The Global Market For Security Exploits - Zero Day
I’ve previously written about why everything is so easy to hack. I’ve come at the issue from two sides. On one side, the organizations that are targeted don’t understand how to defend themselves. On the other side, governments are building powerful teams of hackers that can break the most powerful and expensive security that’s already in place.
There’s a third side to the issue, however, and it makes security professionals bite their nails off. The government has deliberately invested in weakening commercially-available cyber defenses.
In my last article, I wrote that state-sponsored hacking groups will often use a zero-day exploit to accomplish a breach. These exploits are rather rare, but in terms of effectiveness they’re about as deadly as a bunker-buster bomb. What makes a zero-day exploit so dangerous?
Most commercially-available software is tested rigorously before being released. In theory, this is not just to ensure that the product is functional, but also to make sure that any consumer data is securely stored.
Software development is an extremely competitive market, however, and deadlines are always creeping up. Because of this, most testing focuses on the functionality side, and less on the security side. Oftentimes, a product is released with security flaws that a developer knows nothing about. That, in a nutshell, is a zero-day exploit.
Software developers aren’t stupid, and most software products are supported for a certain duration after they’re released. Even if a product gets pushed out with security holes in it, they’re usually patched in the first week s or months after launch. This process is still imperfect.
There are widely-used, well-supported products out there today that almost certainly have holes in them, holes that would allow a clever attacker to obtain your personal data. One good example of this from recent history was the Heartbleed bug. This vulnerability existed for two years before it was discovered, and affected some of the most heavily-trafficked sites on the internet.
In the world of zero-days, Heartbleed was a comparatively lucky find. The exploit was discovered by researchers, not hackers, and was solved with a widely-distributed patch. When an exploit is discovered by someone less ethical, bad things happen.
Remember: If you discover a flaw in a company’s product, you’ll be lucky to just get rudely brushed off, if not threatened with legal action. Faced with this intransigent attitude, many hackers and researchers decide instead to sell their findings – and the biggest buyer is the U.S. government.
The U.S. government is the world’s largest buyer of zero-day exploits. There are other buyers out there – there’s even, inevitably, a darknet marketplace that will pay in bitcoin for undiscovered bugs. No one is purchasing this data out of a concern for anyone’s well-being. Information on previously unknown security holes is being used almost entirely for the purpose of stealing data from countries believed to be hostile. This is a flawed and reckless strategy.
A good defense is also a strong offense, right? Not in this instance. Let’s go back to the Heartbleed example. Let’s say that instead of Heartbleed being discovered by security researchers, it was first discovered by a bunch of bad guys – black hats – who then sell it to the government. (This, by the way, almost certainly did not happen.)
The government then goes around and uses the bug to profitably hack several foreign governments and terrorist organization – so far, so good. The thing about black hats, however, is that there are a lot of them. They’re very smart, in their criminal way, and they tend to devote their efforts to similar problems. It is entirely possible that two groups of bad guys, working independently, might discover the same security vulnerability.
Once two groups have discovered the same zero-day exploit, things get complicated. While the U.S. is busy hacking China or North Korea, the second group might be hacking businesses in America. They could even sell it to another non-aligned state, which might conceivably start hacking the U.S. government with the same exploit that the U.S. is hacking it with.
Essentially, the result of this secrecy equates twice as much theft and intrigue, which might directly result in human misery in the real world. People lose their jobs after security breaches. Their reputations are damaged; their savings and identities are stolen. There is an increasingly likelihood of real-world, physical damage and loss of life. Compare this result to the scenario in which the U.S. government discloses the Zero Day to the public.
In a world in which governments transparently disclose information security vulnerabilities, there’s a lot less strife. Heartbleed caused a large kerfuffle, but as soon as it was discovered there was a patch that could fix it.
Transparency, in the world of cybersecurity, is always going to provide better outcomes than secrecy. Unfortunately, this better world is probably beyond our reach, as it was recently revealed that the U.S. government, in conjunction with Israel, has not just been hoarding zero days, but also hacking security companies in order to reverse-engineer their products.