
1AC LEXINGTON

1AC

1AC Plan
The United States federal government should eliminate its
domestic surveillance programs using computer software
vulnerabilities or exploits unknown to relevant vendors.

1AC Cyberattacks Advantage


CONTENTION 1: CYBERATTACKS
Loopholes still allow the executive to purchase zero-day
software vulnerabilities from third parties.
Zetter, 2014 [Kim, award-winning journalist who covers cybercrime, civil
liberties, privacy, and security for Wired, Obama: NSA must reveal bugs like
Heartbleed, unless they help the NSA, Wired,
http://www.wired.com/2014/04/obama-zero-day/] //khirn
Healey notes that the public statements on the new policy leave a lot of questions unanswered and
raise the possibility that the government has additional loopholes that go beyond
the national security exception. The statement by the Office of the Director of National Intelligence about the new
bias toward disclosure, for example, specifically refers to vulnerabilities discovered by federal agencies,
but doesn't mention vulnerabilities discovered and sold to the government by
contractors, zero-day brokers or individual researchers, some of whom may insist in
their sale agreements that the vulnerability not be disclosed. If purchased zero days
vulnerabilities don't have to be disclosed, this potentially leaves a loophole for the secret
use of these vulnerabilities and also raises the possibility that the government may
decide to get out of the business of finding zero days, preferring to purchase them
instead. "It would be a natural bureaucratic response for the NSA to say 'why
should we spend our money discovering vulnerabilities anymore if we're going to
have to disclose them?'" Healey says. "You can imagine a natural reaction would be for
them to stop spending money on finding vulnerabilities and use that money to buy
them off the grey-market where they don't have to worry about that bias." The
government's new statement about zero days also doesn't address whether it applies only
to vulnerabilities discovered in the future or to the arsenal of zero-day
vulnerabilities the government already possesses.

That drives the global zero-day market - an overly active US
makes vulnerability proliferation and cyberattacks inevitable.
Pierluigi Paganini 13, Chief Information Security Officer at Bit4Id, firm leader
in identity management, member of the ENISA (European Union Agency for
Network and Information Security) Threat Landscape Stakeholder Group. He is also
a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at
"Cyber Defense Magazine", Zero-day Market, the Government are the Main
Buyers, http://securityaffairs.co/wordpress/14561/malware/zero-day-marketgovernments-main-buyers.html
Governments, and in particular US one, are principal buyers of zero-day vulnerabilities according a
report published by Reuters. Zero-days exploits are considered a primary ingredient for success
of a cyber attack, the knowledge of zero-day flaw gives to the attacker guarantee of success, state-sponsored hackers and cyber criminals
consider zero-day exploits a precious resources around which is grown a booming market. Zero-day exploits could be used to as an essential component
for the design of a cyber weapon or could be exploited for cyber espionage purposes, in both cases governments appear the most interested entities for
the use of these malicious code. Recent cyber attacks conducted by Chinese hackers might lead us to think Chinese Government is primary
buyer/developer for zero-day vulnerabilities, but a report recently published by Reuters
claimed the US government is the
biggest buyer in a burgeoning gray market where hackers and security firms sell
tools for breaking into computers. Reuters revealed that the US Government, in particular its intelligence
agency and the DoD are spending so heavily for information on holes in commercial computer systems, and on
exploits taking advantage of them, that they are turning the world of security research on its
head, it's a new way to compete with adversary in cyberspace. Recent tension between China and US gave security experts the opportunity to
discuss about the development of the two countries of efficient cyber strategy that improve both offensive and defensive cyber capabilities. Both
countries are largely invested in the creation of new cyber units, but according intelligence sources, offensive approach seems to be most stimulated by
the need to preserve the security in the cyberspace. NSA chief General Keith Alexander told Congress that the US Government is spending billions of
dollars every year on cyberdefense and constructing increasingly sophisticated cyberweapons this led to the birth of more than a dozen offensive
cyber units, designed to mount attacks, when necessary, at foreign computer networks. Popular hacker Charlie Miller, security researcher at Twitter,
with a past collaboration with NSA confirmed the offensive approach to cyber security: The only people paying are on the offensive side. The emerging
zero-day market is fueled by intense activities of talented hackers who sell information on flaws in large use products. According Reuters
defense
contractors and intelligence agencies spend at least tens of millions of dollars a
year just on exploits. The zero-day market is very complex due high perishability of the goods, following some key figures of a so
complex business. Difficulty finding buyers and sellers: It's a closed market not openly accessible. Find a buyer or identify a possible seller is a critical
phase. Checking the buyer reliability: The reduced number of reliable brokers able to locate a buyer pushes the researcher to try to tell many
individuals about the discovery in an attempt to find a buyer with obvious risks. Value cannot be demonstrated without loss: One of the most fascinating
problems a researcher attempting to sell vulnerability information or a 0-day exploit may face is proving the validity of the information without
disclosing the information itself. The only way to prove the validity of the information is to either reveal it or demonstrate it in some fashion. Obviously,
revealing the information before the sale is undesirable as it leaves the researcher exposed to losing the intellectual property of the information without
compensation. Exclusivity of rights: The final hurdle involves the idea of the exclusive rights of the information. In order to receive the largest payoffs,
the researcher must be willing to sell all rights to the information to the buyer.
However, the buyer has no way to
protect themselves from the researcher selling the information to numerous
parties, or even disclosing the information publicly, after the sale. Current
approaches to zero-day vulnerabilities are to be bought up exploits avoiding that
they could be acquired by governments opponents such as dictators or organized
criminals, many security firms sell subscriptions for exploits, guaranteeing a
certain number per year. The trend to exploit zero-day for offensive purposes has been followed by intelligence agencies and also
private companies, both actors have started to code their own zero-day exploits. Private companies have also sprung up that hire programmers to do
the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the
price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive. The
Reuters report also revealed the participation of government representatives to the Secret Snoop Conference for Government and law enforcement
spying, clearly with the intent to acquire new technologies to conduct cyber espionage through malware based attacks able to compromise target
networks.
The choice of a government to acquire a zero-day exploit to use it against a
foreign governments hide serious risks for its country, cyber terrorist, cyber
criminals or state-sponsored hackers could reverse engineer the source code to
compose new malicious agent to use against the same authors.

