In a world filled with the relentless advancement of information technology and complex technological systems, the need for cyber security is more pressing now than ever before. A devastating cyber attack capability that holds significant value for potential attackers is known as a “zero-day exploit”. These exploits represent cyber attacks that cannot be stopped due to the unknown nature of the vulnerability within a software program, up until the point when an attack occurs. A zero-day vulnerability is an undisclosed hole in software that hackers with malicious intentions can use to destroy entire computer networks, essential computer programs and important data. It is known as a “zero-day” because once the flaw in the software is revealed, there is no time for the software writer to stop the use of this vulnerability for exploitative purposes. Through this unidentified vulnerability, attackers can release damaging malware before the software developer even has time to realize they are under fire. Zero-day attacks are technological weapons that pose an imminent threat to the cyber security of networks connected to governments, firms, and individuals.
Throughout the course of this research, the numerous policy challenges associated with regulating the development and sale of these zero-day capabilities will be addressed. I will first be discussing the key stakeholders in the zero-day vulnerability trade, clarifying and analyzing their objectives related to the development, sale, and purchase of these vulnerabilities. After introducing the main players in the vulnerability trade, I will discuss the markets on which zero-days are traded and the security concerns that stem from both legal and illegal markets. Then, I will examine the cyber provisions of the multilateral export control regime known as the Wassenaar Arrangement and discuss why the historically legal sale and use of zero-days has been complicated due to the United States’ involvement in this agreement. Once the details of the Wassenaar Arrangement have been discussed, I will explore the types of regulatory approaches that could be used in regards to domestic regulation through increased executive oversight and international regulation through collective defense organizations, such as NATO. Lastly, out of this research will come reasonable goals and policy suggestions that effectively account for the political and economic ramifications caused by altering the zero-days market through regulation.
II. The Range of Stakeholder Interests
Regulation of the global zero-day vulnerabilities trade is made extremely complex due to the range of stakeholder interests. Some of the key players include governments, firms, independent researchers and sellers, security analysts and intelligence agencies. Zero-day exploits are especially valuable to hackers with malicious intent, agents of espionage, and intelligence or defense agencies such as the National Security Agency or United States Cyber Command. With the number of governments buying vulnerabilities increasing and the independent entities selling them keeping up with demand, the zero-day market spans the globe and can be very profitable. Zero-day vulnerabilities markets are largely driven by national intelligence agencies that use them for various reasons, including providing their security analysts with real-world scenarios for testing their security systems against potential threats.
The United States government is a big buyer of zero-day exploits, with the NSA reportedly spending over $25 million to obtain “software vulnerabilities from private malware vendors” (Fung). Other governments such as Russia, India, Brazil, Singapore, North Korea, Israel, Britain and Malaysia have also been known to purchase zero-days for their own national intelligence interests. Zero-days can be used for cyber espionage, improving cyber defense capabilities, and conducting offensive [military] cyber operations. The participation of the U.S. government in this market has certainly raised concerns in the global cybersecurity community. Within the last five years, the U.S. government has been rumored to have been secretly stockpiling vulnerabilities in order to protect their military and intelligence capabilities for national security purposes. In 2014, security researchers discovered a vulnerability in OpenSSL, a widely used software library for encrypting data sent over the internet, which came to be known as “Heartbleed.” Heartbleed left huge amounts of data vulnerable to exploitation and quickly became cyberspace’s largest security threat. When the Heartbleed vulnerability was exposed, many questions were raised by the public about the government’s possible prior knowledge of the vulnerability and their intentions in letting it remain undisclosed. The Obama Administration’s response to these negative allegations was to, for the first time, make a public statement about the government’s zero-day vulnerabilities policies.
In essence, President Obama acknowledged the fact that the NSA and other security agencies exploit the software vulnerabilities they find, rather than contact the vendors and disclose them so they can be patched. In early 2014, President Obama was tasked with extensively reviewing recommendations by a presidential advisory committee on what course of action to take in light of recent disclosures about the National Security Agency’s actions. The White House did not publicize Obama’s decision on these matters, but they did state that when such vulnerabilities are discovered, “there is now a ‘bias’ in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers” (Sanger). Former National Security Council spokeswoman Caitlin Hayden stated that as a result of reviewing the presidential advisory committee’s recommendations, there would now be a “reinvigorated” process to weigh the value of keeping the discovery of a vulnerability secret for intelligence purposes against the value of disclosure when a vulnerability is found. She again used the word “biased” when stating that the renewed process would lean towards responsible disclosure of software holes as opposed to stockpiling and secrecy. There is no concrete evidence that the NSA took part in the creation or use of the Heartbleed vulnerability, but when asked, officials have equated giving up the capability to use zero-days to complete disarmament, claiming that it could be catastrophic to national security if every vulnerability found was disclosed. Security officials have made it clear that the use of cyberspace as an offensive weapon will inevitably increase in the future and that there is a great need for command and control strategies, especially against enemy nation-states.
