Hackers’ Bazaar: the President’s NSA Speech and the Market for Zero-Day Exploits

All Things Considered ran an interview this past Monday with Alex Fowler, the chief privacy officer of Mozilla (developer of the Firefox web browser), stemming from a blog post Fowler had written critiquing President Obama’s speech last week concerning NSA activities. When asked about the “most glaring reform needs” that were not addressed in the President’s speech, Fowler said:

right now, we have a policy approach in Washington which is focused on not closing security holes but actually [on] hoarding information about security backdoors and holes in our public security standards and using those then to exploit them for intelligence needs. In our perspective, and I think certainly those of your listeners – as you think about the news related to Target data breaches and breaches with Snapchat and other common tools that we use every day – that what we really need is to actually focus on securing those communications platforms so that we can rely on them. And that we know that they are essentially protecting the communications that we’re engaged with.

This relates to the market for so-called “zero-day exploits,”  where the U.S. government pays hackers for information about holes in software security that its intelligence and law enforcement agencies can then use for surveillance. (The market for zero-day exploits is described in greater detail in this previous post.) The U.S. also pays the sellers of these exploits to keep the holes secret, not even warning the company that has the security hole, so that the exploit may remain useful to the U.S. government for as long as possible. Unfortunately, this also means it will remain open for criminal hackers who have also discovered the hole.

The injection of U.S. government funds has transformed a formerly loose, reputation-based, market into a lucrative global bazaar with governments driving up prices and the formation of firms with business models based on finding and selling exploits to the U.S. and other governments. Although cash-rich companies like Microsoft are responding by trying to out-bid state actors for information about zero day exploits in their own products, the money in the market has shifted from rewarding security into incentivizing insecurity:

…nearly everyone seems to be in the market for zero-days; a report earlier this year claimed that the U.S. government is the biggest buyer of zero-day vulnerabilities. Even the NSA contracts with zero-day exploit vendors like the French firm Vupen Security. In fact, Professor Ross Anderson, of the University of Cambridge, previously told TechWeekEurope that “researchers are purposefully placing bugs in open source software during the development stages, so that when code appears in completed products, those same researchers can highlight the flaws and profit from them where companies are willing to pay.”

As mentioned in my previous post on the exploits market, there have been calls for regulation.  The Internet Governance Project has written about one possible form for such regulation:

We suggest focusing policy responses on the demand side rather than the supply side. The zero-day market is largely a product of buyers, with sellers responding to that demand. And if it is true that much of the demand comes from the US Government itself, we should have a civilian agency such as DHS compile information about the scope and scale of our participation in the exploits market. We should also ask friendly nations to assess and quantify their own efforts as buyers, and share information about the scope of their purchases with us. If U.S. agencies and allies are key drivers of this market, we may have the leverage we need to bring the situation under control.

One idea that should be explored is a new federal program to purchase zero-day exploits at remunerative prices and then publicly disclose the vulnerabilities (using ‘responsible disclosure’ procedures that permit directly affected parties to patch them first)…

In other words, instead of engaging in a futile effort to suppress the market, the US would attempt to create a near-monopsony that would pre-empt it and steer it toward beneficial ends. Funds for this purchase-to-disclose program could replace current funding for exploit purchases.

[Emphases added.]

It’s an interesting idea that uses a combination of regulation and the U.S. dominant position in the market to set new norms, the most important of which would be the U.S. disclosing the vulnerabilities it purchases. This would essentially reverse the goal of the purchases from keeping exploits secret and unpatched to publicly disclosed and fixed. The latter would allow the affected company to increase its security and consumers to beware or possible loss of privacy/ data.

But what would be the government incentive to pay money to do this?  Couldn’t this be left to the companies themselves to purchase exploits in order to fix their own systems; in other words, the market as it existed before the large-scale entrance of the U.S. government? The problem is that the entrance of the U.S. into the market has brought other governments into the bidding as well. It may not be easy, or as cheap, for companies to defensively purchase exploits, even without the U.S. bidding up the price. China, Russia, or some other countries may be there to outbid private actors. So there may well be a need for U.S. government action in the exploits market to help secure systems.

Moreover, the IGP writers noted the possibility of coordinating with other countries, This is a point worthy of emphasis. Although the U.S. government is, for the moment, seemingly the biggest purchaser of exploits, multilateral cooperation may be crucial for effective market regulation.  A group of states acting together could have much broader reach in protecting the data of their companies and the privacy of their citizens. However, it would make spying by the NSA and other such agencies more difficult.

Right now, the U.S. cyberstrategy is largely offensive: finding as many ways to scoop up data and exploit target computer systems as possible.  What the IGP and others have suggested is switching to a defensive strategy: trying to make the internet as secure as possible.  Some have balked that robust data security on the internet is not feasible given its architecture, and so offense has to be the default strategy.  I am not a computer scientist and I don’t know how to resolve that debate.

I do understand that the President would not want to discuss the exploits market in his surveillance speech, particularly when the U.S. is itself the main market actor on the demand side.

But,  as we have an ongoing public debate about our cyberstrategy in the coming weeks, we need to  consider the costs and benefits of pursuing a primarily offensive or defensive strategy (or various combinations of the two). And, assessing such strategies will require addressing  the hackers’ bazaar of zero-day exploits, and not passing it by in silence.