Current US zero day policy will incentivize a cyber arms race -
the plan is key.
Steve Ranger 14, UK editor of TechRepublic, and has been writing about the
impact of technology on people, business and culture for more than a decade.
'Inside The Secret Digital Arms Race: Facing The Threat Of A Global Cyberwar Feature'. 4/24/14. Techrepublic. http://www.techrepublic.com/article/inside-thesecret-digital-arms-race, VL
As such,
the last decade has seen rapid investment in what governments and the
military have dubbed "cyberwar" - sometimes shortened to just "cyber." Yes, it sounds like a cheaply sensational term
borrowed from an airport thriller, (and to some the use of such an outmoded term reflects the limited level of understanding of the issues involved by
those in charge) but the intent behind the investment is deadly serious. The UK's defence secretary Philip Hammond has made no secret of the country's
interest in the field, telling a newspaper late last year, "We will build in Britain a cyber strike capability so we can strike back in cyberspace against
enemies who attack us, putting cyber alongside land, sea, air and space as a mainstream military activity." The UK is thought to be spending as much as
500m on the project over the next few years. On an even larger scale, last year
General Alexander revealed the NSA
was building 13 teams to strike back in the event of an attack on the US. "I would like to be
clear that this team, this defend-the-nation team, is not a defensive team," he told the Senate Armed Services Committee last year. And of course,
it's not just the UK and US that are building up a digital army. In a time of
declining budgets, it's a way for defence ministries and defence companies to see
growth, leading some to warn of the emergence of a twenty-first century cyber-industrial complex. And the shift from investment in cyber-defence initiatives to
cyber-offensives is a recent and, for some, worrying trend. Peter W. Singer, director of the Center for 21st
Century Security and Intelligence at the Brookings Institution, said
100 nations are building cyber military
commands of that there are about 20 that are serious players, and a smaller
number could carry out a whole cyberwar campaign. And the fear is that by emphasising
their offensive capabilities, governments will up the ante for everyone else. "We
are seeing some of the same manifestations of a classic arms race that we saw in
the Cold War or prior to World War One. The essence of an arms race is where the sides spend more and more on
building up and advancing military capabilities but feel less and less secure - and that definitely characterises this space today," he said. It's taken less
than a decade for digital warfare to go from theoretical to the worryingly possible. Politicians may argue that building up these skills is a deterrent to
others, and emphasise such weapons would only be used to counter an attack, never to launch one. But for some, far from scaring off any would-be
threats, these investments in offensive cyber capabilities risk creating more instability. "In international stability terms, arms races are never a positive
thing: the problem is it's incredibly hard to get out of them because they are both illogical [and] make perfect sense," Singer said. Similarly Richard
Clarke, a former presidential advisor on cybersecurity told a conference in 2012, "We turn an awful lot of people off in this country and around the world
when we have generals and admirals running around talking about 'dominating the cyber domain'.
We need cooperation from a
lot of people around the world and in this country to achieve cybersecurity and
militarising the issue and talking about how the US military have to dominate the
cyber domain is not helpful." Thomas Rid, a reader in War Studies at King's College London said that many countries now feel
that to be taken seriously they need to have a cyber command too. "What you see is an escalation of preparation.
All sorts of countries are preparing and because these targets are intelligence
intensive - you need that intel to develop attack tools - you see a lot of probing,
scanning systems for vulnerabilities, having a look inside if you can without doing anything, just seeing
what's possible," Rid said. As a result, in the shadows, various nations building up their digital
military presence are mapping out what could be future digital battlegrounds and
seeking out potential targets, even leaving behind code to be activated later in any conflict that might arise. As nations race to
build their digital armies they also need to arm them. And that means developing new types of weapons. While state-sponsored
cyberwarfare may use some of the same tools as criminal hackers, and even some of the same
targets, it wants to go further. So while a state-sponsored cyber attack could use the old hacker standby of the denial of service
attack (indeed the UK's GCHQ has already used such attacks itself, according to leaks from Edward Snowden), something like Stuxnet - built with the
aim of destroying the centrifuges used in the Iranian nuclear project - is another thing entirely. "Stuxnet was almost a Manhattan Project style in terms
of the wide variety of expertise that was brought in: everything from intelligence analysts to some of the top cyber talent in the world to nuclear
physicists to engineers, to build working models to test it out on, and another entire espionage effort to put it in to the systems in Iran that Iran thought
were air-gapped. This was not a couple of kids," said Singer.
The big difference between military-grade cyber
weapons and hacker tools is that the most sophisticated digital weapons want to
break things. To create real, physical damage. And these weapons are bespoke, expensive to build, and
have a very short shelf life. To have a real impact, these attacks are likely to be levelled at the industrial software that runs production lines, power
stations or energy grids, otherwise known as SCADA (supervisory control and data acquisition) systems. Increasingly, SCADA systems are being
internet-enabled to make them easier to manage, which of course, also makes them easier to attack. Easier doesn't mean easy though. These complex
systems, often built to last for decades, are often built for a very narrow, specific purpose - sometimes for a single building. According to Rid, this
makes them much harder to undermine. A bespoke, highly specific system requires a bespoke, highly specific attack, and a significant amount of
intelligence, too.

"The essence of an arms race is where the sides spend more and more on
building up and advancing military capabilities but feel less and less secure - and
that definitely characterises this space today." Peter W. Singer, Center for 21st Century Security and Intelligence

"The only piece of target intelligence you need to attack somebody's email or a website is an email address or a URL. In the case of a control system, you
need much more information about the target, about the entire logic that controls the process, and legacy systems that are part of the process you are
attacking," Rid said. That also means that delivering any more than a few of these attacks at a time would be almost impossible, making a long cyberwar
campaign hard to sustain. Similarly,
these weapons need to exploit a unique weakness to be
effective: so-called zero day flaws. These are vulnerabilities in software that have
not been patched and therefore cannot be defended against. This is what makes them
potentially so devastating, but also limits their longevity. Zero-day flaws are relatively rare and expensive and hard to come by.
They're sold for hundreds of thousands of dollars by their finders. A couple of years ago a Windows flaw might have earned its finder $100,000 on the
black market, an iOS vulnerability twice that. Zero-day flaws have an in-built weakness, though: they're a one-use only weapon. Once an attack has been
launched, the zero-day used is known to everyone. Take Stuxnet. Even though it seems to have had one specific target - an Iranian power plant - once
it was launched, Stuxnet spread very widely, meaning security companies around the world could examine the code, and making it much harder for
anyone to use that exact same attack again. "It's like dropping the bomb, but also [saying] here's the blueprint of how to build the bomb," explains
Singer, author of the recent book Cybersecurity and Cyberwar. But this leads to another, unseen problem.
As governments
stockpile zero-day flaws for use in their cyber-weapons, it means they aren't being
reported to the software vendors to be fixed - leaving unpatched systems around
the world at risk when they could easily be fixed.

Scenario 1 is Grids - they're exposed and vulnerable.


Andrew Krepinevich 12, PhD & MPA at Harvard, West Point graduate, served
25 years in the Army, worked in the DOD Office of Net Assessment for 3 defense
secretaries, president of the Center for Strategic and Budgetary Assessments, p.
53-8, http://www.csbaonline.org/publications/2012/08/cyber-warfare-a-nuclearoption/
A VULNERABLE GRID Could a cyber attack take the United States, or major parts of it, off the electric grid for significant periods of time? While it is
not possible to provide a definitive answer, there is sufficient evidence to justify concern that such an event could occur. Initially
U.S. power
grid control systems (i.e., SCADA systems) were on closed networks that were not
connected to the Internet. Over time, however, the electric industry began relying on
SCADA systems to improve the efficiency and performance of their systems. As it is
cheaper to maintain an open network than a closed one, firms opted to move to
open networks. Access to the Internet, with its attendant benefits and
vulnerabilities, became essential for operations.190 In addition to penetrating power
companies via the Internet, hackers can compromise SCADA systems by
exploiting outdated modems used for maintenance purposes, or by exploiting
wireless access points - jumping the air gap. Again, irrespective of being on an open
or closed network, the problems of supply chain security and insider threats
remain. Finally, power companies may buy and trade power among one another,
creating the prospect that hackers breaching the defenses of one firm will have
effectively penetrated all its partners as well.191 The U.S. power grid's vulnerability
is heightened by two additional factors. First, most grid asset owners and
operators have been historically resistant to report cyber attacks against their
networks or to make the necessary investments to upgrade and secure their
networks.192 Second, the U.S. power grid is highly centralized; the power grid
serving the contiguous forty-eight states is composed of three distinct power grids,
or interconnections - the Eastern Interconnection, the Western Interconnection, and the Electric Reliability Council of Texas
Interconnection.193 These interconnections provide power to the continental United States, Canada, and a small part of Mexico. The
combination of centralized grids and a lack of emphasis on defensive measures
could make the power grid more vulnerable to cascading failures, as have been
triggered by other events in the past. As roughly 90 percent of the Defense
Department's most critical assets are entirely dependent on the bulk power grid,
there is the potential for a Cyber Pearl Harbor to result from a successful attack
on the grid.194 A recent case points out just how vulnerable the grid may be. In
2008 a power company hired a cyber security firm to test the security of the
network it employs to oversee its power grid. The cyber security team took only a
day to organize its cyber tools before launching its attack. The penetration team monitored SCADA user
groups, harvesting the email addresses of people working at the targeted power company. It then sent the workers an email describing the company's
intention to reduce their benefits along with a link to an Internet site where they could obtain more information. When the employees clicked on the
link, they were directed to an Internet server set up by the penetration team. The employees' machines displayed an error message; however, the
Internet server downloaded malware enabling the team to take command of the machines in less than one day.195
The situation may
become worse before it gets better. In particular, the recent move by the United States to
develop a smart grid could increase the United States' vulnerability to cyber
attacks on its electric power infrastructure.196 The U.S. Department of Energy (DoE) is working to
build security into the smart grid, but the challenge is very complex.197

