Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
Nir Gaist
Nir Gaist
Connect Directly
E-Mail vvv

To Stockpile or Not to Stockpile Zero-Days?

As the debate rages on, there is still no simple answer to the question of whether the government should stockpile or publicly disclose zero-day vulnerabilities.

In the post-Snowden years, there has been a fair amount of discussion about the federal government's efforts to weaken encryption standards, introduce backdoors in commercial software, and hack into commercial organizations for the purpose of data collection. High-profile efforts by federal agents to gain access to an iPhone used by the San Bernardino shooters and an ensuing, albeit short, court battle with Apple has made the encryption issue a dinnertime conversation.

What has received less attention is the government's use and stockpiling of zero-day exploits. Until recently, the relevant discussion was mostly focused on the process surrounding the vulnerability review. A recent RAND Corporation study introduces academic research on the zero-day stockpiling versus disclosure debate.

The term "zero-day vulnerability" refers to the fact that developers have zero days to address and patch a previous undiscovered vulnerability. To take advantage of such a vulnerability, an exploit needs to be created. The government's use of zero-day exploits has exploded over the last decade, feeding a lucrative market for defense contractors and others who uncover critical flaws in the software (and hardware), and sell information about these vulnerabilities to the government. For example, the infamous Stuxnet, a digital weapon used to attack Iran's uranium enrichment program, used four zero-day exploits to spread.

The argument in favor of stockpiling is that the discovery of zero-days is a costly process, but when successful, gives the government an asymmetric advantage versus our adversaries, allowing for practically undetectable intelligence gathering and even the ability to disable or sabotage opponents' infrastructure.

On the other hand, there is a chance that other parties (including our adversaries) have discovered the same zero-day and could be using it against our governmental and commercial entities. This is the argument in favor of disclosure, which allows affected vendors to patch the vulnerability.

The Disclosure Debate
Almost five years ago, in the wake of Edward Snowden's leaks, President Obama convened a presidential advisory committee to develop a set of recommendations for how to strike a balance between protecting national security interests, advancing the administration's foreign policy agenda, and respecting citizens' privacy and civil liberties. The resulting 308-page report issued by the panel included 46 recommendations, including the topic of zero-day disclosure. Recommendation 30 of the report states, "US policy should generally move to ensure that zero-days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks." The report continues, "In rare instances, US policy may briefly authorize using a zero-day for high priority intelligence collection, following senior, interagency review involving all appropriate departments."

It is clear that the panel's recommendation favors disclosure. In response, the government stated that "there is a [zero-day review] process, there is rigor in that process, and the bias is very heavily tilted toward disclosure."

However, when in April 2014 a new vulnerability dubbed Heartbleed appeared, Bloomberg News reported that the NSA "knew for at least two years" about the flaw and "regularly used it to gather critical intelligence." Note that the NSA has denied the allegation.

In August 2016, a group calling itself Shadow Brokers released a cache of cyber exploits almost certainly belonging to the NSA. Several were zero-days. Worryingly, these vulnerabilities were in security products produced by Cisco, Juniper, and Fortinet, among others, each widely used to protect US companies and critical infrastructure, as well as other systems worldwide. And those leaks were followed in 2017 by the zero-day leveraged in the crippling WannaCry.

So, did the government take the recommendations of the panel to heart? Should it?

US Director of National Intelligence Dan Coats compares the situation around cyberattacks targeting the United States infrastructure today to the months before September 11, 2001, noting, "Here we are nearly two decades later, and the warning lights are blinking red again." With that in mind, it would seem that a confidential stockpile could be invaluable for conducting reconnaissance and offensive campaigns, especially against state-sponsored cyberattackers.

On the other side of the spectrum is the commentary from Joe Nye, the veteran national security scholar, who suggested "...if the United States unilaterally adopted a norm of responsible disclosure of zero-days to companies and the public after a limited period, it would destroy their value as weapons — simultaneously disarming ourselves, other countries, and criminals without ever having to negotiate a treaty or worry about verification. Other states might follow suit. In some aspect, cyber arms control could turn out to be easier than nuclear arms control."

Stockpiling Pros & Cons
The question of whether the government should stockpile or publicly disclose zero-days is a difficult one, and the answer is not a simple "yes" or "no." Enter the RAND Corporation's fascinating report, "Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits." It reveals that zero-day exploits and their underlying vulnerabilities have a 6.9-year life expectancy, on average. That's 2,521 days after the initial discovery, with 25% of those zero-days surviving for more than 9.5 years.

Not only can zero-day exploits enjoy long life spans, but when a vulnerability is discovered, it can be put to work very quickly. When it comes to the time required to create an exploit, RAND found that almost a third are developed in a week or less, with the majority being developed in approximately 22 days.

Most importantly, the report does a deep dive into the issue of stockpiling and hypothesizes that if zero-day vulnerabilities are very hard to find and/or the likelihood of stumbling across the same vulnerability that was discovered by the other party is low, then it makes sense to stockpile. The research estimates that approximately only 5.7% of zero-day vulnerabilities are discovered by an outside entity per year. Hence, the "collision" rate, or the chance of the same vulnerability being discovered independently by multiple parties, is quite low. For that reason, stockpiling rather than disclosing may be beneficial for offensively focused entities.

Still, the 2013 presidential advisory committee's report referenced above counters RAND's conclusion: "In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection. Eliminating the vulnerabilities — 'patching' them — strengthens the security of US Government, critical infrastructure, and other computer systems."

Which part of the stockpile or disclosure debate are you on? Share your thoughts in the comments.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Nir Gaist is a senior information security expert, ethical hacker, and a gifted individual. He started programming at age 6 and began his studies at the Israeli Technion University at age 10. Nir holds significant cybersecurity experience after serving as a security ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
11/30/2018 | 6:40:30 AM
Same old same old
In no way should any government , and especially ours, be trusted with something like ZDE's or private crypto keys.  Want proof?  Go back 100+ years and look at guns.  FBI agents and most other federal authorities could not carry guns, mostly because the founders of this republic knew they could not be trusted and for the most part, we had a VERY law abiding society.  It literally took an act of Congress to give them permission to do so and the result is what we have today.  Darn near any federal authority can carry a gun but citizens have to suck it up, and in some places beg, to even purchase a gun.  See the parallel?  If you don't your grandchildren or great grandchildren will, should our country stand that long.  Yes, I'm an old man if you need to know and yes, I understand the concept of the camels nose in the tent.  Do you?
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.