The private market for zero-day exploits and vulnerabilities is becoming increasingly lucrative, with vulnerabilities selling for anywhere between $500 and $250,000. Private information security companies such as Vupen Security (or its new company Zerodium) specialize in discovering zero-day vulnerabilities in software from major vendors such as Microsoft or Google for the purpose of selling them to intelligence or law enforcement agencies. A major problem with information security firms selling zero-days to governments or other entities is the lack of transparency. Aside from national governments, the other two main purchasers of vulnerabilities are private sector clients and brokers who resell vulnerabilities.
Private sector buyers are often companies using vulnerabilities in cyber defense research or penetration testing, which is essential information in the security world. Brokers who are reselling vulnerabilities usually resell them to governments, who may have intent to keep them secret for exploitative purposes. The value of secrecy in the zero-day vulnerability trade notably complicates efforts to regulate the market. Secrecy contributes to the lack of market transparency about the information of buyers and sellers, which could be particularly important in international security and defense efforts. The global nature of the zero-day market means that the sale and purchase of vulnerabilities has the potential to enable malicious actors such as criminals, unfriendly governments, and non-state actors to obtain damaging capabilities. With the secretive nature of the trade, it is questionable whether effective regulation will be a viable option.
III. Zero-Day Markets
Zero-day vulnerabilities are traded in three types of markets: the white market, the black market, and the gray market. On each of these markets, the value of a vulnerability is dependent on what it can be used for and its capabilities to achieve the buyer’s goals. The market for zero-days is segmented in three tiers, each of which has a diverse group of entities operating within it. The very nature of buying and selling zero-days on three types of markets implies that there is a wide range of interests being served through purchasing these vulnerabilities. Most of the time, buyers on the black market do not simultaneously operate on the white market because the purpose of their purchase could easily involve criminal activities. Software vulnerabilities are the most useful [exploitable] when kept secret. Given this fact, the high value of secrecy contributes to the lack of transparency in zero-day markets.
The information security industry has two practical approaches to zero-day vulnerabilities: defense and offense. The use of zero-days in the white market can be seen as a defensive approach where the discovery and revelation of zero-days is used primarily for the benefit of products and customers. This approach is designed to improve software coding standards and patch security flaws in existing software by minimizing the threat of an attack and proactively preventing exploitation. For the most part, the main sellers in the white market include hackers involved with bug bounty offers and security researchers who are not necessarily motivated by financial gain, but by recognition and prestige. Consequently, buyers in the white market are generally large software vendors such as Google, Microsoft, Facebook and Mozilla who have a large stake in preventing attacks on their networks. These vendors have been known to hire “bug-hunters” or freelance security researchers to search for flaws in their software, who are motivated to participate in the white market for ethical reasons. Having a reputation for responsible disclosure gives white-hat hackers a leg up in the bug-hunting community. This recognition is often accompanied by moderate financial gain, but unlike in the gray and black markets, it is not the main motivation for engagement in this line of work.
Unlike the white market, the black market for zero-days is extremely lucrative and extremely illegal. Generally, buyers of vulnerabilities on the black market are paying for knowledge of a flaw in a particular piece of software that they are certain can be exploited for malicious purposes. Black markets pave the way for a hacker who finds a vulnerability and creates an exploit to auction it off to the highest bidder. Hackers on the black market have been known to charge up to $250,000 for software exploits in programs such as iOS (Davis). The sellers in the black market are usually freelance hackers who sell vulnerabilities for significantly more money than they could on the white market. The technology publication WIRED, in its article titled Hacking Team’s Leak Helped Researchers Hunt Down a Zero-Day, argues that “criminal hackers and intelligence agencies use zero day exploits to open a stealth door into your system, and because antivirus companies also don’t know about them, the exploits can remain undetected for years before they’re discovered” (Zetter). This quote represents the frightening realities of this black market and is indicative of what could happen to sensitive information with the use of zero-day exploits.