Specifically, US zero day policy ensures leaks and exposes
unforeseen weaknesses in grids.
Clay Wilson 14, Program Director for Cybersecurity graduate studies at the
American Public University, past Program Director for Cybersecurity Policy at the
University of Maryland University College (UMUC), former analyst for national
defense policy at the Congressional Research Service, member of the Landau
Network Centro Volta, International Working Group, an organization that studies
issues for non-proliferation of CBRN and Cyber Weapons. Cyber Threats to Critical
Information Infrastructure, Cyberterrorism 2014, p. 123-36, VL
Both Flame and Stuxnet reportedly contain multiple zero-day exploits (ZDEs) which
enabled them to bypass the cybersecurity controls for the top-secret computer systems
in Iran's nuclear facility. A ZDE is special code that takes advantage of a previously unknown vulnerability in computer software.
There is no technical defense against a ZDE until after it has been discovered and
its stealthy methods have been analyzed by researchers. Traditional antivirus and intrusion
detection security products have difficulty in detecting or blocking the actions of a ZDE. If ZDE stealth is
added onto malicious code, it can enable that code to be secretly inserted and installed on a targeted computer system. Because of increasingly
sophisticated stealth features,
sometimes months or years can pass until a systems administrator
notices something suspicious is going on inside their computer system. Stealth capability and international tensions
linked to cyber espionage have together created a growing demand for ZDEs. Highly-skilled cyber experts who design
and develop ZDEs have discovered that governments and industries will pay them
handsomely (Miller 2007), and they can also offer ZDEs for sale to other organizations for use with
cyberattacks (Greenberg 2012a). Sales of zero-day exploits are reportedly made to
government customers in the U.S., Russia and China, plus European agencies and
their supporting contractors, including for example, Northrop Grumman and Raytheon (Timm 2012). The Western governments
and customers are the ones who pay the highest prices for ZDEs. Reportedly, markets in the Middle East cannot yet match the higher prices offered by
Western governments (Greenberg 2012b). Cyber experts involved in the design and sale of ZDEs include scientists, researchers, national military
warfighters, students, and individual criminals. Individuals with sophisticated programming skills are actively recruited as workers by a variety of
organizations, including law enforcement agencies, criminal organizations, and also possibly some extremist groups (Paganini 2012).

Government agencies may explain to the sellers that the malware is intended for
use to monitor communications of criminal suspects, or temporarily disable the
computers and phones of suspects and targets as part of intelligence gathering
programs. However, the growing body of ZDEs and malicious code are contributing to a
cyber arms race, along with the familiar questions and concerns about containment and nonproliferation normally associated with CBRN
weapons. ZDEs that are designed and purchased for use by the military and law
enforcement may eventually come to threaten civilian critical infrastructure systems if
they should find their way into the hands of terrorists and extremist groups. Reports have started to emerge that this
gradual leakage of malicious ZDE code originally intended for use by law enforcement is already
starting to take place.

Zero-days are unique - causes long-term vulnerabilities and
cascading failures that shut down grid supply.
Amelia Smith 14, Newsweek, 11/21/14. 'China Could Shut Down U.S. Power Grid
With Cyber Attack, Says NSA Chief'. http://europe.newsweek.com/china-couldshut-down-us-power-grid-cyber-attack-says-nsa-chief-286119, VL
China and "one or two" other countries have the ability to launch a cyber attack
that could shut down the entire U.S. power grid and other critical infrastructure,
the head of the National Security Agency (NSA) and U.S. Cyber Command told a congressional panel
on Thursday. Admiral Michael Rogers told the hearing that software had been detected in China that could significantly damage the nation's
economic future by interfering with power company networks and other critical systems. Describing the malware, he told the House Intelligence
Committee that:
"It enables you to shut down very segmented, very tailored parts of our
infrastructure that forestall the ability to provide that service to us as citizens." "It is only a matter of the when, not the if, that we are going
to see something traumatic," he added. When asked by Republican representative for Michigan Mike Rogers, who chairs the intelligence committee,
what other countries have this capability, the NSA director responded "one or two others," but declined to name them for security reasons. "We're
watching multiple nation states invest in this capability," he said. According to cyber expert Caroline Baylon of thinktank Chatham House,
the
interconnectedness of power grids means that they are liable to "cascading
failures". As nearby grids take up the slack for the failed system, they become overloaded
and they too fail in a chain reaction. Rogers said that such attacks are part of "coming
trends" in which so-called zero-day vulnerabilities in U.S. cyber systems are
exploited. A zero-day vulnerability refers to a hole in software that is unknown to the vendor, which can be exploited by hackers before the
vendor becomes aware and hurries to patch it up. They are becoming an increasingly powerful weapon of cyber espionage as countries become more
connected to the internet. As well as espionage, there are also fears of cyber warfare.
"Once an attacker finds an open
vulnerability, he or she can get into the system," Baylon told Newsweek. "This allows the
adversary to place a 'backdoor' in that system, as China are doing in the U.S.,
which they can use to access that system again at a later date." "Whilst at present it is not in any
country's interest to attack the power grid of another country, now is the time for countries to look for these vulnerabilities because this is when they
are open," she added. "It is a dangerous situation because
a number of countries are looking for
vulnerabilities in the power grids of other countries." A so-called 'grey-market' - a black market that isn't
strictly illegal yet - for zero-day vulnerabilities now exists, with companies like Vupen in France selling them to governments for use in espionage.
According to Baylon,
the U.K and the U.S. are particularly at risk because they have a huge
amount of critical infrastructure connected to the internet. Some countries however, like Russia, have
clear government policy about being connected to the internet. "There is a huge asymmetry going on," she said. Russia is also regarded as having an
aggressive cyber programme. Rogers's testimony comes shortly after the release of a report from the Pew Internet and American Life Project that says
that it is likely that a catastrophic cyber-attack would have occurred by 2025, causing significant losses in life and financial damage. "Intelligence
agencies and governments are very concerned about it," says
Baylon. She predicts that the most likely scenario
would be a coordinated attack. "In the event of major attack, we might see a series
of simultaneous attacks on a number of areas, for example attacking a power grid and paralyzing communications
networks at the same time." This, she says, is something we could see in the next five to 10 years.
However she stresses that whilst "it is very hard to find solutions", governments and experts are working very hard on the issue. In his testimony to the
intelligence committee, Rogers said:
"The Chinese intelligence services that conduct these attacks
have little to fear because we have no practical deterrents to that theft. This
problem is not going away until that changes."

A zero-day attack collapses critical infrastructure key to a
litany of services.
Fred Guterl 12, Executive Editor of Scientific American, Armageddon 2.0,
Bulletin of the Atomic Scientists, 11/28/12, http://thebulletin.org/bio/fred-guterl, VL
If Stuxnet-like malware were to insinuate itself into a few hundred power
generators in the United States and attack them all at once, the damage would be enough to cause
blackouts on the East and West Coasts. With such widespread destruction, it could take many
months to restore power to the grid. It seems incredible that this should be so, but the worldwide capacity to
manufacture generator parts is limited. Generators generally last 30 years, sometimes 50, so normally there's little
need for replacements. The main demand for generators is in China, India, and other parts of rapidly developing Asia. That's where the manufacturers
are -- not in the United States.
Even if the United States, in crisis mode, put full diplomatic pressure on
supplier nations -- or launched a military invasion to take over manufacturing facilities -- the capacity to ramp up
production would be severely limited. Worldwide production currently amounts to
only a few hundred generators per year. The consequences of going without power
for months, across a large swath of the United States, would be devastating.

