1AC
1AC Plan
The United States federal government should eliminate its
domestic surveillance programs using computer software
vulnerabilities or exploits unknown to relevant vendors.
agency and the DoD are spending so heavily for information on holes in commercial computer systems, and on
exploits taking advantage of them, that they are turning the world of security research on its
head, it's a new way to compete with adversary in cyberspace. Recent tension between China and US gave security experts the opportunity to
discuss about the development of the two countries of efficient cyber strategy that improve both offensive and defensive cyber capabilities. Both
countries are largely invested in the creation of new cyber units, but according to intelligence sources, offensive approach seems to be most stimulated by
the need to preserve the security in the cyberspace. NSA chief General Keith Alexander told Congress that the US Government is spending billions of
dollars every year on cyberdefense and constructing increasingly sophisticated cyberweapons this led to the birth of more than a dozen offensive
cyber units, designed to mount attacks, when necessary, at foreign computer networks. Popular hacker Charlie Miller, security researcher at Twitter,
with a past collaboration with NSA confirmed the offensive approach to cyber security: The only people paying are on the offensive side, The emerging
defense
contractors and intelligence agencies spend at least tens of millions of dollars a
year just on exploits. The zero-day market is very complex due to the high perishability of the goods, following some key figures of a so
zero-day market is fueled by intense activities of talented hackers who sell information on flaws in large use products. According to Reuters
complex business Difficulty finding buyers and sellers It's a closed market not openly accessible. Find a buyer or identify a possible seller is a critical
phase. Checking the buyer reliability The reduced number of reliable brokers able to locate a buyer pushes the researcher to try to tell many
individuals about the discovery in an attempt to find a buyer with obvious risks. Value cannot be demonstrated without loss One of the most fascinating
problems a researcher attempting to sell vulnerability information or a 0-day exploit may face is proving the validity of the information without
disclosing the information itself. The only way to prove the validity of the information is to either reveal it or demonstrate it in some fashion. Obviously,
revealing the information before the sale is undesirable as it leaves the researcher exposed to losing the intellectual property of the information without
compensation. Exclusivity of rights The final hurdle involves the idea of the exclusive rights of the information. In order to receive the largest payoffs,
private companies, both actors have started to code their own zero-day exploits. Private companies have also sprung up that hire programmers to do
the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the
price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive. The
Reuters report also revealed the participation of government representatives to the Secret Snoop Conference for Government and law enforcement
spying, clearly with the intent to acquire new technologies to conduct cyber espionage through malware based attacks able to compromise target
borrowed from an airport thriller, (and to some the use of such an outmoded term reflects the limited level of understanding of the issues involved by
those in charge) but the intent behind the investment is deadly serious. The UK's defence secretary Philip Hammond has made no secret of the country's
interest in the field, telling a newspaper late last year, "We will build in Britain a cyber strike capability so we can strike back in cyberspace against
enemies who attack us, putting cyber alongside land, sea, air and space as a mainstream military activity." The UK is thought to be spending as much as
clear that this team, this defend-the-nation team, is not a defensive team," he told the Senate Armed Services Committee last year. And of course,
it's not just the UK and US that are building up a digital army. In a time of
declining budgets, it's a way for defence ministries and defence companies to see
growth, leading some to warn of the emergence of a twenty-first century cyber-industrial complex. And the shift from investment in cyber-defence initiatives to
cyber-offensives is a recent and, for some, worrying trend. Peter W. Singer, director of the Center for 21st
building up and advancing military capabilities but feel less and less secure and that definitely characterises this space today," he said. It's taken less
than a decade for digital warfare to go from theoretical to the worryingly possible. Politicians may argue that building up these skills is a deterrent to
others, and emphasise such weapons would only be used to counter an attack, never to launch one. But for some, far from scaring off any would-be
threats, these investments in offensive cyber capabilities risk creating more instability. "In international stability terms, arms races are never a positive
thing: the problem is it's incredibly hard to get out of them because they are both illogical [and] make perfect sense," Singer said. Similarly Richard
Clarke, a former presidential advisor on cybersecurity told a conference in 2012, "We turn an awful lot of people off in this country and around the world
attack (indeed the UK's GCHQ has already used such attacks itself, according to leaks from Edward Snowden), something like Stuxnet built with the
aim of destroying the centrifuges used in the Iranian nuclear project is another thing entirely. "Stuxnet was almost a Manhattan Project style in terms
of the wide variety of expertise that was brought in: everything from intelligence analysts to some of the top cyber talent in the world to nuclear
physicists to engineers, to build working models to test it out on, and another entire espionage effort to put it in to the systems in Iran that Iran thought
have a very short shelf life. To have a real impact, these attacks are likely to be levelled at the industrial software that runs production lines, power
stations or energy grids, otherwise known as SCADA (supervisory control and data acquisition) systems. Increasingly, SCADA systems are being
internet-enabled to make them easier to manage, which of course, also makes them easier to attack. Easier doesn't mean easy though. These complex
systems, often built to last for decades, are often built for a very narrow, specific purpose - sometimes for a single building. According to Rid, this
makes them much harder to undermine. A bespoke, highly specific system requires a bespoke, highly specific attack, and a significant amount of
"The essence of an arms race is where the sides spend more and more on
building up and advancing military capabilities but feel less and less secure and
that definitely characterises this space today." Peter W. Singer, Center for 21st Century Security and Intelligence
intelligence, too.