Zero-days are often sold on the “dark web” to anonymous users through the underground web technology of the Tor Network or with the use of Bitcoins. The black market for zero-days is representative of how the market for selling these vulnerabilities and exploits has matured over a relatively short period of time. It was not long ago that security researchers who happened to discover a zero-day in software simply informed the software developer of it for nominal monetary compensation (if any) and little recognition – but now, it’s a whole different ball game. The legitimate market provides significant bargaining power to black market sellers, some of whom operate on both legal and illegal markets. As editor of Ars Technica UK Sebastian Anthony reports, in his article titled The first rule of zero-days is no one talks about zero-days (so we’ll explain), that
“some security researchers pay little heed to who the ultimate buyer of the zero-day is or what they might do with it because they just want the money. This is the scenario that has most piqued the interest of the media even if there’s little evidence for the narrative—that there’s a huge, shadowy marketplace where lone-wolf hackers are peddling their zero-days to North Korea, Sudan, or some other country that has a history of abusing its citizens” (Anthony).
Financial motivation is the ultimate driver of the black market for zero-days, and as we will see later in this research, is one of the underlying problems with regulating the market.
The last market that will be discussed in this research is the legal and unregulated gray market for zero-day exploits. Despite the looming threat to international security and potential negative consequences for cybersecurity as a whole, historically, the sale and purchase of zero-days has been legal. The gray market encompasses trade between vulnerability sellers and governments, private sector clients, and brokers who resell vulnerabilities to cyber defense or intelligence agencies. Governments are the most typical buyers on the gray market and often privately purchase zero-days from private-sector defense companies such as Northrop Grumman, Lockheed Martin and Raytheon. As previously mentioned, the NSA is a confirmed U.S. government agency that has been known to dedicate a large amount of money to the purchase of vulnerabilities. Other agencies that have an incentive to engage in the gray market for intelligence gathering and cybersecurity research include the CIA, DoD, DHS and the FBI. Given that nation-states with well-financed [or prioritized] intelligence agencies probably purchase vulnerabilities, the gray market spans the globe to every corner of the world. Confirmed government buyers like the United States, the United Kingdom, India, Russia, Brazil, Singapore, Iran, Malaysia and North Korea have been known to be particularly active on the gray market. The U.S. government pays extremely high prices (anywhere from $16,000 to $250,000) per zero-day vulnerability [and in some cases employs its own security researchers] to conduct offensive cyber attacks and espionage.
In her thesis titled Anarchy or Regulation: Controlling the Global Trade in Zero-Day Vulnerabilities, technology and policy researcher Mailyn Fidler assesses the need for regulation in the global trade of zero-days, especially within the U.S. government. On the topic of public understanding of U.S. government policy regarding the gray market, she asserts that the public believes that the government does not need to notify affected companies about vulnerabilities they acquire. By doing this, the government effectively “leaves companies and citizens vulnerable to exploitation if other parties discover the flaw, which undermines citizen cybersecurity in pursuit of other national security objectives” (Fidler 100). Although some may argue that the U.S. government must participate in the zero-day market to achieve certain national security objectives, it is clear that the government’s involvement in the gray market and its current policy towards zero-days may have greater cybersecurity consequences than initially expected. Despite the market’s global reach, no existing international institution appears ready and willing to address this issue through regulation and binding policy. The next section will explore the cyber provisions of the Wassenaar Arrangement that has recently complicated questions of legality of the development and sale of zero-day exploits in the United States.
IV. The Wassenaar Arrangement
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime with 41 member states, some of whom are the most technologically developed nations in the world. The Arrangement’s purpose is to “contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use (i.e. those having civil and military uses) goods and technologies to prevent destabilizing accumulations of those items”, particularly by terrorist organizations (www.wassenaar.org). Members of the Wassenaar Arrangement (WA) must also pledge to abide by other international regimes to promote security such as the Nuclear Nonproliferation Treaty (NPT), Chemical Weapons Convention (CWC) and the Missile Technology Control Regime (MTCR). Although the Wassenaar Arrangement establishes certain listed items for member countries to apply to their sovereign export controls, its major downfall is that it is neither an official treaty nor legally binding. Provisions of the Arrangement must be implemented in each individual member state, so there is no oversight or overarching compliance committee to evaluate the effectiveness of enforcement. The recent changes to the Wassenaar Arrangement that are relevant to zero-days involve the inclusion of cyber surveillance technologies as a controlled item that encompasses two new classes of export-regulated software: intrusion software and IP network surveillance systems.
