosure policy and we need a better process. Obama accepted those recommendations in January 2014, saying, one, disclose by default. So the president signed off on this piece of paper that said the US government policy is that when we get a vulnerability, my intent is that it will be disclosed to the vendor, and if you don't want to disclose it, if you want to retain it, then it's up to you to prove why that's a good idea. Such public policy defaults are really important, because now you know the president's intent and it's up to the other agencies. You can't say, well, we didn't know what the president wanted. You can, but it becomes a lot, lot tougher.
Also what the president did was say this stuff is too damn important to leave to any one agency. So we're going to bring it into the White House. This can't be decided just at NSA anymore. This now has to be run out of the NSC, the president's National Security Council. We learned a little bit more about this, and I'll go through that process; I'll put a slide up that has that flow chart in a second. We learned a little bit more of this in congressional testimony from Admiral Rogers when he was up for, I think it was, confirmation as CYBERCOM commander in March 2014. This is the first time we really learned about this disclose-by-default policy, in his testimony. We didn't know in the community about Obama's decision until he talked about it here. I also thought it was interesting, you can see the bits I highlighted subtly there: NSA has always employed that principle, he said. He did a decent job of talking a little bit about that process, and highlighting it's not just software vulnerabilities but hardware vulnerabilities as well. And that if they do decide to retain it, they attempt to find other ways to mitigate the risks. So for example, if you're going to try and retain it, maybe you use more significant collection to see if anyone else is finding this bug, and if someone else finds the bug then you'll decide to tell the vendor.

And so this was really interesting for us. And it helps, as a policy guy: what people tell Congress usually matters. Because usually if a congressional staffer thinks the person is full of it, they'll go through and they'll leak, saying, look, they testified this, but we know the truth is different. And we didn't get any of that out of this kind of testimony. So I want to really repeat this, because as a policy guy this was incredibly important to me.
The White House policy is to disclose to vendors. And you can scoff, and I'm okay with that. But for a policy guy, that's about as strong as it gets. The president himself made this decision. And he didn't just make the decision; he said I will have my personal people that are beholden to me, at the National Security Council staff, review this. And so again, it can get stronger, but this is really strong in Washington, D.C. terms. But when this was coming out, there were some exceptions that struck us. And people like Kim Zetter and others talked about these, saying, well, yeah, the default policy is to disclose, but if you carve out exceptions for national security and law enforcement, what the hell have you done, right? Those are exceptions that you can drive a truck through. So really I was extremely skeptical at this stage, because we know, I mean all of us have seen, what happens when you've got that kind of exception, what the intelligence community can do with it. They're going to play it to the edge.

But we did get three more breakthroughs that really made a significant difference in understanding those exceptions. One, Heartbleed. So a Bloomberg reporter wrote a story that said NSA knew. He had some confidential sources that said NSA knew about Heartbleed. And that story came out. A couple of days later, David Sanger at the New York Times reacted to that story, and he was able to get the NSA to publicly deny the Bloomberg story. This was unprecedented, to get an intelligence community agency to talk on the record about an intelligence collection capability. They would always sit back and say we will not confirm or deny, because they don't want to get in this place. It was stunning that NSA came out and said, look, we had no idea about this. And I suspected they wouldn't have kept this one, for reasons we'll talk about in a second. They came out and said we didn't know about this.
You see the IC on the record, so the Office of the Director of National Intelligence came out and said we did not know about this. The Bloomberg story is false. Or they didn't talk to the right folks. Seventeen days after that Bloomberg story breaks, we really get a fantastic set of information. This White House cyber guy, the president's cyber advisor, publishes a blog on WhiteHouse.gov that says we didn't know. And moreover, he really gives us insight into what they do and how they operate within the White House. He lays out these decision criteria. How much is it used? How bad is the vulnerability that's not patched? How much harm could they do to us? If someone was using this vulnerability against us, how likely is it that we would know ourselves? If we really need this vulnerability for intelligence, I mean, is this something that we need to know if Russia is planning a secret nuclear strike on us? Or is this just kind of a routine kind of bug that might not be that useful? This number six is really important to me, for reasons I'll come back to: could we use it for a short period before we disclose it? To me, that's an important one we'll come back to. And has anyone else found it, and can this get patched?

Now, that strikes me as a pretty decent way of going about this. It's not a bad analytical way of saying, what are the important questions that we need to answer? What's the process by which we're going to try and get answers to these? So again, as a policy guy, I read this. I was floored that the White House was willing to talk about this in this much depth, and I was very pleased that I couldn't think of any additional questions to add in here. So it seemed to me to be a decent way of going about it.

The second breakthrough. I don't know if EFF is here, but thank you. EFF did a fantastic job doing a FOIA request and follow-up lawsuits for some of these key documents on the Vulnerabilities Equities Process.
And so, footnote two, you can go look at these documents again. Maybe you come to different conclusions than we did. You can see from that one it's decently well redacted, but still we were able to get a lot of details on the process thanks to EFF.

Breakthrough number three. NSA came out with some more information on 30 October, and they said 91% of vulnerabilities that went through the internal NSA process, over the history of the NSA process, were disclosed to the vendor. And out of that 9% that's the remainder, that includes at least some that the vendor discovered before NSA had a chance to disclose. And that's historically, including all of the vulnerabilities at least back to 2010, not 2020. And now, this is only NSA; this isn't all the US government vulnerabilities, this is just within the NSA process. But again, we're starting to really see a lot of transparency that was coming out of the government on this. But I know a lot of you are saying: 91%, how can we know 91%? How can we know any of this is true? So in the next part we'll start getting into these assessments, and can we really know if any of this is true? Can we prove what they're saying? Can we disprove what they're saying?

So from 2014 to present, this is what it looks like. The parts highlighted are the parts that have changed since the previous version of the slide. So the top yellow one: now that equities review board is run by the White House. Also, the way to appeal is much clearer, because once it's in the White House, everybody understands the rules of appealing. If you don't like what happened at this level, it can go up to the next big level, which would be a deputies committee. So that would be the Deputy Secretary of the Treasury, Deputy Secretary of Defense, Deputy Secretary of DHS. And this deputies committee is where the real decisions get made.
And so if you think a decision went against you at the ERB either way, you can say, you know what, I've got a beef with this, I'm going to take it to the deputies. That's the same way you appeal anything that's a national security or homeland security decision. So all of a sudden it became a lot clearer what that appeals process was going to be. So what we learned: it applies to all feds and contractors, all vulnerabilities whether discovered or bought. This does not apply to vulnerabilities that were known prior to the policy coming out. So that's an interesting loophole. The new process is owned by the White House. And then again, kind of a subtle inside-the-Beltway point: I was pleased that this was being run by the cyber directorate, because they are predominantly a defensive shop. This wasn't being run, for example, by the intelligence part of the NSC or the defense part of the NSC. If it were either of those, then they would probably have a little bit more bias to want to retain these things for government use. Because it was cyber, we're going to see much more of a balance.

So what don't we know? What didn't we know from the breakthroughs? I'm going to touch all five of these. FBI versus Apple. By my reading of the policy, as a former White House guy, FBI should have had to submit the iPhone 5 vulnerability. Based on those Michael Daniel criteria that we talked about, those eight or nine elements, it certainly seems to fit. It's certainly widespread. We can certainly imagine others using these. FBI ended up claiming contractual IP restrictions. Officially, FBI only bought the use of the tool, for about a million-ish dollars, the reporters said. Because they don't actually know what the vulnerability is, they therefore cannot submit it. Because they don't know. To me, it seems to contravene pretty direct presidential guidance.
So I'm going to be very curious to see if the White House is going to revamp the process to try and say that you can't do this kind of exception, this kind of end run. Just one side note: a few months ago, FBI did inform Apple of another vulnerability, and they used this entire VEP process to go about and do it. And by the way, I've got a bet with a buddy. He put it up on Lawfare. I said that Apple would know within a year about the vulnerability. My buddy said no way Apple is going to know about this vulnerability in a year. So I've got dinner riding on that.

Okay. The big question. The moment you've all been waiting for: how many do they actually retain? And this was the real thing that I think got my students excited about doing this, to try and answer this question. This is what you've waited for. Not hundreds or thousands. This is prior to the reinvigorated policy. I've got moderate confidence that in the period up to 2014, they were probably keeping dozens. Not hundreds, not thousands, not more than that. So here's the evidence, here's how we got there. But I've only got moderate confidence. To me, one of the most important things in this was the revelation that NSA had a budget of 25.1 million for covert purchases of software vulnerabilities. I'll walk through this 25.1 and what that meant for me. So let's unpack that. What does 25.1 maybe buy you? So I made some assumptions. If I had a budget like that for buying vulnerabilities, I don't think I would buy a bucket of bugs. I'm not just going to go out there and find simple ones that I can kind of discover myself. I assume that there was probably going to be some purchase of non-commercial bugs; I'll talk about that in a second. I would suspect that they would tend towards higher-value vulnerabilities rather than less expensive ones. And that the 91% number NSA came out with was roughly accurate.
And I'll talk about that right here. So can we believe 91%? Dickie George, who is the former technical director of the defensive side of NSA, the Information Assurance Directorate, gave an interview and he said retaining was very rare during his time, and he'd been doing it for over 15 years. I showed these slides to the former director of NSA, General Hayden. He came in and said, yes, this all seems consistent with my time there. Seems consistent with my experience that we took defense very seriously. But keep in mind, this only applies to NSA. To really try and prove or disprove this, I think you'd have to go out and try and talk to vendors and find out how many vulnerabilities NSA actually tells them. And that was well out of scope of what we could do here. If you really want to go after it, I think you've got to try and go to the vendors and get the actual numbers. So for right now, I'm going to take 91% as accurate-ish. It's tough for me to get anything real tight on it to prove it. I can't yet disprove it either.

So here are two examples of what you might do with 25.1. You might buy 250 important commercial vulnerabilities at 100K each. If you assume 91%, you end up with about 25 of those. If you assume that maybe CIA and Justice were getting similar numbers, you discover about similar numbers. You end up with 75. If we're off by a factor of three on this, then you end up in the low hundreds, with 225 retained. So it puts us into hundreds, but I couldn't get into thousands of vulnerabilities doing this. I think then, based on this, dozens seems okay, maybe low hundreds. But to me, this is a little bit too simplistic a version of what you might do with 25.1 million dollars to buy bugs. So example number two. I imagine we'd buy 12 critical commercial vulnerabilities for a million, five critical non-commercial for a million. If NSA could buy access to a Russian air defense missile system for a million dollars, good luck to them. I hope they're able to do that.
Other major vulnerabilities for 250K. If we assume 91%, that gives us five retained. Assume other agencies, ones that they discover. We end up with 15. Again, even if we're off by a factor of three, we're in this middle-dozens kind of area on how many before the new policy. So you can see why I'm only moderate confidence on this. There's not that much to go on. On one hand, we've got people that say this is very rare; we defaulted towards the defense, 91%. On the other hand, we've got some evidence like this, like 25.1 million. So that was prior to 2014.

We've got much stronger evidence today on how many they retain. Right now it looks like single digits. I couldn't believe this. Everyone I talked to imagined that it was far higher than that. People that had been White House, people that had been Department of Defense and Pentagon officials, all assumed, like you did, it was hundreds if not thousands. And I actually have pretty high confidence in that assessment. Press reported earlier this year that the White House reviewed about 100 and only kept two. One of my colleagues that was former White House during this time, in his blog on Apple v. FBI, referenced this. That matters to someone, right? If someone that probably knew the process pointed to a reference in another news source, to me that's a good sign that we're on about the right track, that an insider was referencing this. Dickie George, this guy that was the NSA official responsible, said it was about three or four per year. I was at NSA in August 2014. I had the TAO and the IAD tech directors in the room, and they said, up to this point this year, we have retained none. Now that was about eight or nine months into the new policy. And I get told to my face it was none. So that's interesting. But we wanted to say, can we prove or disprove that? So this is what journalists say. This is what others say. This is what executives in it said.
But can we prove it, or even better, can we disprove it? So one, I'm not seeing that tension between bureaucracies here. No one is coming out and saying, no, this is BS, the intelligence community is going around the vulnerabilities equities process. We're not seeing that kind of evidence right now that it seems has happened in the past. Two, it looks like there were only about 50 total zero days last year. So to me, a number for the U.S. government that's in single digits or maybe low double digits seems reasonable. If NSA is keeping hundreds or thousands, it doesn't seem right that we would only be discovering 50 per year when we've got so many people looking. And that's from every source: from what all these Russian groups are keeping, from what all the China groups are keeping, from what all the red teamers are using. So to me, if we only found about 50 in the wild, single digits sounds about right.

Again, we tried to go into the National Vulnerability Database and see if we could see any statistical anomalies, of the government starting to release more vulnerabilities into the system. The NVD was terrible; we couldn't figure out anything. That is probably impossible. Again, we didn't see any; we just couldn't. We tried to find conflicting evidence. We tried to say, prove us wrong. You know, we sent it to the EFF, we sent it to others. No one came back with anything that was significant, other than modest changes to the slide.

The last one we went in on was a little more worrying. We said, can we figure out the total number of government vulnerabilities disclosed? Dickie George said they discovered about 1,500 a year. If you apply the 91 percent to that, that probably puts you in the dozens case, but he might have been talking about the process before it was reinvigorated in 2014. So to me that's probably supporting evidence for the dozens. He also said that they only retain three or four a year.
And again we tried to go in and disprove. How large is the arsenal? Moderate confidence that we're talking about dozens. We haven't done this fully, we didn't have the time to really do this, but you can do a Drake's equation, right? If you were going to say how big is the arsenal, these are the factors that you would have in that equation: How many did they keep? How long have they been keeping? How many did they burn per year? How many got discovered by vendors or by other bad guys? What's the shelf life of a bug? When I went through this I got somewhere around 50 or 60. Again, if we really tried to do this in depth you might come up with a different answer.

This quote on the bottom is from Michael Daniel, the president's cyber advisor. I was talking yesterday with Dark Tangent and he gave me an idea that we hadn't even thought of before. We actually kind of know: there had been a revelation about what TAO's capabilities were. And so I added this last night. It looks like the NSA book of capabilities had 50 pages that each had one capability in it. So I thought that revelation was going to be something that disproved that it was in the dozens. And it ended up being right smack in the middle of where our guess was. Now again, that was a book about capabilities, not exploits. But to me it was really fascinating that it ended up in exactly the same place. I thought I was going to have hundreds.

Okay. Other nations: there are about 30 other nations that have this. The UK is the only one that's even talked a little bit. So love or hate the US government, we're the only ones that have been anywhere near this transparent.

Okay. Other research questions? So as others get involved in this, how can we know our agencies' capabilities? How can we know our agencies are really submitting all their vulnerabilities?
Can agencies use the vulnerability while it goes through the process? That criterion from Michael Daniel said, he asked, can we use this for a little bit? That leads me to believe they may not be doing that, but we haven't found a great answer for that. Can we find any more direct measurement? And most importantly, what is the next president going to do? Because this is just done by this president, and the next president can come in with their own.

Okay. Recommendations. Two former White House officials, Rob Knake and Ari Schwartz, did a fantastic set of recommendations. They did a report on this process that was very helpful for us. Right now there's no role for Congress in this. Right now this is just a policy. That can be stronger; it can be an executive order or presidential directive. Right now, once it goes through the process, is it reviewed again? These guys said, let's take a look at that. Let's look at what the watchdogs can do, like the inspector general or the Privacy and Civil Liberties Oversight Board. I would add to that, mandating no use of this vulnerability until it's gone through the process. It doesn't seem like it's specified. We need to add that. And I just think we need other countries, especially other democracies like Great Britain, to get involved and give their process, like the Netherlands, Australia. There are great democracies that aren't talking.

Recommendations for the rest of us. Normally in warfare, if one side disarms themselves, all they've done is disarm themselves. If the U.S. said we're not going to have nuclear weapons, everyone else has nuclear weapons; we haven't changed. This is the one area where you can disarm governments, because once that information goes to a vendor, everybody is disarmed. So if you're out discovering vulnerabilities and you want to disarm governments around the world, make sure you're telling the vendor, and follow up if they're not listening to you.
I think we need more attention on this question amongst the researchers, and more FOIA. So we covered these four areas. I think it's a pretty decent process on disclosing or retaining, but there are definitely some improvements that we can come up with. I'm going to give you a little bit of an example here. It seems to be much smaller than I would have ever guessed going into this. I was shocked. I assumed it was in the hundreds, and it looks like it used to be dozens and is now in the single digits. The full arsenal seems to be in the dozens, but only moderate confidence in that. And then a few areas for us to talk about. I know I might not have convinced you.
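The speaker's two budget scenarios (25.1 million dollars, 91% disclosed to vendors, other agencies retaining similar numbers, an "off by a factor of three" error bar) and his Drake's-equation sketch of the arsenal (kept per year, years of operation, burned per year, found by vendors or others, shelf life) are simple enough to write down as a small model. The block below is an added example, not the talk's or the research team's own code. The 25.1 million budget and the 91% disclosure rate are the figures quoted in the talk; the other-agency multiplier, the burn and external-discovery rates, the shelf life and the per-year retention used in the arsenal run are all assumed values chosen for illustration, and the scenario baskets reproduce the speaker's arithmetic with whole bugs rather than rounded counts.

```python
"""Back-of-the-envelope models for the retained-zero-day question.

Added example, not from the talk: reproduces the speaker's budget arithmetic
(25.1M, 91% disclosed, other agencies, factor-of-three error bar) and turns
his "Drake's equation" for the arsenal into a small stock-and-flow model.
The budget and disclosure rate come from the talk; every other parameter
value below is an assumption chosen for illustration.
"""
from typing import List, Sequence, Tuple

Basket = List[Tuple[int, int]]  # (number of bugs, unit price in USD)

DISCLOSE_RATE = 0.91          # share of discovered bugs disclosed to vendors (talk's 91%)
OTHER_AGENCY_MULTIPLIER = 3   # assumption: other agencies together retain about as many as NSA
ERROR_FACTOR = 3              # the talk's "off by a factor of three" upper bound
BUDGET_USD = 25_100_000       # the talk's 25.1 million dollar bug-buying figure


def fill_budget(budget_usd: int, unit_price: int,
                fixed: Sequence[Tuple[int, int]] = ()) -> Basket:
    """Spend `budget_usd`: buy the `fixed` (count, price) items first, then as
    many bugs at `unit_price` as the remainder allows (whole bugs only)."""
    remaining = budget_usd - sum(n * p for n, p in fixed)
    if remaining < 0:
        raise ValueError("fixed purchases exceed the budget")
    return list(fixed) + [(remaining // unit_price, unit_price)]


def retained_from_basket(basket: Basket,
                         disclose_rate: float = DISCLOSE_RATE,
                         agency_multiplier: int = OTHER_AGENCY_MULTIPLIER,
                         error_factor: int = ERROR_FACTOR) -> dict:
    """How many bought bugs survive the equities process, for one agency,
    for all agencies, and with the talk's factor-of-three error bar."""
    bought = sum(n for n, _ in basket)
    kept_nsa = bought * (1.0 - disclose_rate)
    kept_all = kept_nsa * agency_multiplier
    return {
        "bought": bought,
        "spent_usd": sum(n * p for n, p in basket),
        "kept_nsa": kept_nsa,
        "kept_all_agencies": kept_all,
        "kept_upper_bound": kept_all * error_factor,
    }


def arsenal_size(kept_per_year: float, years: int, burn_rate: float,
                 external_find_rate: float, shelf_life_years: int) -> float:
    """Simulate the stock of retained bugs year by year.

    Each year a cohort of `kept_per_year` new bugs enters. Every existing bug
    leaves the stock if it is burned in an operation (`burn_rate`), found by a
    vendor or another party (`external_find_rate`), or ages past
    `shelf_life_years` (patched or obsolete). These are the factors the talk
    lists for its Drake's-equation estimate.
    """
    survive = (1.0 - burn_rate) * (1.0 - external_find_rate)
    cohorts: List[Tuple[int, float]] = []  # (age in years, bugs still live)
    for _ in range(years):
        aged = [(age + 1, n * survive) for age, n in cohorts]
        cohorts = [(age, n) for age, n in aged if age < shelf_life_years]
        cohorts.append((0, float(kept_per_year)))
    return sum(n for _, n in cohorts)


def arsenal_steady_state(kept_per_year: float, burn_rate: float,
                         external_find_rate: float, shelf_life_years: int) -> float:
    """Closed form of the same model once the programme is older than the shelf life."""
    survive = (1.0 - burn_rate) * (1.0 - external_find_rate)
    return kept_per_year * sum(survive ** age for age in range(shelf_life_years))


if __name__ == "__main__":
    # Scenario one from the talk: everything spent on 100K bugs.
    one = retained_from_basket(fill_budget(BUDGET_USD, 100_000))
    # Scenario two: 12 critical commercial and 5 critical non-commercial at 1M
    # each, the rest on 250K bugs.
    two = retained_from_basket(
        fill_budget(BUDGET_USD, 250_000, [(12, 1_000_000), (5, 1_000_000)]))
    for name, r in (("scenario one", one), ("scenario two", two)):
        print(f"{name}: bought {r['bought']}, NSA keeps ~{r['kept_nsa']:.0f}, "
              f"all agencies ~{r['kept_all_agencies']:.0f}, "
              f"upper bound ~{r['kept_upper_bound']:.0f}")
    # Arsenal: a dozen kept per year, 10% burned and 10% found by others each
    # year, eight-year shelf life (all assumed), after a decade of operation.
    print(f"arsenal after 10 years: ~{arsenal_size(12, 10, 0.10, 0.10, 8):.0f}")
```

The point of the arsenal model is that the stock saturates: once the programme has run longer than a bug's shelf life, adding years changes nothing, and the steady-state size is just the yearly intake times a geometric sum over the survival rate. With the assumed inputs above the stock lands near 50, in the same region as the speaker's own rough pass, and the same code makes it easy to see how far the burn rate or shelf life has to move before the answer reaches the hundreds.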