"The only piece of target intelligence you need to attack somebody's email or a website is an email address or a URL. In the case of a control system, you
need much more information about the target, about the entire logic that controls the process, and legacy systems that are part of the process you are
attacking," Rid said. That also means that delivering any more than a few of these attacks at a time would be almost impossible, making a long cyberwar
They're sold for hundreds of thousands of dollars by their finders. A couple of years ago a Windows flaw might have earned its finder $100,000 on the
black market, an iOS vulnerability twice that. Zero-day flaws have an in-built weakness, though: they're a one-use only weapon. Once an attack has been
launched, the zero-day used is known to everyone. Take Stuxnet. Even though it seems to have had one specific target - an Iranian power plant - once
it was launched, Stuxnet spread very widely, meaning security companies around the world could examine the code, and making it much harder for
anyone to use that exact same attack again. "It's like dropping the bomb, but also [saying] here's the blueprint of how to build the bomb," explains
As governments
stockpile zero-day flaws for use in their cyber-weapons, it means they aren't being
reported to the software vendors to be fixed - leaving unpatched systems around
the world at risk when they could easily be fixed.
Singer, author of the recent book Cybersecurity and Cyberwar. But this leads to another, unseen problem.
U.S. power
grid control systems (i.e., SCADA systems) were on closed networks that were not
connected to the Internet. Over time, however, the electric industry began relying on
SCADA systems to improve the efficiency and performance of their systems. As it is
cheaper to maintain an open network than a closed one, firms opted to move to
open networks. Access to the Internet, with its attendant benefits and
vulnerabilities, became essential for operations.190 In addition to penetrating power
companies via the Internet, hackers can compromise SCADA systems by
exploiting outdated modems used for maintenance purposes, or by exploiting
wireless access points - jumping the air gap. Again, irrespective of being on an open
or closed network, the problems of supply chain security and insider threats
remain. Finally, power companies may buy and trade power among one another,
creating the prospect that hackers breaching the defenses of one firm will have
effectively penetrated all its partners as well.191 The U.S. power grid's vulnerability
is heightened by two additional factors. First, most grid asset owners and
operators have been historically resistant to report cyber attacks against their
networks or to make the necessary investments to upgrade and secure their
networks.192 Second, the U.S. power grid is highly centralized; the power grid
serving the contiguous forty-eight states is composed of three distinct power grids,
or interconnections - the Eastern Interconnection, the Western Interconnection, and the Electric Reliability Council of Texas
Interconnection.193 These interconnections provide power to the continental United States, Canada, and a small part of Mexico. The
combination of centralized grids and a lack of emphasis on defensive measures
could make the power grid more vulnerable to cascading failures, as have been
triggered by other events in the past. As roughly 90 percent of the Defense
Department's most critical assets are entirely dependent on the bulk power grid,
there is the potential for a Cyber Pearl Harbor to result from a successful attack
on the grid.194 A recent case points out just how vulnerable the grid may be. In
2008 a power company hired a cyber security firm to test the security of the
network it employs to oversee its power grid. The cyber security team took only a
day to organize its cyber tools before launching its attack. The penetration team monitored SCADA user
not possible to provide a definitive answer, there is sufficient evidence to justify concern that such an event could occur. Initially
groups, harvesting the email addresses of people working at the targeted power company. It then sent the workers an email describing the company's
intention to reduce their benefits along with a link to an Internet site where they could obtain more information. When the employees clicked on the
link, they were directed to an Internet server set up by the penetration team. The employees' machines displayed an error message; however, the
and customers are the ones who pay the highest prices for ZDEs. Reportedly, markets in the Middle East cannot yet match the higher prices offered by
Western governments (Greenberg 2012b). Cyber experts involved in the design and sale of ZDEs include scientists, researchers, national military warfighters,
students, and individual criminals. Individuals with sophisticated programming skills are actively recruited as workers by a variety of
organizations, including law enforcement agencies, criminal organizations, and also possibly some extremist groups (Paganini 2012).