The challenges associated with implementing these changes in the cyber provisions of the Wassenaar Arrangement stem from the ambiguous language that is used to identify specific characteristics of software as potentially malicious. In the policy and security debate revolving around the issue, it has been extremely difficult to define the tools that are to be regulated under the export control in such a way that the controls do not interfere with security research tools or other software mechanisms that have positive value. Some cyber security experts have questioned whether or not zero-day vulnerabilities and exploits fall into the category of targeted items, and with good reason. Confusion exists as to how exactly intrusion software is defined and what components of a system should actually be controlled under the WA. In the United States, the sale and use of zero-days has been complicated by the country’s involvement in Wassenaar because of the interpretation of the intrusion software clause in the cyber provisions section.
Government agencies who regularly buy and stockpile vulnerabilities such as the NSA and other intelligence arms may not have as much freedom as they have had in the past. For example, after the changes to the cyber provisions of the WA in 2013, Vupen (a French information security firm who sold zero-days to the NSA and other intelligence/surveillance agencies) determined that the new restrictions were indeed applicable to their exploit sales. Because of the changes to the cyber provisions of the WA, this firm declared that they would be restricting the sales of exploits only by selling them to verified buyers in “approved countries” (Fidler 148). The founder of Vupen launched a new cybersecurity company in 2015 with a different way of handling zero-days called Zerodium. Instead of finding and selling exploits to intelligence agencies, Zerodium’s business model now focuses on acquiring zero-days from independent researchers and reporting them to its clients. Presumably, this change in business model was not fully due to having to adjust to the changes in the cyber provisions of the WA, but it may have had something to do with it.
In May of 2015, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published its proposed implementation of the 2013 changes to the cyber provisions of the WA. Unfortunately, despite suggestions from security researchers and policy experts to narrow the definitions to more precisely describe what parts of software need to be controlled, the BIS proposal was still rather broad. The BIS proposal actually added more technology controls to the list, including “systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software including network penetration testing products that use intrusion software to identify vulnerabilities” and “technology for the development of intrusion software includes proprietary research on the vulnerabilities and exploitation of computers and network-capable devices” (www.bis.doc.gov). The language in the BIS proposal suggests that the sharing of information regarding vulnerability research without a license would be prohibited. When asked about the scope of regulation, the Director of the Information Technology Controls Division of the BIS told reporters that any software used to develop zero-day exploits for sale is covered by the proposal. This statement suggests that security researchers would also be regulated in their research, because they use the same software tools as those used for developing zero-days for sale.
Nate Cardozo, staff attorney for the Electronic Frontier Foundation (EFF), argues that the proposed BIS rules are not required by the WA and should not be implemented as such. In his article, What is the U.S. Doing About Wassenaar, and Why do we Need to Fight It?, he compares the U.S.’ BIS proposal to the U.K.’s implementation of policy in regards to the changes in the WA. He maintains that the U.K. provision “does not attempt to control the export of exploits or “intrusion software” itself…doesn’t affect jail-breaking, fuzzing, or vulnerability reporting… the U.S. proposed implementation disregards the protections of Wassenaar’s General Notes and goes much further than the equivalent UK rules” (Cardozo). He argues that the U.S. proposal encompasses a more far-reaching approach than that of the U.K., another participating state in the WA that has been affected by the changes. The blatant inconsistency in policy implementation across participating states causes great concern in the eyes of security analysts and policymakers. This confusion and exaggeration in policy represents one of the challenges associated with using the WA as a framework for controlling the exports of certain software. However, as some legislators pointed out, the implementation of the proposal in the United States does have the potential to prevent the previously legal sale of zero-day exploits to foreign governments by American cybersecurity researchers, which could prove more beneficial than harmful for national security.
