Yesterday, a new stage of the “roaring debate” over cyber policy made the news, thanks to David Sanger of the New York Times. He revealed that the U.S. government is now one of the biggest purchasers of information about “zero days,” which are software coding flaws that can be used by cyber criminals to penetrate computers and (potentially) wreak havoc on the power grid, financial institutions, or other infrastructure sectors.
When the government identifies a zero day, Sanger reported, the Obama Administration will ordinarily recommend that the vulnerabilities be disclosed so software manufacturers and users can patch them. However, because cyber weapons that exploit zero days can have such devastating effects, the Administration has also decided to keep knowledge of them secret when there is “a clear national security or law enforcement need” to do so.
The United States is one of many buyers in the thriving, unregulated marketplace for zero day exploits, which Michele Goldman and I recently analyzed in Curbing the Market for Cyber Weapons. Russia, China, North Korea, and Iran also eagerly purchase the zero days that hackers sell in this market to any client with the cash, no questions asked.
On balance, allowing this free-for-all cyber weapons bazaar to flourish weakens our national security. Our government gets to purchase powerful zero days, but so do our potential adversaries, who can use them to attack our critical infrastructure and other networks. As more and more nations (and non-state actors such as Al Qaeda) gain access to cyber weapons they could never build on their own, helping the zero day market flourish by sustaining U.S. purchases in it is a dangerous strategy.
The more difficult question is what the United States can do to clamp down on this market. Unilateral disarmament makes no sense: as long as potential adversaries are in the game, stopping our own purchases would be counter-productive. Instead, the Obama Administration should explore how international agreements might be forged to limit the zero day market, and how stronger invectives can be created for software manufacturers to eliminate zero day exploits before our adversaries find them. Both opportunities for progress are examined in Curbing the Market for Cyber Weapons.