In a bid to address questions about the federal government's willingness to conceal and exploit cybersecurity vulnerabilities for intelligence purposes, the White House last week issued a statement on how it decides whether to reveal such a flaw, noting a key factor is protecting critical infrastructure. But there remains a looming policy debate about how to control the proliferation of zero-day exploits and whether the United States is in some ways contributing to the problem.
The United States has been accused of creating and fueling the market for zero-day exploits by paying very high prices for them, former Pentagon homeland-defense chief Paul Stockton and a co-author noted earlier this year in an essay for the Yale Law and Policy Review.
Both "white hat" and "black hat" markets have emerged for identified zero-day threats, which exploit previously unknown vulnerabilities. There is also a "burgeoning gray market," the essay notes, where companies sell the exploits to governments and other unreported customers with screening that is "far too lenient to safeguard critical U.S. infrastructure from attack."
Stockton's essay -- which underscored the risk the exploits pose to the U.S. electric grid and other critical infrastructure sectors -- urged U.S. policymakers to consider reining in the practice of paying so much for the flaws, adding there is "no evidence" that the agencies that exploit them weigh the benefits against the "potentially catastrophic risks" that the zero-day market poses to U.S. security.
"The time has come for Congress, Executive Branch leaders, the software industry, and scholars to bring this tradeoff analysis into the open and determine whether staying at the extreme end of the policy spectrum -- that of de facto support for a dangerous bazaar for zero-day exploits -- best serves U.S. national security," wrote Stockton and co-author Michele Golabek-Goldman, a student at Yale University Law School.
Last spring, in a speech at Georgetown University, Eric Rosenbach, then the Pentagon's deputy assistant secretary of defense for cyber policy, voiced serious concern about the black market for cyber vulnerabilities. "I am very, very concerned about that growing market for zero-day exploits, for destructive malware," he said at the time.
But when asked last week whether the Obama administration is considering reducing purchases of zero-day exploits to control the booming market, Laura Lucas Magnuson, a spokeswoman for White House Cybersecurity Coordinator Michael Daniel, disputed the notion of a booming market.
"The U.S. government does not see evidence that there is a booming market for zero-day exploits," she told Inside Cybersecurity. "Instead, the private sector is stepping up to create innovative solutions to our cybersecurity challenges such as 'bug bounty' programs or crowd-sourcing the process of vulnerability discovery."
These kinds of "innovative solutions . . . are critical to improving how we identify and patch unknown vulnerabilities and protect U.S. networks and the Internet as a whole," she continued. "We are looking at whether the U.S. government can or should play a role in encouraging the development of such solutions."
Congress has taken an interest in controlling the proliferation of zero-day and other cyber exploits. How the administration responds to recent legislation could shed light on the way ahead. The fiscal year 2014 National Defense Authorization Act directs the president to launch an interagency process to create an integrated policy to control the proliferation of cyber weapons through various means. The legislation also mandates the development of a new cyber deterrence policy.