With the BIS’ original proposal in place, researchers would have to obtain licenses, which could require them to have to relinquish information about zero-days that they did not have to share publicly before. This could do some serious damage to security research, which is why there was widespread outrage and opposition from the information security and technology community about the proposal. The Institute for Security, Technology, and Society’s chief security advisor Sergey Bratus explains “the authors of this regulation may have believed that they were targeting a narrow group of products; as written, their regulation actually targets fundamental security technologies, and the most promising paths of their future development” (Blue). The 60-day comment period on the BIS’ proposal provided a way for the BIS to take into account opposition from over 300 technology companies and individual researchers on the issue. The main concern that echoed through nearly every comment of opposition was that the imposed rules would stifle security research because of the requirement for export licenses in order to be considered legitimate under the WA. Additionally, researchers argued that product security would be deeply affected because all vulnerabilities that could be exploited would be left unpatched.
A Washington, D.C. based security researcher described the BIS proposal as an “information-seeking process” for the government, in that they relied heavily on input from the security community about this law because of their limited ability to understand the impacts of the proposal on the security industry. After hearing the opposition to the initial proposal from security industry experts, the BIS decided to rewrite the proposed implementation of the WA rules in July of 2015. Again, EFF’s staff attorney Nate Cardozo weighed in on the informational gap that existed between the security industry and the government, stating that “BIS pretty clearly didn’t understand the actual market for the type of software they’re trying to get at…we have some thoughts on how this export control regime might look different. We want to define the end uses and end users you want to control sales and support to” (www.digital-era.net). Cardozo’s statement clearly reflects the cyber security world’s desire to participate in policy design on an issue that could affect everyone involved in a big way. After the failed first round, it comes as no surprise that experts in the U.S. are expected to be involved in creating the next draft of the BIS proposal. The next section of this research aims to explore the various types of domestic and international regulatory approaches that are applicable, and the pros and cons of each.
V. Regulating the Zero-Day Market
With an international consensus on regulation yet to be reached, there are significant security concerns in the regulation debate and serious policy questions that must be addressed. There are two types of approaches to regulating the zero-day trade: domestic regulation and international approaches to regulation. On one end of the spectrum surrounding the policy debate, some argue that heavy-handed regulation will just drive sellers to the black market, so the less regulation, the better. This is a controversial argument due to the fact that it does not take into account the serious consequences that these cyber weapons could have on national and international security. On the opposite side of the policy debate, some cybersecurity experts maintain that software vendors should be responsible for any damages incurred with a third party’s use of zero-day exploits. The rationale for this would be that the vendor should be responsible because the damage was caused by flaws in their software that opened up the window for exploitation. I will explore different measures that have been proposed by cyber experts, researchers, and policymakers alike with the goal of eliminating the threat to cybersecurity posed by zero-day exploits. The following regulatory suggestions have been borne primarily through policy research conducted by three scholars: Paul Stockton and Michele Golabek-Goldman from the Yale Law and Policy Review and Mailyn Fidler from Stanford University’s Freeman Spogli Institute for International Studies.
In the policy analysis paper published by the Yale Law and Policy Review, Curbing the Market for Cyber Weapons, Stockton and Golabek-Goldman suggest three policy proposals for mitigating the potential cyber threats of zero-day exploits. The first proposal is to create additional incentives for vendors to “eliminate defects in critical infrastructure industrial control systems and applications layer software” (Stockton 242) and invest in robust security measures. The second proposal is to establish a uniformly complied-with international export control regime, such as the Wassenaar Arrangement, to oversee transactions and the zero-day market. The final suggestion is to strengthen domestic and international prosecution law for sellers on the gray and black markets who sell exploits to rival governments who may use them to damage critical infrastructure of the target government or for illicit espionage purposes. These three policy suggestions encompass both domestic and international regulatory approaches to curb the “weaponized” uses of zero-day exploits. In their analysis of these proposals, Stockton and Golabek-Goldman illuminate the possible challenges that these initiatives could face in regards to stifling innovation, the scope of enforcement, and implementation impracticalities.
Creating greater incentives for companies to invest in improving the security of critical software infrastructure could be an effective solution to limit the ability of security researchers to discover and “weaponize” zero-days. This policy suggests that companies should be held liable for defects in their software, similar to car manufacturers or toy companies when they are legally forced to recall defective products. The only way this would be feasible is if the software users who had been attacked were able to prove that the cyber attack was successful because the vendor’s software was defective or flawed. The software developers of the critical infrastructure would refute this claim and defend their code by placing the blame on the negligence of the user. The primary concern of the authors in regards to incentivizing robust software security measures is that it shouldn’t stifle innovation or prevent software developers from developing better products. Innately, software development is extremely complex and therefore, vulnerabilities can be [unknowingly] embedded into its underlying design. This presents a problem due to the unintended consequences of forcing a company to be liable for cyber attacks that occur when a user is simply running that vendor’s software (Stockton 253).
