The Policy Tension on Zero-Days Will Not Go Away
Published by The Lawfare Institute
The proposition that NSA should under no circumstances stockpile zero-day vulnerabilities, but should in all cases disclose them in order to perfect defenses, apparently has appeal in some quarters. It is based on at least two false assumptions. The first is that the number of zero-days is finite, or, if not finite, then at least small enough that, at prevailing market prices, the United States could clear the market without either bankrupting the Treasury or creating inflation of Argentine dimensions. Someone should do the math on this, but surely the assumption is incorrect. The number of zero-days is unknowably huge and will continue to grow as long as people write software. Markets are notoriously difficult to corner. Consequently, one must always assume that there are (1) undiscovered zero-days and (2) zero-days that have been and will continue to be discovered by adversaries but not by us.
The second false assumption is that the Russians, the Chinese, the Iranians, and other cyber-capable actors would adopt the same disarmament policy. Indeed, our unilateral adoption of that policy would make it less likely they would follow.
The sigint vs. security tension has existed at NSA for many years. When I arrived at NSA in 2002, sigint nearly always had the upper hand over defense. As I have observed the agency, the balance since then has shifted significantly in favor of defense. I cannot quantify this observation, however, and I do not know precisely how this tension is now being managed. What I do know is that the tension will not go away, and that pretending otherwise would lead to a very dangerous policy.
Joel F. Brenner specializes in cyber and physical security, data protection and privacy, intelligence law, the administration of classified information and facilities, and the regulation of sensitive cross-border transactions. He was Senior Counsel at the National Security Agency, advising Agency leadership on the public-private effort to create better security for the Internet. From 2006 until mid-2009, he was the head of U.S. counterintelligence under the Director of National Intelligence and was responsible for integrating the counterintelligence activities of the 17 departments and agencies with intelligence authorities, including the FBI and CIA and elements of the Departments of Defense, Energy, and Homeland Security. From 2002 – 2006, Mr. Brenner was NSA’s Inspector General, responsible for that agency’s top-secret internal audits and investigations. He is the author of America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare.