Daily Bulletin

'Zero-day' stockpiling puts us all at risk

  • Written by: The Conversation
Once a software maker learns about a "zero-day" vulnerability, there's usually no time left to fix it. Midnight via www.shutterstock.com

“Zero-days” are serious vulnerabilities in software that are unknown to the software maker or user. They are so named because developers typically find out about the security vulnerability only on the day it is first exploited, meaning they have had “zero days” to fix it.

These vulnerabilities can be found in some of the most widely used software and platforms on the commercial market: Adobe Flash, Internet Explorer, social networks (Facebook and LinkedIn, to name two) and countless others.

The recent dump of emails from Hacking Team sheds new light on the extent of government involvement in the international market for zero-days. Rather than disclosing these vulnerabilities to software makers, so that they can be fixed, government agencies buy and then stockpile zero-days.

This practice and the policy that permits it expose billions of internet and software users to serious and unnecessary cybersecurity risks. A number of solutions to this problem are available, but first let’s take a look at the zero-day market.

The growing market for zero-days

Knowledge of the existence of zero-days is valuable to criminals and intelligence agencies alike. They pay lots of money to learn about these vulnerabilities and then develop exploits (or simply purchase the exploits) to circumvent the information security of their targets.

Among other techniques, the hackers that breached Sony Pictures Entertainment and the Office of Personnel Management (OPM) exploited zero-day vulnerabilities to pull off these large-scale hacks.

This has become serious business. The international market for the buying and selling of zero-day vulnerabilities comprises three overlapping markets: “black,” “gray” and “white.”

Sellers in the black market include freelance hackers and organizations. Buyers include criminals and criminal organizations. Given the underground nature of the market, there’s no telling how many vulnerabilities are bought and sold on the black market. Roy Lindelauf, a researcher at the Netherlands Defence Academy, believes that more than half of exploits sold are now bought from bona fide firms rather than from freelance hackers, suggesting that the black market is not the biggest of the three interlinked markets.

The second market is “gray” in the sense that it is legal though unofficial and unregulated. Nation-states historically have had a monopoly over buying in the gray market. They include Brazil, India, Israel, Malaysia, North Korea, Russia, Singapore, the United Kingdom, the United States and many more. Defense contractors such as Northrop Grumman and Raytheon are also thought to be buyers and/or sellers.

Firm estimates of the size of the gray market are difficult to make. The National Security Agency (NSA) in the United States is considered to be “the best, surest zero-day acquirer … in truth, a really insatiable one,” according to a Hacking Team email indexed by WikiLeaks. It spent US$25 million in 2013 to procure “software vulnerabilities” from private malware vendors. One source suggests that the average price for a zero-day ranges from $40,000 to $160,000, implying that $25 million might buy anywhere from 156 to 625 vulnerabilities.

The third market, the “white” market, is also legal. Its buyers include software makers such as Facebook, Google, Microsoft and LinkedIn. Software makers offer a sum of money, often called a “bug bounty,” to anyone who finds a vulnerability in their software and discloses it to them.

There are also platforms that connect dozens of software makers with security researchers and experts. They promise a commission to those who disclose vulnerabilities to software makers through the platform. iDefense and TippingPoint were two early companies in this space. New companies have joined the scene, such as HackerOne, which recently raised $25 million in venture capital.

Bug bounties are a novel solution to the problem of zero-days: rather than leaving skilled researchers with only the option of selling or exploiting a vulnerability, pay them to find and disclose it so that the software maker can fix it, thereby improving overall cybersecurity.

The amounts paid through bug bounty programs can be significant. In all markets, prices tend to be determined by the type of bug and the potential for hacking use. However, the prices on the white market are not typically as high as prices on the black market, nor do the prices come close to the losses incurred by the victims of zero-day exploits.

Risks of government stockpiling

While many government agencies are buyers in the global gray market for zero-days, almost no countries have an explicit policy stance toward what they do with the bugs that they buy.

In the US, some details of the official policy toward disclosure of zero-days have been made public. Former NSA Director Gen. Keith Alexander has stated that the agency uses zero-days “for defense, rather than … for offensive purposes.” President Barack Obama’s view, according to his advisers, is that “when the National Security Agency discovers major flaws in internet security” it “should – in most circumstances – reveal them … rather than keep them mum so that the flaws can be used.” A broad exception, however, is made for a clear national security or law enforcement need.

