The Market in Zero-Day Exploits

By Paul Rosenzweig
Sunday, July 14, 2013, 1:27 PM

Today's New York Times brings a rich article by Nicole Perlroth and David Sanger on the growing market in zero-day exploits. Zero-day exploits are previously unknown flaws in computer programming that make it possible to subvert the program. They are, if you will, the coin of the realm in cyber espionage or intrusion. Here are the opening paragraphs:

On the tiny Mediterranean island of Malta, two Italian hackers have been searching for bugs — not the island’s many beetle varieties, but secret flaws in computer code that governments pay hundreds of thousands of dollars to learn about and exploit.

The hackers, Luigi Auriemma, 32, and Donato Ferrante, 28, sell technical details of such vulnerabilities to countries that want to break into the computer systems of foreign adversaries.

Code flaws that researchers previously reported to software manufacturers as a matter of altruism now routinely sell for six-figure sums. And though the manufacturers, like Microsoft, bid high, they are now being outbid by nations who purchase and stockpile the exploits for use as offensive weapons.

In the physical world, the production of weaponry is restricted by the need for an industrial base. In cyberspace, weapons are bits and bytes, produced as intellectual property. With such (comparative) ease of manufacture and a global market, there seems to be precious little prospect for an arms-control type approach to eliminating the trade. The market for zero-day exploits will, I think, grow exponentially in the years to come.

All of which makes the latest efforts to address cyber weapons in the NDAA notably off-target, in my judgment. The National Defense Authorization Act for Fiscal Year 2014 includes recommendations for controls on "cyber weapons."

(a) Interagency Process for Establishment of Policy- The President shall establish an interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons through unilateral and cooperative export controls, law enforcement activities, financial means, diplomatic engagement, and such other means as the President considers appropriate.

(b) Objectives- The objectives of the interagency process established under subsection (a) shall be as follows:

(1) To identify the types of dangerous software that can and should be controlled through export controls, whether unilaterally or cooperatively with other countries.

(2) To identify the intelligence, law enforcement, and financial sanctions tools that can and should be used to suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense.

(3) To establish a statement of principles to control the proliferation of cyber weapons, including principles for controlling the proliferation of cyber weapons that can lead to expanded cooperation and engagement with international partners.

(c) Recommendations- The interagency process established under subsection (a) shall develop, by not later than 270 days after the date of the enactment of this Act, recommendations on means for the control of the proliferation of cyber weapons, including a draft statement of principles and a review of applicable legal authorities.

While the objective is certainly noble, I suspect the effort will be relatively unsuccessful.