Could a US Government monopsony on zero days tackle grey exploit market?

A researcher has proposed the US Government buy the world’s supply of zero day exploits to bring the grey market for software weapons under control.

Internet policy expert and Syracuse University professor Dr Milton Mueller has taken to task the idea that the Internet security threats caused by the trade in zero-day exploits can be resolved by controlling their supply.

The challenge posed by the evolution of the exploit market is that it puts a premium on dangerous vulnerabilities and shifts incentives away from public disclosure toward “competitive efforts to gain private, exclusive knowledge of them so they can be held in reserve for possible use,” Mueller argues.

Grey market exploit vendors such as Vupen and Hacking Team have attracted attention from civil rights campaigners for allegedly selling high-priced zero-day exploits to repressive governments.

But while proposals for supply-side controls might be noble in cause, Mueller outlines several challenges to implementing them, including gaining consensus between nations that must balance regulation against national security; enforcing restrictions on digital trading; scope creep; and market participants simply going underground.

Instead, he suggests, a single, responsible buyer of zero-day exploits may be better placed to disrupt an exploit’s journey from researcher to middle-man and on to the end buyer, such as a government agency -- whether that’s an Egyptian spy agency or a US military or intelligence agency, Mueller stressed to CSO Australia.

“One idea that should be explored is a new federal program to purchase zero-day exploits at remunerative prices and then publicly disclose the vulnerabilities (using ‘responsible disclosure’ procedures that permit directly affected parties to patch them first),” writes Mueller.

“The program could systematically assess the nature and danger of the vulnerability and pay commensurate prices. It would need to be coupled with strong laws barring all government agencies – including military and intelligence agencies – from failing to disclose exploits with the potential to undermine the security of public infrastructure. If other, friendly governments joined the program, the costs could be shared along with the information.”

Mueller proposes that the US Government could tackle the demand side through a “near-monopsony” agency that outbids rivals, buys up all the zero-day exploits that hackers produce, and steers that information toward “beneficial ends”.

The Department of Homeland Security -- which runs the existing CERT program -- could compile information about the scope and scale of exploits it buys.

Mueller admits terrorists, criminals and hostile states could still get around this system, but argues that suppliers -- if paid well enough -- would in the long run discover more threats than “the dark side”.

“In other words, instead of engaging in a futile effort to suppress the market, the US would attempt to create a near-monopsony that would pre-empt it and steer it toward beneficial ends. Funds for this purchase-to-disclose program could replace current funding for exploit purchases.”

But could his proposal be used to prevent an organisation from internally developing a cyberweapon along the lines of Stuxnet?

“That would require a different law or policy initiative,” Mueller told CSO Australia.

“Getting the US Government to buy and disclose [an exploit] is a different matter than stopping them from developing cyber-weapons.”


Stories by Liam Tung
