Zero-Sum Game: The Global Market for Software Exploits

On July 13, 2013, Nicole Perlroth and David Sanger published a story entitled “Nations Buying as Hackers Sell Flaws in Computer Code” in the New York Times. Perlroth and Sanger wrote:

All over the world, from South Africa to South Korea, business is booming in what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.

. . .

But increasingly the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran’s nuclear enrichment program with a computer worm that became known as “Stuxnet.”

The flaws get their name from the fact that once discovered, “zero days” exist for the user of the computer system to fix them before hackers can take advantage of the vulnerability. A “zero-day exploit” occurs when hackers or governments strike by using the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, that there is a previously undiscovered way to break into a house without sounding an alarm.

The cybersecurity challenge created by the emerging global market in “zero day” exploits has been recognized before by experts (see, e.g., efforts by Christopher Soghoian of the ACLU to highlight this issue) and journalists (see, e.g., this story entitled “The Digital Arms Trade” from The Economist on March 30, 2013). But the Times article gives this problem heightened exposure and will increase political attention on it. With companies–such as Microsoft, Google, and Facebook–and countries–such as Brazil, Britain, China, India, Iran, Israel, Malaysia, North Korea, Russia, Singapore, South Africa, South Korea, and the US–willing to buy “zero day” exploits, Perlroth and Sanger report that “the market for information about computer vulnerabilities has turned into a gold rush.”

Among the many cybersecurity issues the development of this market creates is the question of whether to regulate it, and, if regulation is thought prudent, how to regulate the problem effectively. In its article, The Economist noted that:

Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

The effort to turn to export-control laws as a way to regulate the sale of “zero day” exploits or, more broadly, the development and sale of purpose-built malware, suggests that strategies and “soft” or “hard” regimes used in non-proliferation and arms control might serve as a basis for thinking about what to do about the market for “digital weapons,” including:

• National export-control laws with multinational coordination of such regimes among countries (a cyber version of something like the Wassenar Arrangement);
• Bans or limitations on development, transfer, and use of certain weaponized code intended to have specific purposes or effects considered illegitimate (a cyber version of something like the Protocol Banning Blinding Laser Weapons); or
• Confidence-building measures, including declaratory policy strategies, aiming for heightened transparency and trust (cyber versions of the CBMs used in the BWC or of “no first use” declaratory statements).

The attractiveness of drawing on ideas from non-proliferation and arms control experience in the realm of cyber weapons exists, as made clear by, among other things, a provision in the proposed National Defense Authorization Act for Fiscal Year 2014 for the President to “establish an interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons through unilateral and cooperative export controls, law enforcement activities, financial means, and diplomatic engagement, and such other means as the President considers appropriate” (Sec. 946, Control of the Proliferation of Cyber Weapons).

Without question, reasons why cyber versions of these approaches would not work can multiply rapidly, including arguments related to the questionable effectiveness of these strategies in their traditional non-proliferation and arms control contexts. In addition, as in many areas of cybersecurity policy and law, reasoning by analogy to policies and regimes designed for other challenges breaks down rather quickly because cyber presents such a different kind of problem attached to technologies unlike what non-proliferation and arms control efforts have addressed in the past.

These various reasons are often why cybersecurity experts exhibit skepticism about “arms control” in the cyber context. Here are Paul Rosenzweig’s thoughts on this question in his blog post on the Perlroth and Sanger article on “zero day” exploits:

In the physical world, the production of weaponry is restricted by the need for an industrial base. In cyberspace, weapons are bits and bytes and produced as intellectual property. With such an ease of manufacture (comparatively) and a global market, there seems to be precious little prospect for an arms-control type approach to eliminating the trade. The market for zero-day exploits will, I think, grow exponentially in the years to come.

Rosenzweig’s prediction might well prove accurate, but policy concerns with this uncontrolled global market for “zero day” exploits and other purpose-built malware are mounting, as illustrated by the ideas being floated in the European Parliament and (perhaps ironically given significant US government participation in this market) by proposed Section 946 of the National Defense Authorization Act for Fiscal Year 2014. As the market charges on, policy anxieties and demands for action will also increase, which will make efforts to control behavior amounting to “beggar thy neighbor’s software” one of the most interesting and difficult cybersecurity challenges governments and companies face.