[Dailydave] Neal Stephenson, the EFF and Exploit Sales

Wed Aug 15 05:28:03 EDT 2012

Fascinating post and good comments! I did some research on this, and I'm trying to push some international regulation on 0days (sorry about that..), so I'd like to add a few thoughts.

(1) 0days are not the only attack vector of course, but they are important for APTs. APTs want to have high confidence into their attacks, and they usually go for high value targets. High value targets (should) have fairly good IT-sec and awareness, so a highly reliable attack path can best be created by a combination of 0days and secret service tactics. They will use some other stuff with sufficient reliability too, but 0days will be important. 

(2) Because of this, 0days could be considered potential weapons and controlled respectively. In Germany, we have the "Kriegswaffenkontrollgesetz" (War Weapons Control Act), controlling the creation, sale and export of any kind of weapons, and it's likely that we will have to enforce a similar kind of transparency regarding 0days. The US has something similar, the EAR (Export Administration Regulations). This doesn't inhibit your research. You can still research and sell. But: (1) there will be paperwork, (2) you might have to implement more security in your own offices so no bad guys from other militaries steal your exploits (which they will certainly try from now on, by the way), (3) very dangerous exploits might be confiscated or disclosure might be limited to those affected only, and (4) you will only be able to sell to friends, not to potential adversaries (every country has a list).

(3) Some governments are hoarding 0days already (as far as possible NOT cooperating with any kind of industry on this), and they are refining tools, modularization and methodologies to extend the shelf-life and render them into multi-purpose tools, so the CBRs get better (whoever brought up this idea of "cyber"weapons being single-use only was an idiot). This is a fact from now on. And because governments are hoarding, but frequently don't pay enough to afford high-end researchers and developers, a new kind of industry is already developing: the hacker mercenary. This is a business model for the nearer future and a great concern for us regulators. Governments are dangerous, but they behave along certain rational patterns and will not do with certain things. Many mercenaries will simply sell to whoever has the money, no matter what the plan is. If we do not control them, they might sell exploits for allied IC4R-C&C-systems to the Taliban, to state a worst case example. That would turn a crucial advantage into a crucial disadvantage, and it could turn the tides there.

(4) To confront this whole thing, a friend of mine and I once made a fairly rough thought experiment (rough because many of the numbers had to be educated guesses) on this question: how many 0days would have to be discovered per month to discourage APTs for good and finish the whole story at this most dangerous end. If a high amount of 0days would be discovered each month, APTs couldn't be certain that the one they are developing or using at present isn't among them, blowing up their whole attack prematurely, which has a couple of very negative side-effects. Concluding, they will lose confidence into this kind of tool and turn back to more old-fashioned vectors. From our admittedly rather hypothetical assumptions, it turned out that a sufficient effort on mass discovery of 0days could be undertaken, if only 20 willing nations would invest about 20 million Euros per year - a fairly small price to pay in comparison with the risks and the costs associated with high-security IT as an alternative. So this could be a goal of international IT-defense cooperation. It would completely destroy the 0day market, of course (although you could presumably assume very good posts in government, academia and consulting), and there will be a couple of other problems like getting the sufficient amount of hackers to do the job and getting the industry to patch all that stuff in time. But those problems could be preferable to the vast spectrum of alternative problems. The paper on this is here: http://www.cyberdialogue.ca/readings/ (it's called "Zero Day Governance"), and we'd love to get some critical comments on our assumptions, should you feel inclined to read into it. We'll try to get those substantiated by more empirical research, by the way - promised! :)

So sorry if there's a bunch of bad news here, but 0days have turned into an important military asset these days. Stuxnet started it as a proof of concept, and it's an irreversible trend. It just makes a lot of sense from an offensive point of view. Associated with that, being a security researcher will change quite a bit over the next few years.

Best,
Sandro (since most of you won't know me: a university researcher and a government guy (in Germany))