Jay Kesan | Publications

In May, Secretary of Defense Ashton Carter addressed reporters at a news conference in California, where he talked about technology and cyber defense. Carter spoke about the United States’ use of electronic attack methods to disrupt the activities of ISIS. But, he warned, we are not the only country with those types of capabilities.

Technology is an equalizer. This has pretty much always been true. A lot of technology allows us to do old tasks in new ways to get things done faster, and this is also true for military technology. Considerable time and resources are required for an airstrike or an espionage operation. It takes much less effort to develop and deploy an electronic weapon that could have similar effects. Experts estimate that Stuxnet, the infamous worm that destroyed hundreds of nuclear centrifuges in Iran, cost a million dollars to develop. That sounds like a lot to you and me, but keep in mind that Congress budgets hundreds of billions of dollars for the Department of Defense every year. Stuxnet’s development costs are within the reach of a small country, or even a very determined group of individuals.

This is why Defense Secretary Carter was in California with other high-ranking policy officials to meet with technology companies. Relationships between technology companies and the government have been strained lately, as law enforcement calls for breakable encryption. But, the encryption controversy aside, cooperation between technology experts and the government is essential for national security. The government needs the technology expertise of the private sector, and vice versa. Cyber defense, however, requires innovative thought, not just money.

A major obstacle to effective cyber defense is the unpredictability of zero day vulnerabilities. Zero days are security holes that are unknown and unpatched before an attacker uses them. Security researchers around the world identify zero days, and some of these zero days are sold on the open market. One of the purchasers in the market for zero day vulnerabilities is the U.S. government. Zero day vulnerabilities give our military and intelligence communities an edge as they develop cyber weapons and surveillance tools. But these security holes are discovered, not made. If we can find one and figure out how to use it against people who want to hurt us, there is also nothing stopping those people from using the same security hole against the U.S. military, U.S. infrastructure, and U.S. citizens.

This should concern the technology companies—the software vendors—that are being asked to collaborate with the government on cyber defense. Our critical infrastructure has to be protected and civilians have to be protected too. But by supporting the market for zero day vulnerabilities and exploits, the U.S. government is tacitly condoning everyone else’s efforts to develop cyber weapons, regardless of whether this is in the best interest of the public.

Even if the U.S. government moves all zero day research in-house (in other words, the government agencies look for the zero day vulnerabilities themselves, instead of buying them from others), anyone else could find the same vulnerabilities with enough resources and time. Offense and defense may be more closely related in cyber conflict than in any other context. Cyber defense isn’t just about building a better wall to keep out better weapons. The “better wall” has to be designed with specific weapons in mind, and the technologies of these weapons need to be integrated into this wall to some degree. Only by giving cyber defense at least as much emphasis as cyber offense will we be able to mitigate threats to our society and our way of life.

Author – Jay Kesan

The U.S. Government and Zero Day Vulnerabilities