Friday, July 03, 2015
Weekly Analysis

Policy debate looms on U.S. role in market for 'zero-day' cyber threats

Posted: May 5, 2014
In a bid to address questions about the federal government's willingness to conceal and exploit cybersecurity vulnerabilities for intelligence purposes, the White House last week issued a statement on how it decides whether to reveal such a flaw, noting a key factor is protecting critical infrastructure. But there remains a looming policy debate about how to control the proliferation of zero-day exploits and whether the United States is in some ways contributing to the problem.

The United States has been accused of creating and fueling the market for zero-day exploits by paying very high prices for them, former Pentagon homeland-defense chief Paul Stockton and a co-author noted earlier this year in an essay for the Yale Law and Policy Review.

Both "white hat" and "black hat" markets have emerged for identified zero-day threats, which exploit previously unknown vulnerabilities. There is also a "burgeoning gray market," the essay notes, where companies sell the exploits to governments and other unreported customers with screening that is "far too lenient to safeguard critical U.S. infrastructure from attack."

Stockton's essay -- which underscored the risk the exploits pose to the U.S. electric grid and other critical infrastructure sectors -- urged U.S. policymakers to consider reining in the practice of paying so much for the flaws, adding there is "no evidence" that the agencies who exploit them weigh the benefits against the "potentially catastrophic risks" that the zero-day market poses to U.S. security.

"The time has come for Congress, Executive Branch leaders, the software industry, and scholars to bring this tradeoff analysis into the open and determine whether staying at the extreme end of the policy spectrum -- that of de facto support for a dangerous bazaar for zero-day-exploits -- best serves U.S. national security," wrote Stockton and co-author Michele Golabek-Goldman, a student at Yale University Law School.

Last spring, in a speech at Georgetown University, Eric Rosenbach, then the Pentagon's deputy assistant secretary of defense for cyber policy, voiced serious concern about the black market for cyber vulnerabilities. "I am very, very concerned about that growing market for zero-day exploits, for destructive malware," he said at the time.

But when asked last week whether the Obama administration is considering reducing purchases of zero-day exploits to control the booming market, Laura Lucas Magnuson, a spokeswoman for White House Cybersecurity Coordinator Michael Daniel, disputed the notion of a booming market.

"The U.S. government does not see evidence that there is a booming market for zero-day exploits," she told Inside Cybersecurity. "Instead, the private sector is stepping up to create innovative solutions to our cybersecurity challenges such as 'bug bounty' programs or crowd-sourcing the process of vulnerability discovery."

These kinds of "innovative solutions . . . are critical to improving how we identify and patch unknown vulnerabilities and protect U.S. networks and the Internet as a whole," she continued. "We are looking at whether the U.S. government can or should play a role in encouraging the development of such solutions."

Congress has taken an interest in controlling the proliferation of zero-day and other cyber exploits. How the administration responds to recent legislation could shed light on the way ahead. The fiscal year 2014 National Defense Authorization Act directs the president to launch an interagency process to create an integrated policy to control the proliferation of cyber weapons through various means. The legislation also mandates the development of a new cyber deterrence policy.

One example of progress, the White House spokeswoman said, is the December 2013 pact by the United States and other members of the Wassenaar Arrangement to control the export of certain cyber-related tools. -- Christopher J. Castelli
