The debate around the sale of vulnerabilities and exploits is again playing out within the security community, and this time it comes with a new twist.
It's really an old debate, one which heated up in 2009 when a group of well-known researchers announced their "No More Free Bugs" intention to the crowd at the annual CanSecWest hacker show in Vancouver.
At the time, Dino Dai Zovi, Alex Sotirov and Charlie Miller, annoyed that vulnerability hunters weren't being properly compensated for their discoveries, reacted, in true capitalistic spirit, by telling the world that they just want to get paid.
“Vendors have been getting a freebie for a while,” Dai Zovi said. “[But] why would I want to sit down and volunteer to find a bug in someone's browser when it's a nice, sunny day outside?”
But since then, the conversation has taken on a much different tone. Remember, back in 2009, the scale of advanced persistent threats and spy viruses wasn't yet realized. There was no Stuxnet, no Flame, no Gauss. But as nation-states, prominent among them the United States, began using cyber weaponry and engaging in a modern-day arms race, governments now are paying a pretty penny for zero-day exploits, which are those attacks and threats for which there is no defense. In other words, today's researchers are selling the exploits to people who presumably want to use them, not fix them.
It's necessary to underscore the immensity of this fundamental shift. Researchers seemingly are becoming very incentivized to find vulnerabilities and create exploits that governments can use to launch attacks. As such, they appear to be becoming less incentivized to find these same vulnerabilities – and report them to the affected vendor for patching, even as bug bounty programs become more prominent.
And what it has created is a new breed of researcher who is also part mercenary -- someone who can earn hundreds of thousands of dollars by selling their discoveries to the highest government bidder. Best known of this group is France-based Vupen Security, which won a series of hacking contests at this year's CanSecWest event, but chose not to enter the competitions where they'd have to reveal the details of their exploits, opting instead to save those treasures for a government agency, better known as their deep-pocketed customers.
As Andy Greenberg of Forbes reported about Vupen in March, its business model is a risky endeavor:
In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret . . . [Vupen CEO Chaouki] Bekrar claims that it carefully screens its clients, selling only to NATO governments and “NATO partners.” He says Vupen has further “internal processes” to filter out nondemocratic nations and requires buyers to sign contracts that they won't reveal or resell their exploits. But even so, he admits that the company's digital attack methods could still fall into the wrong hands. “We do the best we can to ensure it won't go outside that agency,” Bekrar says. “But if you sell weapons to someone, there's no way to ensure that they won't sell to another agency.”
It's this mindset that has prompted concern from the Electronic Frontier Foundation (EFF), an internet civil liberties group, which argued in a March blog post that the researchers and government buyers involved in these deals are both responsible for making the internet less safe.
If the U.S. government is serious about securing the internet, any bill, directive, or policy related to cyber security should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal. Unfortunately, if these exploits are being bought by governments for offensive purposes, then there is pressure to selectively harden sensitive targets while keeping the attack secret from everyone else, leaving technology – and its users – vulnerable to attack.
Believing the group was implying that government regulations were necessary to oversee exploit sales, some coders felt attacked by the EFF (check out the thread here), which regularly advocates on behalf of security researchers.
As a result, the debate over exploit sales has now morphed beyond money and into a conversation around personal freedom and libertarianism.
Some researchers consider any attempt to regulate the exploit trade to be an attack on the free market. They believe they have a right to sell their research to any viable buyer – even if that's another government. And anything that prevents them from doing that is an unfair infringement on their basic rights.
David Maynor, founder and CTO of Errata Security, a vulnerability services company, is the most recent person to run with this argument.
Sure, people like me do things that you may not like, but trying to curtail our freedoms will do more to stop the things you do like ... The EFF describes exploit sales as "security for the 1%" using the ugly class warfare rhetoric of the #Occupy movement. It's a paranoid conspiracy theory that bankers are out to get you, and it's a paranoid conspiracy theory that exploit sellers/buyers are out to get you. Yes, I know it sucks that some people have more money than you and more security than you, but attacking them and curtailing their freedoms won't make you any better off.
Maynor's remarks sound like when Goldman Sachs CEO Lloyd Blankfein famously said that he and his firm were doing "God's work."
Let's continue with the Wall Street theme for a moment and compare it with the exploit market. The 2008 financial collapse -- from which the country hasn't come close to recovering -- underscored an extreme and desperate need for regulations. But these regulations have barely come, and the ones that have are token gestures at best.
Like Wall Street honchos, some exploit developers are wholeheartedly opposed to the government meddling in their business affairs. But just like Wall Street, they're more than happy to accept government taxpayer money. That strikes me as hypocritical, but it also may create a market imbalance.
The government shouldn't be buying 0day in secret as it upsets the market with public money. It's basically welfare for already rich people.
— Jacob Appelbaum (@ioerror) August 15, 2012
Some researchers, even ones who have admitted to selling exploits to governments for a handsome sum, suggest that the pricing signals that Appelbaum speaks of must change.
But what makes the trade of zero-days perhaps even more shadowy is that there is virtually no transparency around the process. At least the American public knew how much moolah it had to cough up to ensure that the banks were, indeed, too big to fail.
The fact researchers sell exploits to the government is bad for everyone, but is predictable given the dynamics of the vulnerability market.
— Charlie Miller (@0xcharlie) August 14, 2012
@jcran As an initial matter, I'd like to see mandatory reporting of sales (buyer,seller,$). Obviously, not with details of the actual vuln.
— Christopher Soghoian (@csoghoian) August 15, 2012
The irony of the situation is that regulations around exploit sales would force the government to stay in check too, not just the sellers, as they are among the biggest buyers.
More to come from this saga, and I don't claim to have all the answers. Exploit hunters certainly have a right to profit from their discoveries, but I just hope transparency wins out. Because when we're talking about governments buying high-powered, offensive cyber weaponry that could -- and apparently easily -- fall into the wrong hands or result in collateral damage, we're probably better off knowing about it.