The use of the phrase “national security” is curious considering that a policy of withholding any zero-days at all effectively puts the security of all users of the software in question – which in today’s world includes companies, government agencies and individuals – at additional risk of being hacked.

To its credit, the US has gone further than all other governments in explaining its policy toward zero-day disclosure. Australia, China, Russia and the United Kingdom have not made their stance on zero-days public at all.

The consequences of this practice – and the often-murky policies that permit it – are severe. When knowledge of a zero-day is bought and then stockpiled by a government agency, there is no guarantee that a malevolent person or organization will not independently discover (or purchase) and exploit that same vulnerability in the meantime.

By withholding knowledge of zero-days, government agencies keep all software users in a state of suspended risk. The scope of this risk is global, as the software and platforms in question are used by billions of people.

What alternatives are there?

Instead of a policy of stockpiling zero-days, and the risks that this policy entails, what alternative policies might exist?

Mandatory disclosure, or greater oversight, over the discovery or purchase of zero-days are obvious domestic alternatives to the status quo. At an international level, “voluntary collective action to harmonize export controls on zero-days through the Wassenaar Arrangement” is seen as another possible direction, particularly given that it is currently under review. This agreement was designed to control the export and import of weapons and technologies that have potential military applications.

Computer security analyst and risk management specialist Dan Geer has proposed that the US government outbid (by 10 times) every other buyer in the international market for zero-days so long as bugs are “sparse not dense” (that is, the software in question has few, not many, bugs).

If the NSA spends $25 million a year on zero-days, under Geer’s plan this would increase to at least $250 million. The NSA budget is at least $10 billion annually, with $1.2 billion spent in 2013 on offensive cyber-capabilities (in other words, state-sponsored hacking).

Given the size of these budgets, Geer’s proposal is financially possible, though it would require a serious change of official policy, starting with mandating the immediate disclosure of all bugs to software makers so that they can be patched.

Going for the root

If governments were really serious about addressing the problem of zero-day vulnerabilities, they might consider going to the root of the problem: placing liability on software makers for buggy code.

The common practice for software makers, since the 1980s, is known as “patch and pray.” In short, software makers rush a product out the door, opting to release patches for vulnerabilities later, instead of investing time and resources in additional testing and in fixing bugs (including the vulnerabilities that later surface as zero-days) before release.

The economic logic is simple. Shipping equals sales and revenue. Delaying release to test and correct bugs adds to costs. Given that the losses from faulty software fall on the user, not the software maker, there’s little incentive for the software maker to fix the bugs before shipping. It’s easier to “move fast and break things” when you don’t have to pay for the things that end up broken.

To make matters worse, users do not always promptly update their software, which is really the only defense they have. Vulnerabilities can thus persist for years after they have been discovered and patches made available.

Placing liability on the software maker for the losses due to their buggy software would completely alter these incentives. A number of approaches could be investigated in an attempt to find one that balances the need to minimize bugs, and protect users, while not smothering innovation.

Placing any kind of liability on software makers for their faulty products would take a great deal of political will, particularly in a climate where current proposals are pushing for the opposite. However, if done correctly, it would create a strong incentive for software makers to adopt more rigorous measures to reduce the number of bugs in their software. This would give a meaningful boost to the cybersecurity of billions of software users.

Paradox of cybersecurity policy continues

Government officials claim to be doing everything possible to enhance cybersecurity. Zero-days are a serious threat to the cybersecurity of individuals, government agencies and corporations.

Yet government agencies are the biggest buyers of zero-days. If they’re serious about cybersecurity, why then do these government agencies withhold knowledge of some of the zero-days that they discover or purchase?

This is yet another example of the paradox of current cybersecurity policy: government agencies tasked with enhancing cybersecurity conduct activities that result in the opposite outcome.

A clear policy of disclosure of all discovered or purchased zero-days would be a major step forward in bolstering cybersecurity internationally. Even better would be a policy that goes to the root of the problem, by allocating some liability on software makers for the losses linked to their buggy software.

Until the political will is mustered to address the problem of buggy software, including zero-days, the best that software users can do to protect themselves, unfortunately, is to follow the software makers' lead: patch and pray.

Read more http://theconversation.com/zero-day-stockpiling-puts-us-all-at-risk-45637