Government agencies may explain to the sellers that the malware is intended for
use to monitor communications of criminal suspects, or temporarily disable the
computers and phones of suspects and targets as part of intelligence gathering
programs. However, the growing body of ZDEs and malicious code are contributing to a
cyber arms race, along with the familiar questions and concerns about containment and nonproliferation normally associated with CBRN
weapons. ZDEs that are designed and purchased for use by the military and law
enforcement may eventually come to threaten civilian critical infrastructure systems if
they should find their way into the hands of terrorists and extremist groups. Reports have started to emerge that this
gradual leakage of malicious ZDE code originally intended for use by law enforcement is already
starting to take place.
the head of the National Security Agency (NSA) and U.S. Cyber Command told a congressional panel
on Thursday. Admiral Michael Rogers told the hearing that software had been detected in China that could significantly damage the nation's
economic future by interfering with power company networks and other critical systems. Describing the malware, he told the House Intelligence
"It enables you to shut down very segmented, very tailored parts of our
infrastructure that forestall the ability to provide that service to us as citizens." "It is only a matter of the when, not the if, that we are going
Committee that:
to see something traumatic," he added. When asked by Republican representative for Michigan Mike Rogers, who chairs the intelligence committee,
what other countries have this capability, the NSA director responded "one or two others," but declined to name them for security reasons. "We're
the
interconnectedness of power grids means that they are liable to "cascading
failures". As nearby grids take up the slack for the failed system, they become overloaded
and they too fail in a chain reaction. Rogers said that such attacks are part of "coming
trends" in which so-called zero-day vulnerabilities in U.S. cyber systems are
exploited. A zero-day vulnerability refers to a hole in software that is unknown to the vendor, which can be exploited by hackers before the
watching multiple nation states invest in this capability," he said. According to cyber expert Caroline Baylon of thinktank Chatham House,
vendor becomes aware and hurries to patch it up. They are becoming an increasingly powerful weapon of cyber espionage as countries become more
country's interest to attack the power grid of another country, now is the time for countries to look for these vulnerabilities because this is when they
strictly illegal yet - for zero-day vulnerabilities now exists, with companies like Vupen in France selling them to governments for use in espionage.
the U.K. and the U.S. are particularly at risk because they have a huge
amount of critical infrastructure connected to the internet. Some countries however, like Russia, have
According to Baylon,
clear government policy about being connected to the internet. "There is a huge asymmetry going on," she said. Russia is also regarded as having an
aggressive cyber programme. Rogers's testimony comes shortly after the release of a report from the Pew Internet and American Life Project that says
that it is likely that a catastrophic cyber-attack would have occurred by 2025, causing significant losses in life and financial damage. "Intelligence
However she stresses that whilst "it is very hard to find solutions", governments and experts are working very hard on the issue. In his testimony to the
Even if the United States, in crisis mode, put full diplomatic pressure on
supplier nations -- or launched a military invasion to take over manufacturing facilities -- the capacity to ramp up
production would be severely limited. Worldwide production currently amounts to
only a few hundred generators per year. The consequences of going without power
for months, across a large swath of the United States, would be devastating.
are -- not in the United States.
Backup electrical generators in hospitals and other vulnerable facilities would have to rely on
fuel that would be in high demand. Diabetics would go without their insulin; heart
attack victims would not have their defibrillators; and sick people would have no place
to go. Businesses would run out of inventory and extra capacity. Grocery stores
would run out of food, and deliveries of all sorts would virtually cease (no gasoline for trucks and
airplanes, trains would be down). As we saw with the blackouts caused by Hurricane Sandy, gas stations couldn't pump gas
from their tanks, and fuel-carrying trucks wouldn't be able to fill up at refueling
stations. Without power, the economy would virtually cease, and if power failed over a large enough portion
of the country, simply trucking in supplies from elsewhere would not be adequate to cover
the needs of hundreds of millions of people. People would start to die by the thousands,
then by the tens of thousands, and eventually the millions. The loss of the power
grid would put nuclear plants on backup, but how many of those systems would
fail, causing meltdowns, as we saw at Fukushima? The loss in human life would
quickly reach, and perhaps exceed, the worst of the Cold War nuclear-exchange
scenarios. After eight to 10 days, about 72 percent of all economic activity, as measured by GDP, would shut down, according to an analysis by
Scott Borg, a cybersecurity expert.