The second proposal these scholars suggest is uniform compliance with an export control regime, such as the Wassenaar Arrangement, in order to make it more difficult for sellers on the black market. Sellers with malicious intentions in the U.S. would be thwarted by the government requiring them to acquire licenses from the Department of Commerce’s Bureau of Industry and Security. A benefit to using the Wassenaar Arrangement would be that its existing infrastructure and framework would allow member states to bypass any organizational difficulties that arise when creating a new multilateral arrangement. Essentially, the existing procedures of this export control regime that are already in place could potentially make it easier for governments to enforce dual-use export controls on zero-days and would provide an effective model for export control of potential cyber weapons. Stockton and Golabek-Goldman strongly urge members of the Wassenaar Arrangement who are working on developing criteria for the export control of zero-days to “focus on the exploit’s end-use, end-purchaser, and country of destination. Although sales of dangerous exploits to terrorist organizations, rogue states, and other entities seeking to target critical infrastructure must be denied, controls must not impede legitimate white-hat researchers from selling exploits to software vendors” (Stockton 257). This recommendation reflects an attempt to prevent a catch-22 type situation, keeping researchers from getting into legal trouble while also making it harder for bad actors to successfully obtain zero-day exploits that could damage critical infrastructure.
The third and final proposal from Stockton and Golabek-Goldman is to build a stronger framework for prosecution of those who sell dangerous zero-days to rival governments. This expansion of the prosecutorial framework would entail holding individual sellers responsible for every exploit they have sold that has been used for malicious purposes, with or without their knowledge. One of the main problems with this is that the seller could claim that they did not know whether the exploit was going to be used for good or bad purposes. In these types of situations, the U.S. currently employs the Computer Fraud and Abuse Act (CFAA) to determine what the punishment should be for malicious zero-day exploit uses. Unfortunately, researchers who sell zero-day exploits for malicious purposes both inside and outside of the U.S. often avoid prosecution under the CFAA through legal loopholes. In their defense, they are merely selling zero-days to customers who individually determine what their purpose is and do not have the required intent to be held liable for any damages that may occur due to their exploit. The extended prosecutorial framework would have to extend from the United States under international law to other states and enable prosecutions of vulnerability research firms located in other states. However, a major downfall of this process is that it is complicated by bureaucratic measures and requires a large amount of time and resources to be dedicated to its execution.
Regulating the zero-day exploit trade requires increased transparency and strategic maneuvers that are effective in preventing the use of zero-days for weaponized, intensively damaging, or malicious purposes. In her thesis on controlling the global market for zero-days, Mailyn Fidler suggests three types of approaches to domestic regulation (within the U.S.) and three types of international regulation. Of the domestic regulatory techniques, she analyzes criminalization, unilateral export controls, and increased oversight of the actions of the United States’ executive branch. Regarding international regulatory suggestions, she analyzes the utilization of international law, voluntary collective action (the WA), and collective defense organizations (NATO). These domestic and international policy strategies provide a diverse array of approaches to regulating the zero-day trade and should be considered by policymakers to some extent.
The domestic regulatory approach Fidler argues will be the most effective is increased oversight of the executive branch of government. The primary argument for this approach is that the intelligence agencies are the main purchasers of zero-days within the U.S. government and have a history of finding ways to avoid oversight in order to keep their activities covert. The executive branch provides the greatest amount of oversight for the intelligence agencies through executive orders. A main benefit of this oversight would be that “an executive order or presidential policy directive could establish common definitions and policies across agencies”, which would be extremely beneficial to regulating the vulnerability trade in that it would eliminate confusion and establish credible criteria that would need to be followed (Fidler 108). A drawback of this approach is that a political consensus for increased congressional oversight is difficult to achieve (especially within our current Congress). Oversight is generally applied through a broader lens that spans intelligence programs, rather than to one specific cyber weapon. Overall, it is evident that all three of these approaches carry complications that need to be worked out from a political and economic perspective.
