
Monday, July 15, 2013

Zero-Day Exploits and Cyberwarfare

On Sunday, Lawfare’s Paul Rosenzweig authored an interesting post discussing zero-day exploits.  Zero-day exploits take advantage of flaws in a program’s code that are unknown to the software manufacturer.  Because they exploit problems no one has yet identified, it is virtually impossible to defend against an attack that employs a zero-day exploit.  This means that security considerations demand a different approach to zero-day exploits compared to defense against other, well-known attacks such as Distributed Denial of Service (DDoS) attacks, where hackers use programs to gain control of a network of computers and launch organized, repeated data requests that seek to knock systems offline.

Rosenzweig notes that zero-day exploits are troubling not only because they can cause substantial, unexpected damage, but also because they can be discovered with relatively low resources.  He critiques the National Defense Authorization Act’s (NDAA’s) current policy on preventing the proliferation of cyberweapons, arguing that the Act seems “off-target.”

Aside from the act being vague, it is not clear what specific problems Rosenzweig has with the NDAA.  The act does note that one of the goals of the interagency process for dealing with the proliferation of cyberweapons is to identify relevant cyberweapons.  The act also notes that the agency may take financial measures to prevent the proliferation of these cyberweapons, although the apparent focus of these measures is financial sanctions, with §946(b)(2) identifying financial tools as “financial sanctions” tools.  While financial sanctions may be a useful mechanism for combating organizations that purchase and sell zero-day exploits, this should not be the only tool available for combating these weapons.  The government’s financial tools should probably include measures that allow the purchase of zero-day exploits.  Even if the government does not use them, it is better that the government have the exploits, either to fix the flaws the exploits target or to prevent another buyer from getting hold of them.

Even with financial measures to purchase zero-day exploits, the ease with which zero-day exploits can be discovered and sold means that their use against the United States is likely inevitable.  In light of this, I found Derek Bambauer’s article, Ghost in the Network, 162 U. Penn. L. Rev. (forthcoming, 2014), to be a thorough and innovative treatment of this problem.  If the government focuses on taking mitigative rather than preventative measures against inevitably successful attacks, this strategy will not prevent all damage from these attacks, but it will be a far more effective strategy overall.