Backup electrical generators in hospitals and other vulnerable facilities would have to rely on
fuel that would be in high demand. Diabetics would go without their insulin; heart
attack victims would not have their defibrillators; and sick people would have no place
to go. Businesses would run out of inventory and extra capacity. Grocery stores
would run out of food, and deliveries of all sorts would virtually cease (no gasoline for trucks and
airplanes, trains would be down). As we saw with the blackouts caused by Hurricane Sandy, gas stations couldn't pump gas
from their tanks, and fuel-carrying trucks wouldn't be able to fill up at refueling
stations. Without power, the economy would virtually cease, and if power failed over a large enough portion
of the country, simply trucking in supplies from elsewhere would not be adequate to cover
the needs of hundreds of millions of people. People would start to die by the thousands,
then by the tens of thousands, and eventually the millions. The loss of the power
grid would put nuclear plants on backup, but how many of those systems would
fail, causing meltdowns, as we saw at Fukushima? The loss in human life would
quickly reach, and perhaps exceed, the worst of the Cold War nuclear-exchange
scenarios. After eight to 10 days, about 72 percent of all economic activity, as measured by GDP, would shut down, according to an analysis by
Scott Borg, a cybersecurity expert.

Current Pentagon policy mandates retaliation against
cyberattack.
Richard Clarke and Steven Andreasen 13, * former National Coordinator
for Security, Infrastructure Protection, and Counter-terrorism for the United
States, **national security consultant to the Nuclear Threat Initiative, teaches
courses on National Security Policy and Crisis Management in Foreign Affairs at
the University of Minnesota, director for defence policy and arms control on the
National Security Council staff at the White House from 1993 to 2001, Cyberwar's
threat does not justify a new policy of nuclear deterrence, Washington Post
6/14/13, https://www.washingtonpost.com/opinions/cyberwars-threat-does-notjustify-a-new-policy-of-nuclear-deterrence/2013/06/14/91c01bb6-d50e-11e2-a73e826d299ff459_story.html, VL
The Pentagon's Defense Science Board concluded this year that China and Russia could develop
capabilities to launch an existential cyber attack against the United States -- that is,
an attack causing sufficient damage that our government would lose control of the
country. While the manifestation of a nuclear and cyber attack are very different, the board concluded, in the end, the existential impact to the
United States is the same. Because it will be impossible to fully defend our systems against
existential cyberthreats, the board argued, the United States must be prepared to
threaten the use of nuclear weapons to deter cyberattacks. In other words: I'll see your cyberwar and
raise you a nuclear response. Some would argue that Obama made clear in his 2010 Nuclear
Posture Review that the United States has adopted the objective of making
deterrence of nuclear attacks the sole purpose of our nuclear weapons. Well, the
board effectively reviewed the fine print and concluded that the Nuclear Posture
Review was essentially silent on the relationship between U.S. nuclear weapons and cyberthreats, so
connecting the two is not precluded in the stated policy. As the board noted, cyberattacks
can occur very quickly and without warning, requiring rapid decision-making by
those responsible for protecting our country. Integrating the nuclear threat into
the equation means making clear to any potential adversary that the United States
is prepared to use nuclear weapons very early in response to a major cyberattack
and is maintaining nuclear forces on prompt launch status to do so. Russia and China
would certainly take note and presumably follow suit. Moreover, if the United States, Russia and China adopted policies threatening an early nuclear
response to cyber attacks, more countries would surely take the same approach.
It's hard to see how this cyber-nuclear
action-reaction dynamic would improve U.S. or global security. It's more likely to
lead to a new focus by Pentagon planners on generating an expanding list of cyber-related targets and the operational deployment of nuclear forces to strike those
targets in minutes.

Pentagon threats lack credibility and cyberattacks are interpreted differently by attackers.
Vincent Manzo 11, fellow in the Defense and National Security Group of the
CSIS International Security Program, specializes in U.S. defense strategy, nuclear
weapons, missile defense, space and cyber policy, with a focus on exploring
deterrence, employment strategies and escalation control in the emerging
strategic environment, former research analyst at the National Defense
University's Institute for National Strategic Studies, Deterrence and Escalation in
Cross-domain Operations: Where Do Space and Cyberspace Fit? pgs. 6-7, Institute
for National Strategic Studies Strategic Forum at the National Defense University,
December 2011, https://www.law.upenn.edu/live/files/1323-manzo-deterrence-andescalation, VL
*ableist language modified
The balance between offense and defense in these domains will also influence perceptions
of effects, escalation and proportionality, and optimal deterrence strategies. For example, if
offense continues to dominate in space and cyberspace and potential adversaries
want to attack U.S. assets in these domains precisely because they are the U.S.
military's soft underbelly, U.S. stakes in any conflict would grow exponentially
after such attacks occur because the effects in other domains would be profound. As
a result, U.S. officials might feel pressure to take preemptive action prior to such an attack, or they
might take risks to quickly terminate a conflict and punish the adversary in its aftermath. The linkage between vulnerabilities in space and cyberspace
and the effectiveness of U.S. capabilities in other domains that makes U.S. satellites and computer networks high-value targets also makes the threat of
a strong reprisal more credible: it would be proportionate to the effects of the attack. Conveying this to potential adversaries would be a central
component of a deterrence strategy. Emphasizing this link might even enhance the credibility of the U.S. commitment to retaliate.
Alternatively, the United States might become capable of denying adversaries the benefits of attacks in these domains through cyber defenses and
substituting terrestrial assets for satellites. In this case, U.S. deterrence strategy would strive to convince potential adversaries that they cannot affect
U.S. ground, air, naval, and nuclear forces by attacking satellites and computer networks. Such a message might make U.S. threats to respond
offensively appear disproportionate and less credible, but this would be a worthwhile tradeoff if the United States developed a defensive advantage in
space and cyberspace.

Decisionmakers will also perceive attacks in space and cyberspace differently
depending on the context. Attacks on military satellites and computer networks
might be expected and accepted once a conventional war has started. But similar
attacks might trigger a conventional conflict if they occur prior to hostilities, when
both countries want to prevent a crisis from escalating into a war but are
concerned about being left blind, deaf, and dumb [unoperational] by a first strike in space
and cyberspace. Proportionality and escalation are relative concepts: actions that are escalatory
during crises might be proportionate in limited wars and underwhelming responses as the scope and intensity of a conflict increase.

A related issue is whether U.S. reactions to cyber exploitation during peacetime
would affect deterrence in crises. Though the technology and operations of cyber exploitation and cyber attacks are similar,
the goals and effects are different: exploitation extracts information from computers and networks
without authorization; attacks destroy, degrade, or alter them to achieve effects in
other domains.13 But news outlets frequently describe incidents of cyber exploitation
against the U.S. Government as cyber attacks and evidence of an ongoing war in cyberspace.14
Conflating these operations contributes to the impression that U.S. deterrence has
already failed. Potential adversaries might conclude that U.S. threats to respond to
cyber attacks in other domains lack credibility based on how the United States reacted to previous exploitation
operations.

This perception might affect how they calculate risks and benefits of cyber attacks in crises.
How can U.S. officials publicly convey that cyber exploitation and attacks pose different threats and require different responses, especially given the
overlap between the two? Emphasizing that the real-world effects of attacks and exploitation differ might be a first step toward establishing a threshold
between the two. This message would reinforce that deterrence has not failed because the effects of exploitation in cyberspace have not yet warranted
U.S. military responses in other domains. It clarifies the types of actions that the United States is attempting to deter.

Some strategists may conclude that proportionate counterspace and cyber responses
are impossible because escalation control in these domains is too difficult. There are an
infinite number of scenarios that are neither indicative of a minor harassing incident of jamming nor strategic attack in space and cyberspace.15

Assessing the effects of such attacks and choosing appropriate responses amid the
stress and confusion of a military crisis might be difficult. U.S. and foreign officials
likely will have differing views about the severity of nonkinetic disruptions that defy easy
categorization, and the obstacles to developing a common framework might be too
formidable.