The range of mechanisms that can be used for international cooperation on regulating the zero-day vulnerability trade, as discussed by Fidler, includes invoking international law, voluntary coordination between states, and collective defense organizations. Fidler claims that the most attractive international strategy to regulate the zero-day trade is the use of collective defense organizations such as NATO. She maintains that “collective defense organizations offer the potential benefits of closer thinking among allies, a strong organizational and historical basis for cooperation, and the continued need to engage constructively with other member states on national security issues” (Fidler 154). Along with the fact that its membership includes countries on both the supply and demand sides of the market, these reasons are distinct advantages that could be realized by using a leading international defense organization to regulate zero-days. It is true that NATO faces the challenge of its members having divergent political and economic interests, which makes unanimous approval on certain issues harder for the organization to reach. An important recommendation Fidler offers to NATO is that it could establish a zero-day threat-sharing program, where governments have a platform to share information about zero-day threats they have faced or have thwarted (Fidler 162). Presumably, this would be the most realistic option for regulation by NATO and the one that would face the least resistance. While there is no silver-bullet solution to figuring out how exactly to regulate the zero-day trade, these are some practical and viable options that could be tested for effectiveness over time.
VI. Reasonable Goals and Proposed Policies
Based on all of the information explored so far, some reasonable goals for regulating the global zero-day vulnerability trade include: narrowing the definition of “malicious uses” of zero-days to be targeted by regulation, reducing the possibility of zero-days occurring in software, improving information-sharing pathways between the public and private sectors, and identifying legitimate researchers and brokers for zero-days to guarantee innovative vulnerability research free from legal constraints.
The first goal, narrowing the range of applications that vulnerabilities may be used for by controlling the malicious use of zero-day exploits through definitional specificity, is extremely important when creating regulatory policy. The proposed policy that would accompany this goal is to differentiate the language regarding the types of dual-use software [replacing “intrusion” with “exfiltration”] that are targeted in the BIS’ proposal to implement the U.S.-Wassenaar rules. This policy would be beneficial because it would help regulatory procedures distinguish between surveillance/espionage and legitimate security research.
The second proposed goal and accompanying policy is to reduce the number of zero-days to be found by incentivizing robust security measures in addition to punishing offensive uses of vulnerabilities. The aim would be to shift responsibility for the existence of zero-days to the software companies in order to increase their investment in defensive research. Inevitably, there will be flaws embedded in software, but the ultimate goal is for software companies to have a robust security apparatus that cannot be penetrated by hackers.
The third proposed goal is to make information about vulnerabilities more readily available to the responsible parties to expedite the patching process and prevent intrusions and/or attacks. The policy to achieve this goal would require public disclosure by software companies of known vulnerabilities that will affect consumers. This policy would enable the sharing of exploit information between the public and private sectors, which allows everyone to better defend against attacks that use zero-day exploits. Along with this policy, there would have to be an accessible platform for sharing zero-day information, which would reduce the information asymmetry between the private sector and the black market. There would be less incentive for a black market trade in zero-days because zero-day information would be available to security researchers, companies, governments, and consumers alike. This would allow companies to be aware of their vulnerabilities and to develop patches before an attack has a chance to occur.
The final goal to regulate the zero-day market is to identify legitimate brokers for zero-days and guarantee research freedom for security researchers and legitimate organizations. The policy that should be implemented to reach this desired goal is to create a licensing system for researchers and organizations with ethical rules for conduct and capability standards that must be abided by. These licenses would signify that the brokers are legitimate and that they do not have malicious intentions. Selling zero-day exploits without a license would be illegal and sellers would be subject to prosecution under the CFAA.
VII. Concluding Remarks
In order to address the zero-day vulnerability trade as a whole, it is necessary for U.S. policy to encourage collective action with allies in the international community through diplomacy and effective political solutions. The zero-day exploit market is growing rapidly and requires immediate attention to creating solutions that mitigate the threat of attack by zero-days. The United States should take a front-line position in regulating the zero-day vulnerability trade in order to maintain its position in the international community as a leading country on issues of cyber security. It is evident from the research conducted by myself and many other scholars that addressing the regulation of zero-day exploits through policy will be neither easy nor quick. Current international attitudes regarding the trade of zero-day vulnerabilities encompass a mix of confusion and controversy, which is indicative of the dire need for agreement and cooperation between states. The threats that zero-day exploits pose have a global reach and could have severely damaging effects on any government entity if deployed properly. This is a cybersecurity issue that requires extensive time to be devoted to crafting policy and setting up a framework for international regulatory measures. Despite the many difficulties that may arise in policy implementation, in the interest of international security, it is necessary that action be taken by the international community to regulate the zero-day trade.