We have discussed the manifold challenges of zero day vulnerabilities quite a lot on this blog – why they are central to the cybersecurity challenge, how their discovery is vital to both offensive and defensive postures in cybersecurity, optimal USG policy on stockpiling v. publishing and patching vulnerabilities, and the like. One little-discussed but important question in this vein is what policies the United States should pursue in regulating the global market in zero days. This is an enormously complex question that combines all of the difficulties of clamping down on zero days with all of the difficulties of global governance.
Michele Golabek-Goldman of the Yale Law School and the Harvard Kennedy School has written what I believe is by far the best analysis of this question. (Disclosure: I advised Michele on this paper.) From her Executive Summary:
This report provides recommendations for mitigating the cybersecurity threat emanating from this global, unregulated market. It acknowledges the immense challenge of regulation and proceeds from the premise that eliminating dangerous Øday sales is virtually impossible. Such transactions are “intangible” and often anonymous, and determined buyers and sellers could frequently circumvent regulations. The threat of dangerous Øday sales to buyers seeking to deploy them for malicious purposes is also one of the most global threats that exist today. Øday discoverers, exploiters, purchasers, brokers, perpetrators, software vendors, and victims reside in nations throughout the world and therefore no single country can mitigate the threat acting alone. Due to the dual-use nature of Ødays, regulatory proposals should also be carefully circumscribed to encourage good-willed researchers who sell their discoveries to software vendors to continue to operate in order to augment global security. While acknowledging these challenges, this report proposes initial measures that would begin to mitigate the current threat, rendering it more difficult and costly to sell Ødays to those who seek us harm.
I formulated this report’s policy recommendations based on extensive secondary research and discussions with experts. The four key criteria that shaped this report’s recommendations are impact on national security and the economy, timeframe and political feasibility, low costs of compliance for industry, and balancing the vital need to safeguard U.S. national security with the need to garner international support for curbing indiscriminate Øday sales.
Michele makes these seven policy recommendations (which are explained and defended in detail in the paper, and some of which build on a previous essay with Paul Stockton):
- Use the carrots of the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (“SAFETY Act”) to incentivize software developers to invest in stronger security.
- In order to raise the penalties and risks associated with indiscriminately selling dangerous Ødays, the international community should establish uniform export controls of these sales through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
- The United States should collaborate with international partners to establish a cybersecurity task force on Øday sales modeled after the highly successful Financial Action Task Force on Money Laundering (“FATF”).
- Congress should amend the Computer Fraud and Abuse Act (“CFAA”) to criminalize indiscriminate sales of Ødays in conformity with the task force’s recommendations.
- Although the intangible nature of Øday transactions and anonymous characteristics of the market would make detection of prohibited sales on the underground market difficult, intelligence and law enforcement agents could overcome this challenge through global sting operations.
- In order to stem illicit Øday sales on the underground market, software vendors should offer more competitive prices for Ødays through competitive white hat bounty programs.
- The U.S. government should establish an independent panel, comprised of representatives from the software industry, cyber insurance industry, critical infrastructure industries, export control specialists, law enforcement, and other key stakeholders to review these recommendations before implementation.