Scenario 2 is Satellites: zero-day attacks damage satellite functions.
Andrea Gini 14, content strategy consultant specialized in space sector
companies, founder of Space Safety Magazine, worked in the European Space
Agency in the Independent Safety Office which overviews the ISS 2011-2013.
Internally cites Ram Levi, Founder and CEO of Konfidas Ltd, a cybersecurity
strategy solutions startup, cybersecurity advisor to the National Research and
Development Council, Ministry of Science and Technology and Space, and senior
researcher at the Yuval Neeman Workshop for Science, Technology and Security,
Tel Aviv University. 'Cyber Crime - From Cyber Space To Outer Space', 2/14/15,
Space Safety Magazine. http://www.spacesafetymagazine.com/aerospaceengineering/cyber-security/cyber-crime-cyber-space-outer-space/, VL
An attack requires four elements: the possibility to access a system, a vulnerability
to exploit, a payload -- a malicious logic to be executed within the victim's system to cause damage once executed, and
command and control to tell it what to do. One scenario could be a distributed denial of service attack (DDoS), Levi
explains. In this scenario the attacker is denying the ability of the system to provide services to its legitimate user by choking the network or
overloading the server with requests to diminish the limited resources of the server. Another attack could grant access to sensitive computers
controlling industrial processes to manipulate the outcome of the process such as changing the speed of an electricity-generating turbine and at the
same time showing normal operation status to the control technicians. Such attacks are hard to execute but also
extremely hard to deal with -- high complexity, high gain attacks. With computer
systems permanently connected to the Internet, the ability to perform an attack
depends on the knowledge of a particular vulnerability. A vulnerability may be due to design errors in
coding of software or hardware Levi explains. There are also backdoors which can be planned or covertly inserted in the software/hardware
development process. The most valuable resource for a cyber criminal is what is called Zero Day
vulnerability, a vulnerability that has not been publicly disclosed. Those vulnerabilities are
unknown to the general public or the software or hardware developers and therefore can be exploited by an attacker, says Levi, adding that these
are literally a free-pass to the organization's IT systems that can be used
sometimes for over a year, according to research done by Symantec.

Space Systems Vulnerability

Space systems, which in turn
are composed of a network of ground stations and spacecrafts using satellite communication for specific purposes, are themselves potentially subject to
these same vulnerabilities. The components of space systems are computers, network
components, or components controlled by computers, like uplink antenna motors,
Levi explains. None of them would successfully work without the computers that are
controlling them, including the onboard computer in the satellite. Computers control everything the space systems do and they are
vulnerable to Cyber-Attack on them. The worst-case scenario in space Cyber-Attack would be if someone
managed to hijack a satellite after penetrating the command and control computer
of the satellite. This scenario is an operator's nightmare, and we can assume that all measures are being taken to safeguard against such threats, says
Levi. However, if we are looking at the satellite service -- the service the satellite provides -- one can attack the service
rather than the satellite itself. This could mean, for example attacking communication
links between satellite ground stations and the broadcasting source instead of
jamming the signal. This way, the satellite system would be working perfectly, but its service would be denied. Levi explains that from
the point of view of an attacker, this brings the same result but without the strategic risk of
directly attacking or jamming a satellite system. Levi quotes Gen. William Shelton,
commander of US Air Force Space Command: There's not an operation conducted
anywhere at any level that is not somehow dependent on space and cyberspace,
adding that this dependency could be used to attack space assets from cyberspace. From a cyberspace perspective, it's irrelevant how high above the
ground a computer is positioned. But attacking the services a satellite provides is not the only approach to compromise a satellite system. Space
systems are computer systems; this requires a new approach to better safeguard
satellite systems from attacks, Levi says. Such protection should include not only focusing on the protection of the satellite
itself, but thinking about broader protection. A broader protection would need to take into account the supporting systems that enable the satellite to
provide service, like communication, electricity, water supply, sewage and so on. Such protection is much more complex, but possible. Considerations
to this sort of protection should include re-analysis of the systems and the dependence of the satellite systems computer systems and their sensitivity to
Cyber-Attacks.

Nations are preparing for a cyber conflict involving space assets.
Bill Gertz 13, lectured on defense, national security, and media issues at the
Defense Department's National Security Leadership Program, Johns Hopkins
University School of Advanced International Studies, the FBI National Academy,
the National Defense University, and the CIA, media fellow at the Hoover
Institution on War, Revolution and Peace at Stanford University, China's Military
Preparing for People's War in Cyberspace, Space, The Washington Free
Beacon, http://freebeacon.com/china-military-preparing-for-peoples-war-incyberspace-space/
Translated report reveals high-tech plans for cyber attacks, anti-satellite strikes,

China's military is preparing for war in
cyberspace involving space attacks on satellites and the use of both military and civilian
personnel for a digital people's war, according to an internal Chinese defense report. As cyber
technology continues to develop, cyber warfare has quietly begun, the report concludes, noting that the ability to wage cyber
war in space is vital for China's military modernization. According to the report, strategic warfare in the
past was built on nuclear weapons. But strategic warfare in the information age is cyber warfare, the report said. With the reliance of information
warfare on space, cyberspace will surely become a hot spot in the struggle for cyberspace control, the report said. The new details of Chinese plans for
cyber and space warfare were revealed in a report Study on Space Cyber Warfare by four engineers working at a Chinese defense research center in
Shanghai. The report presents a rare inside look of one of Beijing's most secret military programs: Cyber warfare plans against the United States in a
future conflict. Cyber warfare is not limited to military personnel. All personnel with special knowledge and skills on information system may
participate in the execution of cyber warfare. Cyber warfare may truly be called a people's warfare, the report says. People's War was first developed
by China's Communist founder Mao Zedong as a Marxist-Leninist insurgency and guerrilla warfare concept. The article provides evidence that Chinese
military theorists are adapting Mao's peasant uprising stratagem for a future conflict with the United States. A defense official said the report was
recently circulated in military and intelligence circles. Its publication came as a surprise to many in the Pentagon because in the past, U.S. translations
of Chinese military documents on similar warfighting capabilities were not translated under a directive from policy officials seeking to prevent
disclosure of Chinese military writings the officials feared could upset U.S.-China relations. A Chinese government spokesman could not be reached for
comment. However, Chinese spokesmen in the past have denied reports that China engages in cyber attacks. The study links China's space
warfare development programs with its extensive cyber warfare capabilities. Both programs are considered
trump card weapons that would allow a weaker China to defeat a militarily stronger
United States in a conflict. Cyber warfare is an act of war that utilizes space technology; it combines space technology and cyber
technology and maintains and seizes the control of cyberspace, the study says. Because cyberspace relies on satellites, space
will surely be the main battlefield of cyber warfare, the report said. Satellites and space vehicles are
considered the outer nodes of cyber space and are clear targets for attack and may be approached directly, the report said, adding that ground-based cyberspace nodes are more concealed and thus more difficult to attack. Additionally, satellites have limited defenses and anti-jamming
capabilities, leaving them very vulnerable to attack. The report reveals that China's military, which controls the
country's rapidly growing space program, is preparing to conduct space-based
cyber warfare -- cyber reconnaissance, jamming, and attack -- from space vehicles. Space-based cyber warfare
will include three categories: space cyber attack, space cyber defense, and space
cyber support. The space cyber support involves reconnaissance, targeting, and intelligence gathering. A space cyberattack is carried out using space technology and methods of hard kill and soft kill,
the report said. It ensures its own control at will while at the same time uses cyberspace to
disable, weaken, disrupt, and destroy the enemy's cyber actions or cyber installations.