would certainly take note and presumably follow suit. Moreover, if the United States, Russia and China adopted policies threatening an early nuclear
other domains.13 But news outlets frequently describe incidents of cyber exploitation
against the U.S. Government as cyber attacks and evidence of an ongoing war in cyberspace.14
Conflating these operations contributes to the impression that U.S. deterrence has
already failed. Potential adversaries might conclude that U.S. threats to respond to
cyber attacks in other domains lack credibility based on how the United States reacted to previous exploitation
operations.
This
might affect how they calculate risks and benefits of cyber attacks
perception
in crises.
How can U.S. officials publicly convey that cyber exploitation and attacks pose different threats and require different responses, especially given the
overlap between the two? Emphasizing that the real-world effects of attacks and exploitation differ might be a first step toward establishing a threshold
between the two. This message would reinforce that deterrence has not failed because the effects of exploitation in cyberspace have not yet warranted
U.S. military responses in other domains. It clarifies the types of actions that the United States is attempting to deter.
infinite number of scenarios that are neither indicative of a minor harassing incident of jamming nor strategic attack in space and cyberspace.15
Assessing the effects of such attacks and choosing appropriate responses amid the
stress and confusion of a military crisis might be difficult. U.S. and foreign officials
likely will have differing views about the severity of nonkinetic disruptions that defy easy
categorization, and the obstacles to developing a common framework might be too
formidable.
coding of software or hardware Levi explains. There are also backdoors which can be planned or covertly inserted in the software/hardware
The most valuable resource for a cyber criminal is what is called Zero Day
vulnerability, a vulnerability that has not been publicly disclosed. Those vulnerabilities are
unknown to the general public or the software or hardware developers and therefore can be exploited by an attacker, says Levi, adding that these
are literally a free-pass to the organization's IT systems that can be used
sometimes for over a year, according to research done by Symantec. Space Systems Vulnerability Space systems, which in turn
development process.
are composed of a network of ground stations and spacecrafts using satellite communication for specific purposes, are themselves potentially subject to
these same vulnerabilities. The
adding that this dependency could be used to attack space assets from cyberspace. From a cyberspace perspective, it's irrelevant how high above the
Space
systems are computer systems; this requires a new approach to better safeguard
satellite systems from attacks, Levi says. Such protection should include not only focusing on the protection of the satellite
ground a computer is positioned. But attacking the services a satellite provides is not the only approach to compromise a satellite system.
itself, but thinking about broader protection. A broader protection would need to take into account the supporting systems that enable the satellite to
provide service, like communication, electricity, water supply, sewage and so on. Such protection is much more complex, but possible. Considerations
to this sort of protection should include re-analysis of the systems and the dependence of the satellite systems computer systems and their sensitivity to
Cyber-Attacks.
