Why we Should Corner the Market on Zero Days

I recently read about the US Navy’s interest in Zero Day exploits; they’d like to hire a contractor to research and develop zero days, which the Navy would (presumably) hold on to for offensive use. Every time I hear someone talk about hoarding zero days, my immediate reflex is to cover my face with my hands and shake my head. Once upon a time, this kind of thinking might have made sense (e.g., we need to build more battleships than our adversary has), but it’s an irrelevant and harmful strategy in the area of cybersecurity.

A “zero day” is a computer exploit that’s unknown to the general public, and probably unknown to the vendor that produced the computer or the software it runs. Zero days are software defects: they allow someone to make a computer behave in unintended ways, or do unintended things. They can be used to destroy data, exfiltrate data, steal secrets, or damage physical machinery the computer is hooked up to (think Stuxnet). The NSA’s Tailored Access Operations team has been working on zero days for some time, and now the Navy wants in on the action. The Navy sees potential for offensive weapons, but there’s a catch.

Let’s step back for a moment and talk about a different kind of offensive weapon — the intercontinental ballistic missile (aka ICBM). Decades ago, the US made significant research and development investments in nuclear weapons. It’s the same idea as building a bigger battleship: you have this shiny new offensive weapon, your adversary doesn’t, and this gives you some kind of (real or perceived) advantage. Of course, your adversary is going to develop shiny new offensive weapons of their own, and you’ll want to stay one step ahead. We call this sort of thing an arms race. The US spent decades in a nuclear arms race with the Soviet Union, and between the two countries, we built enough nukes to destroy the planet many times over. It was a colossal waste of money.

Well, maybe it wasn’t a colossal waste for companies that manufactured ICBMs. They probably made a killing, but I digress.

Zero days are not battleships and they are not ICBMs. They’re specific bits of knowledge, which can be developed by anyone with enough computer expertise (and any country with enough computer experts). Pick any zero day that the US is holding on to; some other country (or countries) knows about the same exploit, and they’re holding on to it too.

The recent Office of Personnel Management hacks were reportedly done with a zero day, and I’ll bet you lunch that at least one of our federal agencies knew about the specific exploit in question. (Congressional folks: if there’s ever a hearing about the OPM breach, “did we know about this exploit” would make an excellent testimony question).

Now suppose one of your zero days is discovered and fixed. Obviously you lose that offensive capability, but so does everyone else. In other words, fixing a zero day disarms your adversary. It’s pretty wild stuff: you don’t need a bilateral disarmament treaty; one nation can simply go ahead and make a unilateral decision to destroy everyone’s cyber weapons stockpile. Plugging computer security holes makes everyone safer, and this is the way computer security is supposed to work.

This is why the US should corner the market on zero days. We should buy them from anyone who’s willing to sell; we should pay top dollar; and we should work with industry to make sure they’re fixed as quickly as possible. The United States spends more on defense than the next seven countries combined; surely we have the means to corner the market on zero days.

Security buffs: this is our chance. Many of our legislators aren’t very savvy about how all this computer stuff works. We have a duty to explain it to them.