A market has developed in which specialized firms discover new vulnerabilities in software and sell that knowledge for tens or hundreds of thousands of dollars. These vulnerabilities are known as “zero day exploits” because there is no advance knowledge of them before they are used. In this blog post, we recognize that this market may require some kind of action, but reject simplistic calls for “regulation” of suppliers. We recommend focusing on the demand side of the market.
Although there is surprisingly little hard evidence of its scope and scale, the market for vulnerabilities is considered troublesome or dangerous by many. While the bounties paid may stimulate additional research into security, it is the exclusive and secret possession of this knowledge by a single buyer that raises concerns. It is clear that when a someone other than the software vendor pays $100,000 for a zero-day they are probably not paying for defense, but rather for an opportunity to take advantage of someone else’s vulnerability. Thus, the vulnerabilities remain unpatched. (Secrecy also makes the market rather inefficient; it may be possible to sell the same “secret” to several buyers.)
The supply side of the market consists of small firms and individuals with specialized knowledge. They compete to be the first to identify new vulnerabilities in software or information systems and then bring them to buyers. Many buyers are reputed to be government intelligence, law enforcement or military agencies using tax dollars to finance purchases. But we know less about the demand side than we should. The point, however, is that buyers are empowered to initiate an attack, a power that even legitimate organizations could easily abuse.
Insofar as the market for exploits shifts incentives away from publicizing and fixing vulnerabilities toward competitive efforts to gain private, exclusive knowledge of them so they can be held in reserve for possible use, the market has important implications for global security. It puts a premium on dangerous vulnerabilities, and thus may put the social and economic benefits of the Internet at risk. While the US might think it has an advantage in this competition, as a leader in the Internet economy and one of the most cyber-dependent countries, it also has the most to lose.
Unfortunately, so far the only policy response proposed has been vague calls for “regulation.” Chris Soghoian in particular has made “regulation” the basis of his response, calling suppliers “modern-day merchants of death” and claiming that “Security researchers should not be selling zero-days to middle man firms…These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain.”
Such responses, however, are too long on moral outrage and too short on hard-headed analysis and practical proposals. The idea that “regulation” can solve the problem overlooks major constraints:
- The market is transnational and thus regulation of supply would require agreement among contending nation-states. National security interests are implicated, making agreement among states difficult.
- Disclosure and enforcement would be challenging. Unlike physical weapons systems, exploits are invisible and traded digitally. Buyers and sellers have strong incentives not to disclose deals. James Lewis of CSIS, who worked on a project to restrict access to or exports of software claims it “was impossible to control – there were so many ways to beat any restrictions, so many people who could write the code.”
- The line between legitimate security services/research and the market for zero-day exploits is thin and blurry. Regulating exploit supply may translate into regulating all security software development, which would be costly and economically stifling;
- It would be relatively easy for this type of market to go underground if regulation chafed. Governments could bring such R&D in-house instead of using an external market. Sales to terrorist or criminal groups are unlikely to be affected by any national or international system of regulation.
Despite these constraints, we do need to seriously consider ways to redirect incentives away from the discovery and possible exploitation of vulnerabilities towards discovering, publicizing and fixing them for the public benefit.
We suggest focusing policy responses on the demand side rather than the supply side. The zero-day market is largely a product of buyers, with sellers responding to that demand. And if it is true that much of the demand comes from the US Government itself, we should have a civilian agency such as DHS compile information about the scope and scale of our participation in the exploits market. We should also ask friendly nations to assess and quantify their own efforts as buyers, and share information about the scope of their purchases with us. If U.S. agencies and allies are key drivers of this market, we may have the leverage we need to bring the situation under control.
One idea that should be explored is a new federal program to purchase zero-day exploits at remunerative prices and then publicly disclose the vulnerabilities (using ‘responsible disclosure’ procedures that permit directly affected parties to patch them first). The program could systematically assess the nature and danger of the vulnerability and pay commensurate prices. It would need to be coupled with strong laws barring all government agencies – including military and intelligence agencies – from failing to disclose exploits with the potential to undermine the security of public infrastructure. If other, friendly governments joined the program, the costs could be shared along with the information.
In other words, instead of engaging in a futile effort to suppress the market, the US would attempt to create a near-monopsony that would pre-empt it and steer it toward beneficial ends. Funds for this purchase-to-disclose program could replace current funding for exploit purchases.
Obviously, terrorists, criminals or hostile states bent on destruction or break-ins would not be turned away from developing zero-days by the prospect of getting well-paid for their exploits. But most of the known supply side of the market does not seem to be composed of terrorists or criminals, but rather profit-motivated security specialists. And it’s likely that legitimate, well-paid talent will discover more flaws than “the dark side” in the long run.
Obviously the details regarding the design, procedures and oversight of this program would need to be developed. But on its face, a demand-side approach seems much more promising than railing against the morality of so-called cyber arms dealers.