Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

10:30 AM
Nir Gaist

To Stockpile or Not to Stockpile Zero-Days?

As the debate rages on, there is still no simple answer to the question of whether the government should stockpile or publicly disclose zero-day vulnerabilities.

In the post-Snowden years, there has been a fair amount of discussion about the federal government's efforts to weaken encryption standards, introduce backdoors in commercial software, and hack into commercial organizations for the purpose of data collection. The high-profile effort by federal agents to gain access to an iPhone used by one of the San Bernardino shooters, and the ensuing, albeit short, court battle with Apple, have made encryption a dinnertime conversation.

What has received less attention is the government's use and stockpiling of zero-day exploits. Until recently, the relevant discussion was mostly focused on the process surrounding the vulnerability review. A recent RAND Corporation study introduces academic research on the zero-day stockpiling versus disclosure debate.

The term "zero-day vulnerability" refers to a previously unknown flaw for which the developers have had zero days to address and patch it. To take advantage of such a vulnerability, an exploit needs to be created. The government's use of zero-day exploits has exploded over the last decade, feeding a lucrative market for defense contractors and others who uncover critical flaws in software (and hardware) and sell information about these vulnerabilities to the government. For example, the infamous Stuxnet, a digital weapon used to attack Iran's uranium enrichment program, used four zero-day exploits to spread.

The argument in favor of stockpiling is that the discovery of zero-days is a costly process, but when successful, gives the government an asymmetric advantage versus our adversaries, allowing for practically undetectable intelligence gathering and even the ability to disable or sabotage opponents' infrastructure.

On the other hand, there is a chance that other parties (including our adversaries) have discovered the same zero-day and could be using it against our governmental and commercial entities. This is the argument in favor of disclosure, which allows affected vendors to patch the vulnerability.

The Disclosure Debate
Almost five years ago, in the wake of Edward Snowden's leaks, President Obama convened a presidential advisory committee to develop a set of recommendations for how to strike a balance between protecting national security interests, advancing the administration's foreign policy agenda, and respecting citizens' privacy and civil liberties. The resulting 308-page report issued by the panel included 46 recommendations, including the topic of zero-day disclosure. Recommendation 30 of the report states, "US policy should generally move to ensure that zero-days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks." The report continues, "In rare instances, US policy may briefly authorize using a zero-day for high priority intelligence collection, following senior, interagency review involving all appropriate departments."

It is clear that the panel's recommendation favors disclosure. In response, the government stated that "there is a [zero-day review] process, there is rigor in that process, and the bias is very heavily tilted toward disclosure."

However, when the Heartbleed vulnerability in OpenSSL surfaced in April 2014, Bloomberg News reported that the NSA "knew for at least two years" about the flaw and "regularly used it to gather critical intelligence." Note that the NSA has denied the allegation.

In August 2016, a group calling itself the Shadow Brokers released a cache of exploits almost certainly belonging to the NSA. Several were zero-days. Worryingly, the affected products were firewalls and other security appliances from Cisco, Juniper, and Fortinet, among others, each widely used to protect US companies and critical infrastructure, as well as systems worldwide. Those leaks continued in 2017 with the release of the Windows SMB exploit that, weeks later, was leveraged by the crippling WannaCry worm (Microsoft had patched the underlying flaw by then, but a great many systems were still unpatched).

So, did the government take the recommendations of the panel to heart? Should it?

US Director of National Intelligence Dan Coats compares the situation around cyberattacks targeting US infrastructure today to the months before September 11, 2001, noting, "Here we are nearly two decades later, and the warning lights are blinking red again." With that in mind, it would seem that a confidential stockpile could be invaluable for conducting reconnaissance and offensive campaigns, especially against state-sponsored cyberattackers.

On the other side of the spectrum is the commentary from Joe Nye, the veteran national security scholar, who suggested "...if the United States unilaterally adopted a norm of responsible disclosure of zero-days to companies and the public after a limited period, it would destroy their value as weapons — simultaneously disarming ourselves, other countries, and criminals without ever having to negotiate a treaty or worry about verification. Other states might follow suit. In some aspect, cyber arms control could turn out to be easier than nuclear arms control."

Stockpiling Pros & Cons
The question of whether the government should stockpile or publicly disclose zero-days is a difficult one, and the answer is not a simple "yes" or "no." Enter the RAND Corporation's fascinating report, "Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits." It reveals that zero-day exploits and their underlying vulnerabilities have a 6.9-year life expectancy, on average. That's 2,521 days after the initial discovery, with 25% of those zero-days surviving for more than 9.5 years.

Not only can zero-day exploits enjoy long life spans, but once a vulnerability is discovered, it can be put to work quickly. RAND found that almost a third of exploits are developed in a week or less, and that the median time to build a fully functioning exploit is about 22 days.

Most importantly, the report does a deep dive into the issue of stockpiling and hypothesizes that if zero-day vulnerabilities are very hard to find and/or the likelihood of stumbling across the same vulnerability that was discovered by the other party is low, then it makes sense to stockpile. The research estimates that only approximately 5.7% of zero-day vulnerabilities are discovered by an outside entity within a year. Hence, the "collision" rate, or the chance of the same vulnerability being discovered independently by multiple parties, is quite low. For that reason, stockpiling rather than disclosing may be beneficial for offensively focused entities.
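The 5.7% figure is a per-year rate, while the 6.9-year life expectancy is measured over the whole life of the exploit, so the two numbers are only comparable once you compound one over the other. The following is an added worked example, written for this page and not code from the article or from RAND. It assumes (our modeling assumption, not RAND's) that the annual rediscovery chance is constant and independent from year to year, which gives a geometric survival curve, and it also extends the single-bug case to a whole stockpile, which the article does not discuss:

```python
import math

# Figures the article cites from the RAND report "Zero Days, Thousands of Nights".
RAND_ANNUAL_COLLISION = 0.057    # share of zero-days found by an outside entity within a year
RAND_MEAN_LIFETIME_YEARS = 6.9   # average life expectancy of a zero-day exploit
RAND_LONG_LIVED_YEARS = 9.5      # the longest-lived quarter of zero-days survive beyond this


def p_still_private(p_annual: float, years: float) -> float:
    """Probability that no outside party has independently found the bug after `years`.

    Assumption (ours, not RAND's): a constant, year-to-year independent
    rediscovery chance, i.e. a geometric survival curve."""
    if not 0.0 <= p_annual <= 1.0 or years < 0:
        raise ValueError("p_annual must be within [0, 1] and years must be >= 0")
    return (1.0 - p_annual) ** years


def p_collision_by(p_annual: float, years: float) -> float:
    """Probability that at least one outside party has found the same bug by `years`."""
    return 1.0 - p_still_private(p_annual, years)


def p_any_collision_in_stockpile(p_annual: float, years: float, n_bugs: int) -> float:
    """Probability that at least one of `n_bugs` independently held zero-days has been
    rediscovered by someone else within `years`. Even if each entry is "low risk",
    the stockpile as a whole is far more exposed than any single bug in it."""
    if n_bugs < 0:
        raise ValueError("n_bugs must be >= 0")
    return 1.0 - p_still_private(p_annual, years) ** n_bugs


def expected_private_years(p_annual: float, horizon_years: float) -> float:
    """Expected number of years, out of `horizon_years`, during which the bug stays
    exclusive: the area under the survival curve, using the continuous hazard k."""
    if p_annual <= 0.0:
        return float(horizon_years)
    if p_annual >= 1.0:
        return 0.0
    k = -math.log(1.0 - p_annual)
    return (1.0 - math.exp(-k * horizon_years)) / k


def collision_table(p_annual: float, max_years: int) -> list[tuple[int, float]]:
    """Year-by-year cumulative collision probability, rounded for display."""
    return [(y, round(p_collision_by(p_annual, y), 3)) for y in range(1, max_years + 1)]


if __name__ == "__main__":
    p, life = RAND_ANNUAL_COLLISION, RAND_MEAN_LIFETIME_YEARS
    print(f"P(rediscovered within 1 year)                 = {p_collision_by(p, 1):.3f}")
    print(f"P(rediscovered within {life} years)               = {p_collision_by(p, life):.3f}")
    print(f"P(rediscovered within {RAND_LONG_LIVED_YEARS} years)               = {p_collision_by(p, RAND_LONG_LIVED_YEARS):.3f}")
    print(f"Expected exclusive years over a {life}-year life = {expected_private_years(p, life):.2f}")
    print(f"P(any of 10 stockpiled bugs rediscovered, {life} y) = {p_any_collision_in_stockpile(p, life, 10):.3f}")
    for year, prob in collision_table(p, 10):
        print(f"  year {year:2d}: {prob:.3f}")
```

Run stand-alone, the model shows why both sides of the debate can point at the same data: a single bug has only a 5.7% chance of being rediscovered in its first year, but compounded over the 6.9-year average lifetime that becomes roughly one in three, and the chance that at least one bug in a stockpile of ten has been found by someone else over the same period is close to certain. Whether that aggregate exposure is acceptable is exactly the policy question the article leaves open.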

Still, the 2013 presidential advisory committee's report referenced above counters RAND's conclusion: "In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection. Eliminating the vulnerabilities — 'patching' them — strengthens the security of US Government, critical infrastructure, and other computer systems."

Which part of the stockpile or disclosure debate are you on? Share your thoughts in the comments.


Nir Gaist is a senior information security expert, ethical hacker, and a gifted individual. He started programming at age 6 and began his studies at the Israeli Technion University at age 10. Nir holds significant cybersecurity experience after serving as a security ...
Comments
11/30/2018 | 6:40:30 AM
Same old same old
In no way should any government, and especially ours, be trusted with something like ZDEs or private crypto keys.  Want proof?  Go back 100+ years and look at guns.  FBI agents and most other federal authorities could not carry guns, mostly because the founders of this republic knew they could not be trusted and for the most part, we had a VERY law-abiding society.  It literally took an act of Congress to give them permission to do so and the result is what we have today.  Darn near any federal authority can carry a gun but citizens have to suck it up, and in some places beg, to even purchase a gun.  See the parallel?  If you don't, your grandchildren or great-grandchildren will, should our country stand that long.  Yes, I'm an old man, if you need to know, and yes, I understand the concept of the camel's nose in the tent.  Do you?