To Stockpile or Not to Stockpile Zero-Days? As the debate rages on, there is still no simple answer to the question of whether the government should stockpile or publicly disclose zero-day vulnerabilities.
In the post-Snowden years, there has been a fair amount of discussion about the federal government's efforts to weaken encryption standards, introduce backdoors in commercial software, and hack into commercial organizations for the purpose of data collection. High-profile efforts by federal agents to gain access to an iPhone used by the San Bernardino shooters and an ensuing, albeit short, court battle with Apple has made the encryption issue a dinnertime conversation.
What has received less attention is the government's use and stockpiling of zero-day exploits. Until recently, the relevant discussion was mostly focused on the process surrounding the vulnerability review. A recent RAND Corporation study introduces academic research on the zero-day stockpiling versus disclosure debate.
The term "zero-day vulnerability" refers to the fact that developers have zero days to address and patch a previous undiscovered vulnerability. To take advantage of such a vulnerability, an exploit needs to be created. The government's use of zero-day exploits has exploded over the last decade, feeding a lucrative market for defense contractors and others who uncover critical flaws in the software (and hardware), and sell information about these vulnerabilities to the government. For example, the infamous Stuxnet, a digital weapon used to attack Iran's uranium enrichment program, used four zero-day exploits to spread.
The argument in favor of stockpiling is that the discovery of zero-days is a costly process, but when successful, gives the government an asymmetric advantage versus our adversaries, allowing for practically undetectable intelligence gathering and even the ability to disable or sabotage opponents' infrastructure.
On the other hand, there is a chance that other parties (including our adversaries) have discovered the same zero-day and could be using it against our governmental and commercial entities. This is the argument in favor of disclosure, which allows affected vendors to patch the vulnerability.
The Disclosure Debate
Almost five years ago, in the wake of Edward Snowden's leaks, President Obama convened a presidential advisory committee to develop a set of recommendations for how to strike a balance between protecting national security interests, advancing the administration's foreign policy agenda, and respecting citizens' privacy and civil liberties. The resulting 308-page report issued by the panel included 46 recommendations, including the topic of zero-day disclosure. Recommendation 30 of the report states, "US policy should generally move to ensure that zero-days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks." The report continues, "In rare instances, US policy may briefly authorize using a zero-day for high priority intelligence collection, following senior, interagency review involving all appropriate departments."
It is clear that the panel's recommendation favors disclosure. In response, the government stated that "there is a [zero-day review] process, there is rigor in that process, and the bias is very heavily tilted toward disclosure."
However, when in April 2014 a new vulnerability dubbed Heartbleed appeared, Bloomberg News reported that the NSA "knew for at least two years" about the flaw and "regularly used it to gather critical intelligence." Note that the NSA has denied the allegation.
In August 2016, a group calling itself Shadow Brokers released a cache of cyber exploits almost certainly belonging to the NSA. Several were zero-days. Worryingly, these vulnerabilities were in security products produced by Cisco, Juniper, and Fortinet, among others, each widely used to protect US companies and critical infrastructure, as well as other systems worldwide. And those leaks were followed in 2017 by the zero-day leveraged in the crippling WannaCry.
So, did the government take the recommendations of the panel to heart? Should it?
US Director of National Intelligence Dan Coats compares the situation around cyberattacks targeting the United States infrastructure today to the months before September 11, 2001, noting, "Here we are nearly two decades later, and the warning lights are blinking red again." With that in mind, it would seem that a confidential stockpile could be invaluable for conducting reconnaissance and offensive campaigns, especially against state-sponsored cyberattackers.
On the other side of the spectrum is the commentary from Joe Nye, the veteran national security scholar, who suggested "...if the United States unilaterally adopted a norm of responsible disclosure of zero-days to companies and the public after a limited period, it would destroy their value as weapons — simultaneously disarming ourselves, other countries, and criminals without ever having to negotiate a treaty or worry about verification. Other states might follow suit. In some aspect, cyber arms control could turn out to be easier than nuclear arms control."
Stockpiling Pros & Cons
The question of whether the government should stockpile or publicly disclose zero-days is a difficult one, and the answer is not a simple "yes" or "no." Enter the RAND Corporation's fascinating report, "Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits." It reveals that zero-day exploits and their underlying vulnerabilities have a 6.9-year life expectancy, on average. That's 2,521 days after the initial discovery, with 25% of those zero-days surviving for more than 9.5 years.
Not only can zero-day exploits enjoy long life spans, but when a vulnerability is discovered, it can be put to work very quickly. When it comes to the time required to create an exploit, RAND found that almost a third are developed in a week or less, with the majority being developed in approximately 22 days.
Most importantly, the report does a deep dive into the issue of stockpiling and hypothesizes that if zero-day vulnerabilities are very hard to find and/or the likelihood of stumbling across the same vulnerability that was discovered by the other party is low, then it makes sense to stockpile. The research estimates that approximately only 5.7% of zero-day vulnerabilities are discovered by an outside entity per year. Hence, the "collision" rate, or the chance of the same vulnerability being discovered independently by multiple parties, is quite low. For that reason, stockpiling rather than disclosing may be beneficial for offensively focused entities.
Still, the 2013 presidential advisory committee's report referenced above counters RAND's conclusion: "In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection. Eliminating the vulnerabilities — 'patching' them — strengthens the security of US Government, critical infrastructure, and other computer systems."
Which part of the stockpile or disclosure debate are you on? Share your thoughts in the comments.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.
Nir Gaist is a senior information security expert, ethical hacker, and a gifted individual. He started programming at age 6 and began his studies at the Israeli Technion University at age 10. Nir holds significant cybersecurity experience after serving as a security ... View Full Bio