The Policy Tension on Zero-Days Will Not Go Away

The proposition that NSA should under no circumstances stockpile zero-day vulnerabilities, but should in all cases disclose them in order to perfect defenses, apparently has appeal in some quarters.  It is based on at least two false assumptions.  The first is that the number of zero-days is finite, or, if not finite, then at least small enough that, at prevailing market prices, the United States could clear the market without either bankrupting the Treasury or creating inflation of Argentine dimensions.  Someone should do the math on this, but surely the assumption is incorrect.  The number of zero-days is unknowably huge and will continue to grow as long as people write software.  Markets are notoriously difficult to corner.  Consequently, one must always assume that there are (1) undiscovered zero-days and (2) zero-days that have been and will continue to be discovered by adversaries but not by us.

The second false assumption is that the Russians, the Chinese, the Iranians, and other cyber-capable actors would adopt the same disarmament policy.  Indeed, our unilateral adoption of that policy would make it less likely they would follow.

The sigint vs. security tension has existed at NSA for many years.  When I arrived at NSA in 2002, sigint nearly always had the upper hand over defense.  As I have observed the agency, the balance since then has shifted significantly in favor of defense.   I cannot quantify this observation, however, and I do not know precisely how this tension is now being managed.  What I do know is that the tension will not go away, and that pretending otherwise would lead to a very dangerous policy.