On Sunday, Lawfare’s Paul Rosenzweig authored an
interesting post discussing zero-day exploits.
Zero-day exploits take advantage of flaws in a program's code that are unknown to
the software manufacturer. Because they
rely on unknown problems, it is virtually impossible to defend
against an attack that employs a zero-day exploit. Security considerations
therefore demand a different approach to zero-day exploits than to defense against
other, well-known attacks such as Distributed Denial of Service (DDoS) attacks,
in which hackers use programs to gain control of a network of computers and launch
organized, repeated data requests intended to knock systems offline.
Rosenzweig notes that zero-day exploits are
troubling not only because they can cause substantial, unexpected damage, but
also because they can be discovered with relatively low resources. He critiques the National Defense
Authorization Act’s (NDAA’s) current policy on preventing the proliferation of
cyberweapons, arguing that the Act seems “off-target.”
Aside from the act being vague, it is not clear
what specific problems Rosenzweig has with the NDAA. The act does state that one of the goals of
the interagency process for dealing with the proliferation of cyberweapons is
to identify relevant cyberweapons. The
act also notes that the agency may take financial measures to prevent the
proliferation of these cyberweapons, although the apparent focus of these measures
is sanctions: §946(b)(2) identifies the financial tools as
“financial sanctions” tools. While
financial sanctions may be a useful mechanism for combating organizations that
purchase and sell zero-day exploits, they should not be the only tool available
for combating these weapons. The government’s
financial tools should probably include measures that allow it to purchase
zero-day exploits. Even if the
government does not use them, it is better for the government to hold the
exploits, either to fix the errors the exploits are designed to exploit or to
prevent another buyer from getting hold of them.
Even with financial measures to purchase zero-day
exploits, the ease with which zero-day exploits can be discovered and sold
means that their use against the United States is likely inevitable. In light of this, I found Derek Bambauer’s
article, Ghost in
the Network, 162 U. Penn. L. Rev. (forthcoming, 2014), to be a thorough and
innovative treatment of this problem. If
the government focuses on mitigative rather than preventative measures
against attacks that will inevitably succeed, this strategy will not prevent all
damage from those attacks, but it will be a far more effective strategy
overall.