Satellites are perceived as key to military posturing -- aggression risks sparking war now.
Lee Billings 15, editor at Scientific American covering space and physics, War
in Space May Be Closer Than Ever, 8/10/15, Scientific American,
http://www.scientificamerican.com/article/war-in-space-may-be-closer-than-ever/,
VL
The world's most worrisome military flashpoint is arguably not in the Strait of
Taiwan, the Korean Peninsula, Iran, Israel, Kashmir or Ukraine. In fact, it cannot be located on any map of Earth, even though it is very
easy to find. To see it, just look up into a clear sky, to the no-man's-land of Earth orbit, where a
conflict is unfolding that is an arms race in all but name. The emptiness of outer space might be the last
place you'd expect militaries to vie over contested territory, except that outer space isn't so empty anymore. About 1,300
active satellites wreathe the globe in a crowded nest of orbits, providing worldwide communications, GPS navigation, weather forecasting and planetary
surveillance. For militaries that rely on some of those satellites for modern warfare, space has
become the ultimate high ground, with the U.S. as the undisputed king of the hill. Now, as China and Russia
aggressively seek to challenge U.S. superiority in space with ambitious military
space programs of their own, the power struggle risks sparking a conflict that could cripple
the entire planet's space-based infrastructure. And though it might begin in space, such a conflict could easily ignite full-blown war on Earth. The long-simmering tensions are now approaching a boiling point
due to several events, including recent and ongoing tests of possible anti-satellite
weapons by China and Russia, as well as last month's failure of tension-easing
talks at the United Nations.

Ensures retaliation.
Karl P. Mueller 13, senior political scientist at the RAND Corporation,
specializes in research related to military and national security strategy,
particularly coercion and deterrence, professor of comparative military studies at
the U.S. Air Force's School of Advanced Air and Space Studies in 2001, currently
an adjunct professor at Johns Hopkins University and the Security Studies Program
at Georgetown, associate director of the RAND Arroyo Center's Strategy and
Resources Program and a faculty member in the Pardee RAND Graduate School,
The Absolute Weapon and the Ultimate High Ground: Why Nuclear Deterrence
and Space Deterrence Are Strikingly Similar - Yet Profoundly Different pgs. 50-51,
Published in Anti-satellite Weapons, Deterrence and Sino-American Space
Relations by Stimson, September 2013,
http://www.stimson.org/images/uploads/Anti-satellite_Weapons.pdf , VL

The two most important of these similarities both derive from the tendency for nuclear and ASAT attacks to be
difficult to defend against. Defending against ASAT attacks tends to be hard because of physics
and the geography of orbital space: Satellites are difficult, even often impossible, to conceal and difficult or costly
to maneuver out of harm's way. Defending against nuclear strikes can also be very hard, particularly when the
weapons are delivered by ballistic missiles, but the fundamental problem with trying to intercept incoming
nuclear warheads is that even defenses with a high success rate may be of little strategic value because a very
small number of leakers can be sufficient to cause vast destruction. If an attacker has high
confidence that an attack of either type will be at least operationally successful
because defenses are not effective, deterrence efforts will need to focus on
punishment and reward strategies because deterrence by denial will have little to
offer. This is a problem that extends beyond the confines of crisis stability, but it can be especially
acute in a crisis by creating powerful incentives for a first strike if war appears inevitable,
or even merely likely. Moreover, when the stakes are high, making punitive threats (or
reward offers) that are powerful enough to deter, absent being able to threaten an attacker with
actual defeat, can be a very difficult strategic mountain to climb.

The second issue is closely related. Under conditions of real or perceived first-strike
advantage, and with weapons for which tactical warning from detection to attack
may be measured in minutes (or even less for some directed energy attacks or for attacks by
prepositioned space mines), decision-making timelines are likely to be very compressed.18
This can cause or contribute to a witch's brew of pathological effects, limiting
opportunities for communication and signaling between adversaries or mediation
by third parties, constraining the collection and analysis of information and
consideration of alternative options, even causing panic and other psychological
problems for decision makers under intense pressure.19

Yes war -- an absence of a shared framework means any attack uniquely causes cross-domain responses and escalation.
Vincent Manzo 11, fellow in the Defense and National Security Group of the
CSIS International Security Program, specializes in U.S. defense strategy, nuclear
weapons, missile defense, space and cyber policy, with a focus on exploring
deterrence, employment strategies and escalation control in the emerging
strategic environment, former research analyst at the National Defense
University's Institute for National Strategic Studies, Deterrence and Escalation in
Cross-domain Operations: Where Do Space and Cyberspace Fit? pgs. 4-5, Institute
for National Strategic Studies Strategic Forum at the National Defense University,
December 2011, https://www.law.upenn.edu/live/files/1323-manzo-deterrence-andescalation, VL
Unfortunately, countries lack a shared framework for interpreting how counterspace and
cyber attacks fit into an escalation ladder. Competition and vulnerability in space
and cyberspace are new relative to land, air, and sea. Countries have less experience fighting
wars in which space and cyberspace are part of the battlefield. Unlike conventional and nuclear
weapons, experts are less certain about the precise effects of attacks in these domains.9

For these reasons, a widely shared framework for judging how counterspace and cyber
attacks correspond with interactions in other domains and, more broadly, with political
relations between potential adversaries during peacetime, in crises, and in wars
does not yet exist. Without one, decisionmakers will have difficulty distinguishing
between proportional and escalatory attacks and reprisals that cross from
traditional strategic domains into these newer ones and vice versa.
The absence of a shared framework within the U.S. strategic community complicates effective cross-domain contingency planning. Developing coherent,
effective, and usable options for responding to attacks in space and cyberspace requires that military planners in the different Services and combatant
commands possess similar assumptions about cross-domain proportionality and escalation. For example, Principal Deputy Under
Secretary of Defense for Policy James Miller testified that U.S. responses to
counterspace attacks could include necessary and proportional responses outside
of the space domain.10

Yet there are a variety of types of counterspace attacks and even more potential nonspace targets for U.S. reprisals. A common framework would help
planners determine which nonspace responses best correspond with counterspace attacks of varying scope and severity.
The absence of a shared framework between the United States, allies, and potential adversaries undermines deterrence and increases the potential for
miscalculation. Effective deterrence requires that U.S. officials influence potential adversaries' perceptions of the likely consequences of the actions the
United States wishes to deter. The United States might threaten to respond to a particular type of attack in space or cyberspace by employing different
capabilities against different targets in other domains. Such threats, however, are less likely to resonate as credible with potential adversaries if they do
not understand U.S. assumptions about how domains are linked and why a particular response is a logical and proportional reaction to the initial attack.
As an example, imagine the United States threatened to respond to ASAT attacks on U.S. intelligence, surveillance, and reconnaissance (ISR) satellites
with attacks against the adversary's air defense network.
The logic underlying this policy is that the United States might employ ISR aircraft over the adversary's territory to compensate for the lost satellites.
Attacks on the air defense network would be necessary to ensure that the aircraft could effectively penetrate the country's airspace. This policy is
proportional because the United States is restoring its lost ISR capability, thereby denying the benefits of the ASAT attack.

However, the U.S. response would be different from the adversary's attack. Instead of
responding in space, the United States would attack targets on or around the
adversary's homeland. To further complicate the situation, the United States might
use conventional weapons to destroy the air defense network even if the initial
ASAT attack was nonkinetic. Without a shared framework, potential adversaries might consider this deterrence threat illogical
and therefore not credible. If deterrence failed, they might perceive such a U.S. response as arbitrary and escalatory.
Even with a shared framework, they may still consider this response as escalatory,
but they would also understand it to be a likely consequence of employing ASATs against the United States before authorizing an attack.

1AC Solvency
CONTENTION 2: SOLVENCY
Current NSA policy virtually guarantees non-disclosure --
banning surveillance removes all disincentives to disclose
Kim Zetter 15, award-winning journalist who covers cybercrime and security
for Wired, 'Turns Out The US Launched Its Zero-Day Policy In Feb 2010'. WIRED.
Accessed July 24 2015. http://www.wired.com/2015/06/turns-us-launched-zero-daypolicy-feb-2010, VL
When the NSA or another agency discovers a software vulnerability, they use the
Equities process to determine whether there is more to be gained from keeping the
vulnerability secret or from disclosing it to be patched. That process was apparently weighted on the side of exploiting
vulnerabilities over disclosing them until last year when the government had to reinvigorate the policy because it was not being implemented in the
intended manner. The President's Privacy and Civil Liberties Oversight Board had determined
that the Equities process wasn't being implemented as the board thought it should
be, suggesting that more zero days were being kept secret than the board thought
wise. Information about vulnerabilities also wasn't being shared among all the agencies that needed to have a say in the decision-making process.