past was built on nuclear weapons. But strategic warfare in the information age is cyber warfare, the report said. With the reliance of information
warfare on space, cyberspace will surely become a hot spot in the struggle for cyberspace control, the report said. The new details of Chinese plans for
cyber and space warfare were revealed in a report Study on Space Cyber Warfare by four engineers working at a Chinese defense research center in
Shanghai. The report presents a rare inside look of one of Beijing's most secret military programs: Cyber warfare plans against the United States in a
future conflict. Cyber warfare is not limited to military personnel. All personnel with special knowledge and skills on information system may
participate in the execution of cyber warfare. Cyber warfare may truly be called a people's warfare, the report says. People's War was first developed
by China's Communist founder Mao Zedong as a Marxist-Leninist insurgency and guerrilla warfare concept. The article provides evidence that Chinese
military theorists are adapting Mao's peasant uprising stratagem for a future conflict with the United States. A defense official said the report was
recently circulated in military and intelligence circles. Its publication came as a surprise to many in the Pentagon because in the past, U.S. translations
of Chinese military documents on similar warfighting capabilities were not translated under a directive from policy officials seeking to prevent
disclosure of Chinese military writings the officials feared could upset U.S.-China relations. A Chinese government spokesman could not be reached for
China's space
warfare development programs with its extensive cyber warfare capabilities. Both programs are considered
trump card weapons that would allow a weaker China to defeat a militarily stronger
United States in a conflict. Cyber warfare is an act of war that utilizes space technology; it combines space technology and cyber
technology and maintains and seizes the control of cyberspace, the study says. Because cyberspace relies on satellites, space
comment. However, Chinese spokesmen in the past have denied reports that China engages in cyber attacks. The study links
will surely be the main battlefield of cyber warfare, the report said. Satellites and space vehicles are
considered the outer nodes of cyber space and are clear targets for attack and may be approached directly, the report said, adding that ground-based cyberspace nodes are more concealed and thus more difficult to attack. Additionally, satellites have limited defenses and anti-jamming
For militaries that rely on some of those satellites for modern warfare, space has
become the ultimate high ground, with the U.S. as the undisputed king of the hill. Now, as China and Russia
aggressively seek to challenge U.S. superiority in space with ambitious military
space programs of their own, the power struggle risks sparking a conflict that could cripple
the entire planet's space-based infrastructure. And though it might begin in space, such a conflict could easily ignite full-blown war on Earth. The long-simmering tensions are now approaching a boiling point
due to several events, including recent and ongoing tests of possible anti-satellite
weapons by China and Russia, as well as last month's failure of tension-easing
talks at the United Nations.
surveillance.
Ensures retaliation.
Karl P. Mueller 13, senior political scientist at the RAND Corporation,
specializes in research related to military and national security strategy,
particularly coercion and deterrence, professor of comparative military studies at
the U.S. Air Force's School of Advanced Air and Space Studies in 2001, currently
an adjunct professor at Johns Hopkins University and the Security Studies Program
at Georgetown, associate director of the RAND Arroyo Center's Strategy and
Resources Program and a faculty member in the Pardee RAND Graduate School,
The Absolute Weapon and the Ultimate High Ground: Why Nuclear Deterrence
and Space Deterrence Are Strikingly Similar - Yet Profoundly Different pgs. 50-51,
Published in Anti-satellite Weapons, Deterrence and Sino-American Space
Relations by Stimson, September 2013,
http://www.stimson.org/images/uploads/Anti-satellite_Weapons.pdf , VL
The two most important of these similarities both derive from the tendency for nuclear and ASAT attacks to be
difficult to defend against. Defending against ASAT attacks tends to be hard because of physics
and the geography of orbital space: Satellites are difficult, even often impossible, to conceal and difficult or costly
to maneuver out of harm's way. Defending against nuclear strikes can also be very hard, particularly when the
weapons are delivered by ballistic missiles, but the fundamental problem with trying to intercept incoming
nuclear warheads is that even defenses with a high success rate may be of little strategic value because a very
For these reasons, a widely shared framework for judging how counterspace and cyber
attacks correspond with interactions in other domains and, more broadly, with political
relations between potential adversaries during peacetime, in crises, and in wars
does not yet exist. Without one, decisionmakers will have difficulty distinguishing
between proportional and escalatory attacks and reprisals that cross from
traditional strategic domains into these newer ones and vice versa.
The absence of a shared framework within the U.S. strategic community complicates effective cross-domain contingency planning. Developing coherent,
effective, and usable options for responding to attacks in space and cyberspace requires that military planners in the different Services and combatant
Yet there are a variety of types of counterspace attacks and even more potential nonspace targets for U.S. reprisals. A common framework would help
planners determine which nonspace responses best correspond with counterspace attacks of varying scope and severity.
The absence of a shared framework between the United States, allies, and potential adversaries undermines deterrence and increases the potential for
miscalculation. Effective deterrence requires that U.S. officials influence potential adversaries' perceptions of the likely consequences of the actions the
United States wishes to deter. The United States might threaten to respond to a particular type of attack in space or cyberspace by employing different
capabilities against different targets in other domains. Such threats, however, are less likely to resonate as credible with potential adversaries if they do
not understand U.S. assumptions about how domains are linked and why a particular response is a logical and proportional reaction to the initial attack.
As an example, imagine the United States threatened to respond to ASAT attacks on U.S. intelligence, surveillance, and reconnaissance (ISR) satellites
with attacks against the adversary's air defense network.
The logic underlying this policy is that the United States might employ ISR aircraft over the adversary's territory to compensate for the lost satellites.
