‘Zero Days,’ Collection & HoardingWhile the term ‘zero days’ is beyond basic to some, it is just coming into the view of others, so I’ll be perfectly clear about what I mean when I refer to this term. Zero days are essentially flaws in the code of operating systems, browsers and other software programs. They are incredibly valuable to an attacker because there is no technological defense against them. The status quo and what has persisted thus far is that these valuable units of information are collected and hoarded by governments. The now infamous ‘Vault 7’ leaks show just how active government agencies are at collecting and hoarding zero-day exploits. These efforts often come with quite a bill. In 2016, the FBI reportedly paid just under 1 million dollars to have the iPhone of one of the San Bernardino shooters unlocked. Even the US Drug Enforcement Agency (DEA) got into the game in 2012 with a buy-in of $575,000, including a line item for an “Exploit Portal Full Access (Zero-Day Level).”
Defending bad behaviorNow, government agencies doing this is problematic for several reasons, but to me, these actions are especially problematic given the slipping levels of trust that users place in the internet today. As shown in the newly released 2017 CIGI/Ipsos Global Survey on Internet Security and Trust, user trust in the Internet, governments and online companies is already fraying at the edges. The hoarding of vulnerabilities that effectively make everyone else less secure will only exacerbate this declining level of trust, creating disastrous effects for the digital economy. This is best shown in this year’s survey, a report which shined a light on areas like e-commerce where 49 percent of users cited a lack of trust as the primary reason that they do not shop online. This being said, there are some defensible reasons why governments might want to collect and at times use zero-day exploits. For one, organizations such as the NSA might need access to zero-day exploits for intelligence-collection purposes. These exploits, by definition, can provide the NSA access to foreign government’s systems and from there, an untold wealth of information might be gleaned. Secondly, the collecting of such exploits could potentially act as a deterrent against malicious cyberattacks by other states. The logic here is deeply flawed. A malicious cyber actor might be deterred from launching an attack with their own zero-day arsenal knowing that the US, as one example, could respond with a retaliatory attack of their own that is unpredictable in its scope, direction, and timing largely because of the ambiguity of the arsenal at the NSA or Cyber Command’s disposal. Finally, law enforcement increasingly needs to use technological tools to round out their investigations. Old fashioned police work can still reveal a lot during a criminal investigation, but as more crime has shifted online, policing methods have had to adapt. Sometimes, the crucial bit of evidence needed to crack the case is hosted digitally, often on an encrypted device (as in the San Bernardino case), in another jurisdiction (as in the Microsoft Irish server case), or on the Dark Web. In many of these cases, so-called network investigative techniques (hacking the technology) might be justified. The Problem & Ways Forward Despite these potentially defensible reasons for collecting zero-day exploits, there are also some good reasons why governments should not collect zero days and refuse to disclose them to the vendors who develop (and more importantly patch) the software. Chief among such reasons is the fallout from the reported Shadow Broker hack of Equation Group, a private firm with links to the NSA. The Shadow Broker data dump highlighted that many of the exploits and hacking techniques used by the NSA were years old, suggesting that the agency—rather than disclosing a vulnerability in a timely manner—held them and used them secretly for extended periods of time. The trouble here is manifold. By refusing to disclose their collected exploit to the vendors, the NSA placed everyone who used the various hardware or software in jeopardy. What can be found by one person can obviously be found by another. This last point raises the final reason why NSA hoarding of zero-days—or really government hoarding more generally—might be a bad idea. While it is common to hear of old cold war logic applied to the cyber realm, like the idea that cyber deterrence is possible, the fact of the matter is for the first time disarmament (that cold war unicorn) might be a practicable solution to the problem of destructive digital cyber weapons (zero days). Disarmament negotiations always hinge upon the crucial question of how do you know that your adversary has given up their weapons. Often times, you cannot be sure, and so nations keep their own weapons to prevent being taken advantage of. But the cyber-realm is different in a subtle but key respect. There is a certain indivisibility of the arsenals of nations that does not exist in the conventional world. Most prominently, the disclosure of a zero-day exploit by the NSA or other government agency to a vendor has the weird effect of removing a bomb from the digital arsenal of your opponent. Disclosing a zero-day exploit in Microsoft Office does not just result in a loss of a weapon for the NSA or Cyber Command. It also removes a bomb from Russia, from China, and from every other nation, too. Disclosure does not guarantee that some hostile actor might not have a vulnerability that is unknown to the NSA, but when you are at the top of the pile, your ability to force disarmament is huge. Government disclosure of zero-days, therefore, could have a number of beneficial effects. It could help preserve and even restore user trust in the Internet ecosystem by helping to keep people safe online. It could also act as an effective means of enforcing disarmament against all nations. By disclosing the exploit, governments can remove the bomb from every nations arsenal.