The new document, which is heavily redacted, provides little additional information about the Equities process or the government's use
of zero-days. But it does describe the order of events after a zero-day vulnerability is
discovered. The vulnerability first undergoes a classification process to determine
if it requires special handling. If it reaches a certain threshold -- the threshold
isn't disclosed in the document -- then the executive secretariat is notified
immediately. The executive secretariat, for this purpose, is the NSA/Information Assurance Directorate. The NSA then
notifies other agencies participating in the equities process to give them a chance
to indicate if they have an equity at stake and want to participate in the decision process for determining if the
vulnerability will be disclosed or kept secret. What the document doesn't say, however, is whether all parties
in the decision making process have equal input. The document notes that the purpose of the
Equities process is to ensure that decisions are made in the best interest of
intelligence collection, investigative matters and information assurance. Understanding that
in most circumstances all three interest [sic] will not be satisfied but the best resolution for the overall good will be put forth. Nathan
Wessler, staff attorney for the ACLU, says this is the crux of the whole Equities
process. How they make the decision about which interest to prioritize when they find the zero day vulnerability [is] the decision that everything
rides on, he says. But at no point . have government officials ever explained how they're
going to balance these competing interests and how they're going to ensure that the
cybersecurity voices at the table will be as loud and respected as the law-enforcement voices.

The grey market incentivizes intentionally weak software -- plan spurs long-term cybersecurity.
Schneier 12 [Bruce, security expert with 13 books, fellow at the Berkman Center
for Internet & Society at Harvard Law School, a program fellow at the New
America Foundation's Open Technology Institute and the CTO of Resilient Systems,
The Vulnerabilities Market and the Future of Security, Forbes, 5/30/2012,
http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-marketand-the-future-of-security/] //khirn
Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It's not just software
companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it's not only criminal
organizations, who pay for vulnerabilities they can exploit. Now there are
governments, and companies who sell to governments, who buy
vulnerabilities with the intent of keeping them secret so they can exploit them. This
market is larger than most people realize, and it's becoming even larger. Forbes recently published a price list for
zero-day exploits, along with the story of a hacker who received $250K from a U.S. government contractor (At first I didn't believe the story or the
price list, but I have been convinced that they both are true.) Forbes published a profile of a company called Vupen, whose business is selling zero-day
exploits. Other companies doing this range from startups like Netragard and Endgame to large defense contractors like Northrop Grumman, General
Dynamics, and Raytheon. This is very different than in 2007, when researcher Charlie Miller wrote about his attempts to sell zero-day exploits; and a
2010 survey implied that there wasn't much money in selling zero days. The market has matured substantially in the past few years. This new market
perturbs the economics of finding security vulnerabilities. And it does so to the detriment of us all. I've long argued that
the process of
finding vulnerabilities in software system increases overall security. This is because
the economics of vulnerability hunting favored disclosure. As long as the principal
gain from finding a vulnerability was notoriety, publicly disclosing vulnerabilities
was the only obvious path. In fact, it took years for our industry to move from a norm of
full-disclosure -- announcing the vulnerability publicly and damn the consequences -- to something called responsible
disclosure: giving the software vendor a head start in fixing the vulnerability. Changing economics is what
made the change stick: instead of just hacker notoriety, a successful vulnerability finder could land some lucrative consulting gigs, and being a

a disclosed vulnerability is one that -- at least in
most cases -- is patched. And a patched vulnerability makes us all more secure. This is why the
new market for vulnerabilities is so dangerous; it results in vulnerabilities remaining secret and
unpatched. That it's even more lucrative than the public vulnerabilities market
means that more hackers will choose this path. And unlike the previous reward of notoriety and consulting gigs,
it gives software programmers within a company the incentive to deliberately
create vulnerabilities in the products theyre working on and then secretly sell
them to some government agency . No commercial vendors perform the level of
code review that would be necessary to detect, and prove mal-intent for, this kind of sabotage.
Even more importantly, the new market for security vulnerabilities results in a variety of
government agencies around the world that have a strong interest in those
vulnerabilities remaining unpatched . These range from law-enforcement agencies
(like the FBI and the German police who are trying to build targeted Internet surveillance tools, to intelligence agencies like
the NSA who are trying to build mass Internet surveillance tools , to military organizations who are
responsible security researcher helped. But regardless of the motivations,

trying to build cyber-weapons. All of these agencies have long had to wrestle with the choice of whether to use newly discovered vulnerabilities to
protect or to attack. Inside the NSA, this was traditionally known as the equities issue, and the debate was between the COMSEC (communications
security) side of the NSA and the SIGINT (signals intelligence) side. If they found a flaw in a popular cryptographic algorithm, they could either use that
knowledge to fix the algorithm and make everyones communications more secure, or they could exploit the flaw to eavesdrop on others while at the
same time allowing even the people they wanted to protect to remain vulnerable. This debate raged through the decades inside the NSA. From what Ive

The whole point of


disclosing security vulnerabilities is to put pressure on vendors to release more
secure software. Its not just that they patch the vulnerabilities that are made
public the fear of bad press makes them implement more secure software
development processes. Its another economic process; the cost of designing software securely in the first place is less than the cost
heard, by 2000, the COMSEC side had largely won, but things flipped completely around after 9/11.

of the bad press after a vulnerability is announced plus the cost of writing and deploying the patch. Id be the first to admit that this isnt perfect

but its the best incentive we have. Weve always


expected the NSA, and those like them, to keep the vulnerabilities they discover
secret. We have been counting on the public community to find and publicize vulnerabilities, forcing vendors to fix them. With the rise
of these new pressures to keep zero-day exploits secret, and to sell them for
exploitation, there will be even less incentive on software vendors to ensure the
security of their products. As the incentive for hackers to keep their vulnerabilities secret grows, the incentive for
vendors to build secure software shrinks. As a recent EFF essay put it, this is
security for the 1%. And it makes the rest of us less safe .
theres a lot of very poorly written software still out there

Disclosure resolves countless vulnerabilities.


Jordan Robertson and Michael Riley 14, reporters for Bloomberg, US
Contractors Scale Up Search for Heartbleed-Like Flaws, 5/2/14, Bloomberg
Business, http://www.bloomberg.com/news/articles/2014-05-02/us-contractorsscale-up-search-for-heartbleed-like-flaws, VL
The U.S. has poured billions of dollars into an electronic arsenal built
with so-called zero-day exploits, manipulations of missteps or oversights in code that can make anything that runs on a computer chip
vulnerable to hackers. They go far beyond flaws in web encryption like SSL and OpenSSL,
which the NSA has exploited for years without warning the public about it, according to people
with knowledge of the matter. The agency's stockpile of exploits runs into the thousands, aimed
at every conceivable device, and many are not disclosed even to units within the
agency responsible for defending U.S. government networks, people familiar with the program said.
Zero-day Exploits

Under a directive made public April 11, after Bloomberg News reported the NSA's utilization of the infamous Heartbleed bug -- a use the agency denied
-- the White House said exploits should in most cases be disclosed so computer users can protect themselves.

That disarms hackers globally -- weapons become useless.