Attacks on the air defense network would be necessary to ensure that the aircraft could effectively penetrate the country's airspace. This policy is
proportional because the United States is restoring its lost ISR capability, thereby denying the benefits of the ASAT attack.
the U.S. response would be different from the adversary's attack. Instead of
responding in space, the United States would attack targets on or around the
adversary's homeland. To further complicate the situation, the United States might
use conventional weapons to destroy the air defense network even if the initial
ASAT attack was nonkinetic. Without a shared framework, potential adversaries might consider this deterrence threat illogical
However,
but they would also understand it to be a likely consequence of employing ASATs against the United States before authorizing an attack.
1AC Solvency
CONTENTION 2: SOLVENCY
Current NSA policy virtually guarantees non-disclosure
banning surveillance removes all disincentives to disclose
Kim Zetter 15, award-winning journalist who covers cybercrime and security
for Wired, 'Turns Out The US Launched Its Zero-Day Policy In Feb 2010'. WIRED.
Accessed July 24 2015. http://www.wired.com/2015/06/turns-us-launched-zero-daypolicy-feb-2010, VL
When the NSA or another agency discovers a software vulnerability, they use the
Equities process to determine whether there is more to be gained from keeping the
vulnerability secret or from disclosing it to be patched. That process was apparently weighted on the side of exploiting
vulnerabilities over disclosing them until last year when the government had to reinvigorate the policy because it was not being implemented in the
The President's Privacy and Civil Liberties Oversight Board had determined
that the Equities process wasn't being implemented as the board thought it should
be, suggesting that more zero days were being kept secret than the board thought
intended manner.
wise. Information about vulnerabilities also wasn't being shared among all the agencies that needed to have a say in the decision-making process.
The new document, which is heavily redacted, provides little additional information about the Equities process or the government's use
of zero-days. But it does describe the order of events after a zero-day vulnerability is
discovered. The vulnerability first undergoes a classification process to determine
if it requires special handling. If it reaches a certain threshold - the threshold
isn't disclosed in the document - then the executive secretariat is notified
immediately. The executive secretariat, for this purpose, is the NSA/Information Assurance Directorate. The NSA then
notifies other agencies participating in the equities process to give them a chance
to indicate if they have an equity at stake and want to participate in the decision process for determining if the
vulnerability will be disclosed or kept secret. What the document doesn't say, however, is whether all parties
in the decision making process have equal input. The document notes that the purpose of the
Equities process is to ensure that decisions are made in the best interest of
intelligence collection, investigative matters and information assurance. Understanding that
in most circumstances all three interest [sic] will not be satisfied but the best resolution for the overall good will be put forth Nathan
Wessler, staff attorney for the ACLU, says this is the crux of the whole Equities
process. How they make the decision about which interest to prioritize when they find the zero day vulnerability [is] the decision that everything
rides on, he says. But at no point . have government officials ever explained how theyre
going to balance these competing interests and how theyre going to ensure that the
cybersecurity voices at the table will be as loud and respected as the lawenforcement voices.
zero-day exploits, along with the story of a hacker who received $250K from a U.S. government contractor (At first I didn't believe the story or the
price list, but I have been convinced that they both are true.) Forbes published a profile of a company called Vupen, whose business is selling zero-day
exploits. Other companies doing this range from startups like Netragard and Endgame to large defense contractors like Northrop Grumman, General
Dynamics, and Raytheon. This is very different than in 2007, when researcher Charlie Miller wrote about his attempts to sell zero-day exploits; and a
2010 survey implied that there wasn't much money in selling zero days. The market has matured substantially in the past few years. This new market
perturbs the economics of finding security vulnerabilities. And it does so to the detriment of us all. I've long argued that
the process of
finding vulnerabilities in software system increases overall security. This is because
the economics of vulnerability hunting favored disclosure. As long as the principal
gain from finding a vulnerability was notoriety, publicly disclosing vulnerabilities
was the only obvious path. In fact, it took years for our industry to move from a norm of
full-disclosure -- announcing the vulnerability publicly and damn the consequences -- to something called responsible
disclosure: giving the software vendor a head start in fixing the vulnerability. Changing economics is what
made the change stick: instead of just hacker notoriety, a successful vulnerability finder could land some lucrative consulting gigs, and being a
trying to build cyber-weapons. All of these agencies have long had to wrestle with the choice of whether to use newly discovered vulnerabilities to
protect or to attack. Inside the NSA, this was traditionally known as the equities issue, and the debate was between the COMSEC (communications
security) side of the NSA and the SIGINT (signals intelligence) side. If they found a flaw in a popular cryptographic algorithm, they could either use that
knowledge to fix the algorithm and make everyone's communications more secure, or they could exploit the flaw to eavesdrop on others while at the
same time allowing even the people they wanted to protect to remain vulnerable. This debate raged through the decades inside the NSA. From what I've
of the bad press after a vulnerability is announced plus the cost of writing and deploying the patch. I'd be the first to admit that this isn't perfect
Under a directive made public April 11, after Bloomberg News reported the NSA's utilization of the infamous Heartbleed bug -- a use the agency denied
-- the White House said exploits should in most cases be disclosed so computer users can protect themselves.
