Should the U.S. Government Change Its Approach to Zero-Day Exploits?
Dan Geer, the chief of information security for In-Q-Tel (essentially, the venture capital fund that supports tech innovation for the CIA) gave a wide-ranging keynote speech at Black Hat, a convention of cybersecurity experts. A video of the speech is available here.
I want to focus on one specific issue among the many he discussed: his call for the US government to publicly disclose the software loopholes and hacks that it purchases.
I have discussed in other posts (1, 2) the market for information regarding security loopholes known as “zero-day exploits.” The U.S. is already a big player in this market, purchasing exploits for use by its intelligence and law-enforcement agencies.
Rather than informing producers, purchasers, or users of the software of the flaws, the U.S. government (and other governments that participate in the exploits market) allegedly require non-disclosure agreements from the hackers who sell exploits so that the holes will stay open as long as possible. This has been called a strategy of offense: trying to maximize intelligence gathering capabilities. Geer paraphrases a former senior NSA official:
If we were to score cybersecurity the way we score soccer, we would be twenty minutes into the game and the score would be 462 to 456. That is to say: all offense.
He further explains: “Offense is where the innovations that only states can afford is going on.”
Some have argued that the result is the widespread use of software riven with security flaws that could have been fixed. Instead, the U.S. should use its market power to make software more secure by purchasing and then disclosing zero-day exploits. As reported by Wired, Geer argues that by incentivizing disclosure:
the U.S. can drastically lower the impact of international cyberwarfare. [He explains:] “We don’t need intelligence on what weapons our adversaries have if we have something close to a complete inventory of the world’s vulns and have shared that with all the affected software suppliers.”
As far as I understand, proponents of a strategy of maximizing offensive capability assume that computer systems will always have many holes and the U.S. might as well use these flaws to get as much useful intelligence as possible rather than chasing what they view as the illusory promise of real defense.
I do not know enough about the ins and outs of computer security architecture to opine as to whether the U.S. should maintain an offensive strategy or move to securing vulnerable systems with a primarily defensive strategy of disclosure. However, I would suggest that a defensive strategy may be strengthened by international coordination.
In any case, if you are interested in issues of cybersecurity then Geer’s speech is a must-listen.
[This post has been corrected to fix the misspelling of Dan Geer's name.]