Masnick 14 [Mike, founder and CEO of Floor64 and editor of the Techdirt blog,
Obama Tells NSA To Reveal, Not Exploit, Flaws... Except All The Times It Wants
To Do The Opposite, Techdirt, April 14, 2014,
https://www.techdirt.com/articles/20140413/07094726892/obama-tells-nsa-toreveal-not-exploit-flaws-except-all-times-it-wants-to-do-opposite.shtml] //khirn
However, the NY Times had a story this weekend about how this move has forced the administration to clarify its position on zero day exploits. It's
already known that the NSA buys lots of zero day exploits and makes the internet weaker
as a result of it. Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits
that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes
that, following the White House's intelligence review task force recommendation that the NSA stop weakening encryption and other technologies,
President Obama put in place an official rule that the NSA should have a "bias" towards
revealing the flaws and helping to fix them, but leaves open a massive loophole: But
Mr. Obama carved a broad exception for a clear national security or law enforcement need, the officials said, a loophole that is likely to allow the
N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons. Amusingly, the NY Times initially had a
title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to
the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say." Of course, the cold war analogy used by people in the article
seems... wrong: "We don't eliminate nuclear weapons until the Russians do," one senior intelligence official said recently. "You are not
going to see the Chinese give up on zero days just because we do." Except, it's
meaningless that no one expects the Chinese (or the Russians or anyone else) to
give up zero days. The simple fact is that if the NSA were helping to stop zero days that
would better protect everyone against anyone else using those zero days. In fact,
closing zero days is just like disarming both sides, because it takes the
vulnerability out of service. It's not about us giving up our "weapons," it's about
building a better defense for the world. And yet the NSA isn't willing to do that.
Because they're not about protecting anyone -- other than themselves.

NSA can't make effective calls -- disclosure reasserts
commitments to cybersecurity, which is the necessary
catalyzing factor for international cyberdefense treaties.
Bruce Schneier 14, internationally renowned security technologist, fellow at
the Berkman Center for Internet and Society at Harvard Law School and a
program fellow at the New America Foundation's Open Technology Institute.
Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them?, May 19, 2014,

http://www.theatlantic.com/technology/archive/2014/05/should-hackers-fixcybersecurity-holes-or-exploit-them/371197/, VL
The NSA, and by extension U.S. Cyber Command, tries its best to play both ends of this game. Former
NSA Director Michael Hayden talks about NOBUS, nobody but us. The NSA has a classified
process to determine what it should do about vulnerabilities, disclosing and closing most of the ones it finds, but holding back some -- we don't know how
many -- vulnerabilities that nobody but us could find for attack purposes. This approach seems
to be the appropriate general framework, but the devil is in the details. Many of us in the
security field don't know how to make NOBUS decisions, and the recent
White House clarification posed more questions than it answered. Who makes these decisions,
and how? How often are they reviewed? Does this review process happen inside Department of Defense, or is it broader? Surely there needs to be a
technical review of each vulnerability, but there should also be policy reviews regarding the sorts of vulnerabilities we are hoarding. Do we hold these
vulnerabilities until someone else finds them, or only for a short period of time? How many do we stockpile? The US/Israeli cyberweapon Stuxnet used
four zero-day vulnerabilities. Burning four on a single military operation implies that we are not hoarding a small number, but more like 100 or more.
There's one more interesting wrinkle. Cyber-weapons are a combination of a payload -- the damage the weapon does -- and a delivery mechanism: the
vulnerability used to get the payload into the enemy network. Imagine that China knows about a
vulnerability and is using it in a still-unfired cyber-weapon, and that the
NSA learns about it through espionage. Should the NSA disclose and patch the
vulnerability, or should it use it itself for attack? If it discloses, then China could find a replacement
vulnerability that the NSA won't know about it. But if it doesn't, it's deliberately leaving the U.S.
vulnerable to cyber-attack. Maybe someday we can get to the point where we can patch vulnerabilities faster than the enemy
can use them in an attack, but we're nowhere near that point today. The implications of U.S. policy can be felt on a
variety of levels. The NSA's actions have resulted in a widespread mistrust of the
security of U.S. Internet products and services, greatly affecting American
business. If we show that we're putting security ahead of surveillance, we can
begin to restore that trust. And by making the decision process much more public than it is
today, we can demonstrate both our trustworthiness and the value of open
government. An unpatched vulnerability puts everyone at risk, but not to the same degree. The U.S.
and other Western countries are highly vulnerable, because of our critical
electronic infrastructure, intellectual property, and personal wealth. Countries like China and Russia are less vulnerable -- North
Korea much less -- so they have considerably less incentive to see vulnerabilities fixed. Fixing vulnerabilities isn't disarmament; it's
making our own countries much safer. We also regain the moral authority to negotiate
any broad international reductions in cyber-weapons; and we can decide not to use
them even if others do. Regardless of our policy towards hoarding vulnerabilities, the most important thing we
can do is patch vulnerabilities quickly once they are disclosed. And that's what companies are doing,
even without any government involvement, because so many vulnerabilities are discovered by criminals. We also need more research in automatically
finding and fixing vulnerabilities, and in building secure and resilient software in the first place. Research over the last decade or so has resulted in
software vendors being able to find and close entire classes of vulnerabilities. Although there are many cases of these security analysis tools not being
used, all of our security is improved when they are. That alone is a good reason to continue disclosing vulnerability details, and something the NSA can
do to vastly improve the security of the Internet worldwide. Here again, though, they would have to make the tools they have to automatically find
vulnerabilities available for defense and not attack. In today's cyberwar arms race, unpatched
vulnerabilities and stockpiled cyber-weapons are inherently destabilizing, especially
because they are only effective for a limited time. The world's militaries are investing more money in finding vulnerabilities than the commercial world is
investing in fixing them. The vulnerabilities they discover affect the security of us all. No matter what
cybercriminals do, no matter what other countries do, we in the U.S. need to err on the side of security and fix almost all the vulnerabilities we find. But
not all, yet.

Policy clarity gives the US sufficient credibility for
international modeling -- conditional limits on zero-days fail.
Fidler 14 (Mailyn Fidler, graduate student at the Center for International
Security and Cooperation Freeman Spogli Institute for International Studies,
Stanford University. ANARCHY OR REGULATION: CONTROLLING THE GLOBAL
TRADE IN ZERO-DAY VULNERABILITIES, May 2014,
https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi
International cooperation is needed on the zero-day issue, but U.S. leadership is
required to catalyze such cooperation. Snowden's disclosures have caused
significant problems for the United States, reducing receptivity to cooperation with
the United States on cyber issues. This problem is exacerbated by the need to have the United States, as a major cyber
player, involved in international negotiations. Existing confusion and controversy over national U.S.
policies towards zero-day vulnerabilities create further obstacles to addressing
these issues at an international level. The United States needs to establish policy
clarity at a national level to set the stage for collective action, signaling to other
nations its seriousness about the problem and the nature of American interests towards it. Richard Clarke and Peter
Swire agree: we create a more secure and useful global Internet if other nations,
including China and Russia, adopt and implement similar policies to what the Obama
administration recently announced about U.S. zero-day policy, but because they [other nations] are unlikely to do so any time soon, the Obama
administration should also step up its efforts and create the basis for an
international norm of behavior.669 This thesis argues that the U.S. government must do more to strengthen its own zero-day
policies as a necessary element of addressing the need for collective action.

Only a complete commitment to de-militarization overcomes
international skepticism.
Adam Segal 11, Maurice R. Greenberg Senior Fellow for China Studies and
Director of the Digital and Cyberspace Policy Program, Ira A. Lipman senior fellow
for counterterrorism and national security studies at the Council on Foreign
Relations, Cyberspace Governance: The Next Step, Policy Innovation
Memorandum No. 2, March 2011, Council on Foreign Relations Press,
http://www.cfr.org/cybersecurity/cyberspace-governance-next-step/p24397, VL
This decentralized strategy is particularly important after Stuxnet, the malware that appears to target
the Iranian nuclear program. It is now widely assumed that the United States, along with Israel, was behind
the code. As a result, many countries will remain skeptical about Washington's intentions. Rules
that appear to be the work of the United States alone will have little chance of gaining international support. But building a coalition of states who will gain from and are willing to
push for new rules may give these norms greater legitimacy. There has been in the United States' international
engagement, however, a tendency to substitute process for strategy. While the decentralized
approach to cyberconflict is the right one, it does not help in identifying strategic goals. The
White House will have to become actively involved in order to push the process
forward. The National Security Council's Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC) subcommittee on international cyberspace policy
efforts should drive action, not just coordinate and share information about what other agencies are doing. An informal multilateralism is best
suited to cyberspace, and by focusing on some of the norms of interstate cyberconflict, and on thresholds and legitimate targets in particular, the United
States will be better able to begin shaping international norms.