the NSA buys lots of zero day exploits and makes the internet weaker
as a result of it. Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits
that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes
that, following the White House's intelligence review task force recommendation that the NSA stop weakening encryption and other technologies,
President Obama put in place an official rule that the NSA should have a "bias" towards
revealing the flaws and helping to fix them, but leaves open a massive loophole: But
Mr. Obama carved a broad exception for a clear national security or law enforcement need, the officials said, a loophole that is likely to allow the
N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons. Amusingly, the NY Times initially had a
title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to
the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say." Of course, the cold war analogy used by people in the article
http://www.theatlantic.com/technology/archive/2014/05/should-hackers-fixcybersecurity-holes-or-exploit-them/371197/, VL
The NSA, and by extension U.S. Cyber Command, tries its best to play both ends of this game. Former
NSA Director Michael Hayden talks about NOBUS, nobody but us. The NSA has a classified
process to determine what it should do about vulnerabilities, disclosing and closing most of the ones it finds, but holding back some -- we don't know how
many -- vulnerabilities that nobody but us could find for attack purposes. This approach seems
t the devil is in the details. Many of us in the
security field don't know how to make NOBUS decisions, and the recent
White House clarification posed more questions than it answered. Who makes these decisions,
and how? How often are they reviewed? Does this review process happen inside Department of Defense, or is it broader? Surely there needs to be a
technical review of each vulnerability, but there should also be policy reviews regarding the sorts of vulnerabilities we are hoarding. Do we hold these
vulnerabilities until someone else finds them, or only for a short period of time? How many do we stockpile? The US/Israeli cyberweapon Stuxnet used
four zero-day vulnerabilities. Burning four on a single military operation implies that we are not hoarding a small number, but more like 100 or more.
There's one more interesting wrinkle. Cyber-weapons are a combination of a payload -- the damage the weapon does -- and a delivery mechanism: the
even without any government involvement, because so many vulnerabilities are discovered by criminals. We also need more research in automatically
finding and fixing vulnerabilities, and in building secure and resilient software in the first place. Research over the last decade or so has resulted in
software vendors being able to find and close entire classes of vulnerabilities. Although there are many cases of these security analysis tools not being
used, all of our security is improved when they are. That alone is a good reason to continue disclosing vulnerability details, and something the NSA can
do to vastly improve the security of the Internet worldwide. Here again, though, they would have to make the tools they have to automatically find
because they are only effective for a limited time. The world's militaries are investing more money in finding vulnerabilities than the commercial world is
https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi
International cooperation is needed on the zero-day issue, but U.S. leadership is
required to catalyze such cooperation. Snowden's disclosures have caused
significant problems for the United States, reducing receptivity to cooperation with
the United States on cyber issues. This problem is exacerbated by the need to have the United States, as a major cyber
player, involved in international negotiations. Existing confusion and controversy over national U.S.
policies towards zero-day vulnerabilities create further obstacles to addressing
these issues at an international level. The United States needs to establish policy
clarity at a national level to set the stage for collective action, signaling to other
nations its seriousness about the problem and the nature of American interests towards it. Richard Clarke and Peter
Swire agree: we create a more secure and useful global Internet if other nations,
including China and Russia, adopt and implement similar policies to what the Obama
administration recently announced about U.S. zero-day policy, but because they [other nations] are unlikely to do so any time soon, the Obama
administration should also step up its efforts and create the basis for an
international norm of behavior. This thesis argues that the U.S. government must do more to strengthen its own zero-day
policies as a necessary element of addressing the need for collective action.
forward. The National Security Council's Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC) subcommittee on international cyberspace policy