Threat Intelligence

10:30 AM
Nir Gaist
Nir Gaist
Connect Directly
E-Mail vvv

To Stockpile or Not to Stockpile Zero-Days?

As the debate rages on, there is still no simple answer to the question of whether the government should stockpile or publicly disclose zero-day vulnerabilities.

In the post-Snowden years, there has been a fair amount of discussion about the federal government's efforts to weaken encryption standards, introduce backdoors in commercial software, and hack into commercial organizations for the purpose of data collection. High-profile efforts by federal agents to gain access to an iPhone used by the San Bernardino shooters and an ensuing, albeit short, court battle with Apple has made the encryption issue a dinnertime conversation.

What has received less attention is the government's use and stockpiling of zero-day exploits. Until recently, the relevant discussion was mostly focused on the process surrounding the vulnerability review. A recent RAND Corporation study introduces academic research on the zero-day stockpiling versus disclosure debate.

The term "zero-day vulnerability" refers to the fact that developers have zero days to address and patch a previous undiscovered vulnerability. To take advantage of such a vulnerability, an exploit needs to be created. The government's use of zero-day exploits has exploded over the last decade, feeding a lucrative market for defense contractors and others who uncover critical flaws in the software (and hardware), and sell information about these vulnerabilities to the government. For example, the infamous Stuxnet, a digital weapon used to attack Iran's uranium enrichment program, used four zero-day exploits to spread.

The argument in favor of stockpiling is that the discovery of zero-days is a costly process, but when successful, gives the government an asymmetric advantage versus our adversaries, allowing for practically undetectable intelligence gathering and even the ability to disable or sabotage opponents' infrastructure.

On the other hand, there is a chance that other parties (including our adversaries) have discovered the same zero-day and could be using it against our governmental and commercial entities. This is the argument in favor of disclosure, which allows affected vendors to patch the vulnerability.

The Disclosure Debate
Almost five years ago, in the wake of Edward Snowden's leaks, President Obama convened a presidential advisory committee to develop a set of recommendations for how to strike a balance between protecting national security interests, advancing the administration's foreign policy agenda, and respecting citizens' privacy and civil liberties. The resulting 308-page report issued by the panel included 46 recommendations, including the topic of zero-day disclosure. Recommendation 30 of the report states, "US policy should generally move to ensure that zero-days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks." The report continues, "In rare instances, US policy may briefly authorize using a zero-day for high priority intelligence collection, following senior, interagency review involving all appropriate departments."

It is clear that the panel's recommendation favors disclosure. In response, the government stated that "there is a [zero-day review] process, there is rigor in that process, and the bias is very heavily tilted toward disclosure."

However, when in April 2014 a new vulnerability dubbed Heartbleed appeared, Bloomberg News reported that the NSA "knew for at least two years" about the flaw and "regularly used it to gather critical intelligence." Note that the NSA has denied the allegation.

In August 2016, a group calling itself Shadow Brokers released a cache of cyber exploits almost certainly belonging to the NSA. Several were zero-days. Worryingly, these vulnerabilities were in security products produced by Cisco, Juniper, and Fortinet, among others, each widely used to protect US companies and critical infrastructure, as well as other systems worldwide. And those leaks were followed in 2017 by the zero-day leveraged in the crippling WannaCry.

So, did the government take the recommendations of the panel to heart? Should it?

US Director of National Intelligence Dan Coats compares the situation around cyberattacks targeting the United States infrastructure today to the months before September 11, 2001, noting, "Here we are nearly two decades later, and the warning lights are blinking red again." With that in mind, it would seem that a confidential stockpile could be invaluable for conducting reconnaissance and offensive campaigns, especially against state-sponsored cyberattackers.

On the other side of the spectrum is the commentary from Joe Nye, the veteran national security scholar, who suggested "...if the United States unilaterally adopted a norm of responsible disclosure of zero-days to companies and the public after a limited period, it would destroy their value as weapons — simultaneously disarming ourselves, other countries, and criminals without ever having to negotiate a treaty or worry about verification. Other states might follow suit. In some aspect, cyber arms control could turn out to be easier than nuclear arms control."

Stockpiling Pros & Cons
The question of whether the government should stockpile or publicly disclose zero-days is a difficult one, and the answer is not a simple "yes" or "no." Enter the RAND Corporation's fascinating report, "Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits." It reveals that zero-day exploits and their underlying vulnerabilities have a 6.9-year life expectancy, on average. That's 2,521 days after the initial discovery, with 25% of those zero-days surviving for more than 9.5 years.

Not only can zero-day exploits enjoy long life spans, but when a vulnerability is discovered, it can be put to work very quickly. When it comes to the time required to create an exploit, RAND found that almost a third are developed in a week or less, with the majority being developed in approximately 22 days.

Most importantly, the report does a deep dive into the issue of stockpiling and hypothesizes that if zero-day vulnerabilities are very hard to find and/or the likelihood of stumbling across the same vulnerability that was discovered by the other party is low, then it makes sense to stockpile. The research estimates that approximately only 5.7% of zero-day vulnerabilities are discovered by an outside entity per year. Hence, the "collision" rate, or the chance of the same vulnerability being discovered independently by multiple parties, is quite low. For that reason, stockpiling rather than disclosing may be beneficial for offensively focused entities.

Still, the 2013 presidential advisory committee's report referenced above counters RAND's conclusion: "In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection. Eliminating the vulnerabilities — 'patching' them — strengthens the security of US Government, critical infrastructure, and other computer systems."

Which part of the stockpile or disclosure debate are you on? Share your thoughts in the comments.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Nir Gaist is a senior information security expert, ethical hacker, and a gifted individual. He started programming at age 6 and began his studies at the Israeli Technion University at age 10. Nir holds significant cybersecurity experience after serving as a security ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/30/2018 | 6:40:30 AM
Same old same old
In no way should any government , and especially ours, be trusted with something like ZDE's or private crypto keys.  Want proof?  Go back 100+ years and look at guns.  FBI agents and most other federal authorities could not carry guns, mostly because the founders of this republic knew they could not be trusted and for the most part, we had a VERY law abiding society.  It literally took an act of Congress to give them permission to do so and the result is what we have today.  Darn near any federal authority can carry a gun but citizens have to suck it up, and in some places beg, to even purchase a gun.  See the parallel?  If you don't your grandchildren or great grandchildren will, should our country stand that long.  Yes, I'm an old man if you need to know and yes, I understand the concept of the camels nose in the tent.  Do you?
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: New camera 2FA closed loop!
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-12-11
jaxb/ in Pippo 1.11.0 allows XXE.
PUBLISHED: 2018-12-11
An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. There is a stack-based buffer overflow allowing remote attackers to execute arbitrary code without authentication via the goform/formLanguageChange currTime parameter.
PUBLISHED: 2018-12-11
An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. goform/formSysCmd allows remote authenticated users to execute arbitrary OS commands via the sysCmd POST parameter.
PUBLISHED: 2018-12-11
In Evernote before 7.6 on macOS, there is a local file path traversal issue in attachment previewing, aka MACOSNOTE-28634.
PUBLISHED: 2018-12-10
Mishandling of an empty string on the Jooan JA-Q1H Wi-Fi camera with firmware allows remote attackers to cause a denial of service (crash and reboot) via the ONVIF GetStreamUri method and GetVideoEncoderConfigurationOptions method.