Regulating the Global Market of Zero-Day Exploits

Nicole Perlroth and David E. Sanger describe in the July 14 New York Times the increasingly global trade in computer vulnerabilities. The recent growth of this hacker market has been fueled by purchases by the U.S. and other governments. Can this market be effectively regulated? And if it is eventually regulated, would it be for the wrong reasons?

Let’s take a step back. Let’s say there is some hacker, call him DarthBorgen, who seeks out holes in company firewalls, e-mail systems, online payment systems, cellphone operating systems, and so on. The most interesting hole to find is a “zero-day exploit,” a vulnerability that the company does not even know about. (“There are zero days between the vulnerability being discovered and the first attack.” ) If DarthBorgen is a “black hat” hacker he may use that exploit to steal from the company himself or he may sell it to a rival company what would use it in some illegal corporate espionage.

However, he may post the exploit to one of the hacker boards and as a means to burnish his reputation as a skilled hacker. His goal would not be to steal but to show off. Once he posts, the company would also probably learn of the exploit and they would patch it. Maybe, when a company was looking for a security specialist down the line, they might contact DarthBorgen, due to his formidable skills and reputation in the hacker community, and offer him a consulting fee. DarthBorgen might even become a computer security consultant who only tests a company’s systems at their request so that they may better understand their own vulnerabilities. (Maybe he changes his tag to ObiWanBorgen.)

Hackers started to increasingly go directly to companies where they found zero-day exploits and offering to sell their information to that company. This meant that exploits began to have a market value based on what the vulnerable company would be willing to pay for the information about the exploit.

At the crux of the Perlroth and Sanger article is how the arrival of government money has transformed the exploits market.

The U.S. government was an early mover in paying increasingly larger sums for exclusive access to exploits. And, importantly, while companies paid for exploits in their own system so that they may patch the holes, the U.S. government paid for exploits so that they could hack computers in intelligence operations or law enforcement investigations. Keep in mind that Internet Explorer and iPhones (to take two examples) are used all around the world by private citizens, governments, and companies.

Other governments followed suit. Perlroth and Sanger report that:

Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Countries in the Asian Pacific, including Malaysia and Singapore, are buying, too, according to the Center for Strategic and International Studies in Washington.

At a cyberconflict conference that we had at St. Johns in April, Christopher Soghoian of the ACLU spoke about the exploits market. In an interview for Sunday’s New York Times he said:

“The [company-funded] bounties pale in comparison to what the government pays.” The military establishment, he said, “created Frankenstein by feeding the market.”

The March 20 issue of The Economist had an article on the “digital arms trade” that included minimum prices for zero-day exploits for various programs. That article listed Internet Explorer exploits fetching at least $500,000, Windows 8 about $250,000, and iPhone 5 about $200,000 per exploit. The Times article quotes some lower prices, stating that “[t]he average flaw now sells from around $35,000 to $160,000.” Regardless of which figures are more accurate, all this government money is irrigating the hacker economy. Companies have sprung-up to take reap the benefits of the money being poured into the exploits market with a business model around finding exploits and then sending them to the highest bidder (often intelligence agencies).

The Times article noted a 2007 paper on the exploits market by Charlie Miller, a former NSA employee who was offered $80,000 by the U.S. government for a bug that he had found in Linux. He detailed how there is a demand for zero day exploits but concluded:

From the perspective of a security researcher, selling vulnerability information or 0-day exploits is a very risky ordeal. Due to the secretive nature of the market at the present time, it is difficult for them to find a buyer, determine a price for the information, prove the value of the vulnerability, and exchange the goods for money. On top of this, at any point in this process, the vulnerability may be announced by someone else, making the discovery worthless.

Some solutions exist which help to alleviate some of these problems, however their actual implementation remains far off in the future.

The future is now. The New York Times article reports that difficulties in finding buyers are overcome by brokers or by just plain old advertising. Moreover, considering the Times and Economist articles, ione finds that pricing information is increasing as more and more exploits are purchased and information shared in the hacker community. The risk of the vulnerability being announced by someone else still exists, but this is simply a common problem of the race to be first to the market.

In short, the sale of zero-day exploits is maturing into what we would recognize as a functioning market. So now the question is whether and how this market should be regulated. This was a topic that various audience members at the St. John’s conference returned to again and again. The Economist article noted:

Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

Exploits are a form of knowledge, expressed in computer code. Attempting to stop people from generating and spreading knowledge is futile, says Dave Aitel, a former computer scientist at America’s National Security Agency (NSA) who went on to found Immunity, a computer-security firm in Florida. He says that legal systems would not even agree on which code is good and which is bad. Many legal experts say code should be protected by free-speech laws—it is, after all, language expressed as strings of zeros and ones.

Weapon and/or speech? This is a battle of analogies that is unlikely to lead to regulation that will enhance online security. The U.S. could use  its formidable market power to purchase exploits in order to help companies actually plug up holes. But, as far as I can tell,  this would mean a fundamental shift in U.S.strategy. More likely is that the U.S. and other states will try to dry up the market that they have been flooding with their money and try to move as much of it “in-house” as possible. The Economist piece concludes:

On the head of the Pentagon’s Cyber Command, General Keith Alexander, warned the Senate Armed Services Committee that state-sponsored groups are stepping up efforts to steal and destroy data using “cybertools” purchased in illicit online markets. As an American military-intelligence official points out, governments that buy exploits are “building the black market”, thereby bankrolling dangerous R&D. For this reason, governments appear increasingly keen to develop exploits in-house. Paulo Shakarian, a cyberwar expert at West Point, an American military academy, says China appears to be moving in this direction.

Developing exploits in-house reduces the risk that a double-dealing vendor will resell code meant to be exclusive. Even so, the trade isn’t likely to fade away…

Once governments have increased their own internal means of supplying of exploits, they may be more willing to try regulate (either unilaterally or multilaterally) the external trade. In part to make sure that the exploits that they have found are not discovered by others and then either sold to other intelligence agencies for their use or to the companies that would then patch the holes. If this is accurate, this would mean that governments may eventually choose to regulate the zero-day exploit market in order to maintain holes.

All in all, this would be a rather perverse set of incentives. I hope we won’t regulate the exploits market in order to make the world safe for exploits.