Could a US Government monopsony on zero days tackle grey exploit market?

A researcher has proposed the US Government buy the world’s supply of zero day exploits to bring the grey market for software weapons under control.

Internet policy expert and Syracuse University professor, Dr Milton Mueller, has taken to task the idea that Internet security threats caused by the trade in zero-day exploits can be resolved by controlling their supply.

The challenge posed by the evolution of the exploit market is that it puts a premium on dangerous vulnerabilities and shifts incentives away from public disclosure toward “competitive efforts to gain private, exclusive knowledge of them so they can be held in reserve for possible use,” Mueller argues.

Grey market exploit vendors such as Vupen and Hacking Team have attracted attention from civil rights campaigners for allegedly selling high-priced zero-day exploits to repressive governments.

But while proposals for supply-side controls might be noble in cause, Mueller outlines several obstacles to implementing them: reaching consensus among nations that must balance regulation against national security interests; enforcing trading restrictions on digital goods; scope creep; and market participants simply going underground.

Instead, he suggests, a single, responsible buyer of zero-day exploits may be better placed to disrupt an exploit’s journey from researcher to middle-man and on to the end buyer, such as a government agency -- whether that’s an Egyptian spy agency or the US military or intelligence agency, Mueller stressed to CSO Australia.

“One idea that should be explored is a new federal program to purchase zero-day exploits at remunerative prices and then publicly disclose the vulnerabilities (using ‘responsible disclosure’ procedures that permit directly affected parties to patch them first),” writes Mueller.

“The program could systematically assess the nature and danger of the vulnerability and pay commensurate prices. It would need to be coupled with strong laws barring all government agencies – including military and intelligence agencies – from failing to disclose exploits with the potential to undermine the security of public infrastructure. If other, friendly governments joined the program, the costs could be shared along with the information.”

Mueller proposes the US Government could tackle the demand side through a “near-monopsony” agency that outbids rivals, buys up all the zero-day exploits that hackers produce, and steers that information toward “beneficial ends”.

The Department of Homeland Security -- which runs the existing CERT program -- could compile information about the scope and scale of exploits it buys.

Mueller admits terrorists, criminals and hostile states could still get around this system, but argues that suppliers -- if paid well enough -- would in the long run discover more threats than “the dark side”.

“In other words, instead of engaging in a futile effort to suppress the market, the US would attempt to create a near-monopsony that would pre-empt it and steer it toward beneficial ends. Funds for this purchase-to-disclose program could replace current funding for exploit purchases.”

But could his proposal be used to prevent an organisation from internally developing a cyberweapon along the lines of Stuxnet?

“That would require a different law or policy initiative,” Mueller told CSO Australia.

“Getting the US Government to buy and disclose [an exploit] is a different matter than stopping them from developing cyber-weapons.”

Copyright © 2013 IDG Communications, Inc.