The market for zero-days — a business largely focused on the indiscriminate sale of undisclosed security flaws — exists in a quasi-legal grey zone that must be curtailed by the U.S. government, according to a research paper released by D.C.-based think tank New America.
New America’s Open Technology Institute offered five recommendations to mitigate regulatory and security concerns in the existing zero-day market, including that the U.S. government “minimize its participation” — despite being one of the market’s largest customers.
“The U.S. government is in a unique position to significantly shrink this [zero-day] market simply by not participating, as it is one of the largest buyers — indeed, probably the single largest buyer — in that market,” the report reads.
Vulnerability research firms and dark web dealerships are often responsible for selling security vulnerabilities to the highest bidder, the research paper suggests. Because zero-days are discovered and traded covertly, they are typically purchased by independent actors rather than by the companies whose products are consequently left open to a breach.
Some security experts cited in the OTI paper, however, object to the clandestine use of zero-days, arguing that keeping such flaws undisclosed promotes a poor security environment across the internet.
“The economics of the zero-day market are not good for security. Period. If we mess with that a little bit and the market changes to some degree then that may not be for the worse,” Ari Schwartz, a former senior director for cybersecurity on the National Security Council, told FedScoop.
Schwartz, who was not quoted in the paper, said a better route would be for the government to find the vulnerabilities itself, then disclose them to the responsible companies.
“I think that would really weaken the market for zero-days even more,” said Schwartz, now a managing director of cybersecurity services for D.C.-based law firm Venable LLP. “Our government has the ability to find their own [zero-days], so I think they probably won’t purchase as many in the future.”
The private sphere has become cognizant of the zero-day vulnerability marketplace’s influence on its security operations. As a result, companies have started relying on “bug bounty programs” — open, crowdsourced programs in which hackers are invited to discover vulnerabilities — to find flaws before they can be exploited.
Prominent technology brands like Facebook, Google and Twitter have all launched formal bug bounty programs in the past several years to help improve security.
New America’s report concludes that legislation must be created to incentivize — rather than punish — researchers and other security experts who help disclose vulnerabilities they find.
“If policymakers want to increase online security, they must first understand the building blocks of the insecurity: software vulnerabilities. The U.S. has an obligation to examine its role in the vulnerabilities market,” Ross Schulman, co-director of New America’s cybersecurity initiative and senior counsel at OTI, wrote in a statement.
Schulman told FedScoop in an email that the think tank has begun to share the vulnerability research paper with “colleagues on the Hill” and that it has received “interest from those offices.”