Media: ‘Zero-day’ hacking reform raises hackles with US tech groups - Financial Times

Chris Bryant, Financial Times, 14.01.2014

Not so long ago it was common for hackers to report a newly discovered software security flaw to the vendor so it could be patched. In exchange the hacker would be rewarded with a T-shirt, or perhaps just the bragging rights.

But today hackers are able to sell previously unknown software vulnerabilities, known as “zero days” due to the time between discovery and the first attack, for six-figure sums on a booming grey market. The buyers tend not to want to fix the software vulnerability but rather to exploit it. As well as criminals, they include western governments that need an arsenal of zero days in order to spy and build cyber weapons.

The US National Security Agency is thought to be a large customer, spending more than $25m last year on “covert purchases of software vulnerabilities”, according to documents obtained by Edward Snowden, the contractor turned whistleblower, and seen by The Washington Post.

As President Barack Obama prepares this week to announce reforms of spying practices in the wake of Mr Snowden’s disclosures, the issue of zero days has come sharply into focus. Amid an outcry from US technology companies, which say the government’s activities are undermining security and their overseas businesses, the panel appointed by Mr Obama to review the NSA’s activities has controversially recommended greater oversight of how the US handles such software vulnerabilities. They should be quickly patched to protect US networks, and only in rare cases should the US authorise a zero-day attack for “high priority intelligence collection”, the panel wrote in a December report.

The appropriate balance between attack and defence has long been a source of debate within the NSA due to its dual mission to tap electronic communications overseas and protect US networks at home. The NSA was not immediately available for comment.
Richard Clarke, the former White House cyber tsar and member of the NSA review panel, told the Financial Times in a 2012 interview: “I think what is happening is when NSA is told about a vulnerability, they start exploiting it, and they say we’ll tell American companies about it if we ever see signs [that] China, or Russia have figured it out and are using it. But until then we’re going to use it.

“[But] I think the US government’s first responsibility is not to run around getting into other countries’ networks. The US government’s first responsibility is to protect networks in the US – banks, electric power companies and things like that. It’s not clear to me that there is a decision-making process that takes all that into account.”

The use of zero-day technologies has its defenders in the intelligence community. Joel Brenner, former NSA inspector-general and senior counsel, now a consultant, says: “To some degree the proposal to forbid the use of zero-day attacks is a proposal to shut down signals intelligence. The idea that we would unilaterally disarm our signals intelligence agencies is cockeyed.”

Also, Morten Stengaard, chief technology officer at Secunia, a Copenhagen-based cyber security company, says: “Cyberspace is where the next wars will take place. Saying governments should disclose these vulnerabilities is like saying they shouldn’t be allowed to buy weapons to defend their countries.”

Western governments have, however, begun to recognise that in the wrong hands, zero days can be extremely harmful. Millions of Adobe customers were left exposed in August when the company’s source code was stolen. Armed with that code, criminals can much more easily spot zero-day vulnerabilities in its popular Photoshop software and Acrobat document reader and exploit these to hack into users’ machines.
Meanwhile, regimes with poor human rights records can use zero days to help them install surveillance software on the computers and mobile phones of opposition activists. Accordingly, western governments – including the US, UK, Russia and most EU states – in December agreed to toughen export controls on “intrusion software” under the so-called Wassenaar Arrangement on dual-use technologies. While praising this first step, Marietje Schaake, a Dutch MEP, says: “However, the EU needs to do more to implement the export controls, to broaden the scope and clarify the definitions used.”

Software companies have also raised so-called bug bounties for hackers willing to disclose a software flaw directly to the vendor; in June, for example, Microsoft said it would pay up to $100,000 for newly identified vulnerabilities, a figure dismissed by some hackers as too small.

In the meantime, western governments continue to search for and exploit zero days, fuelling an arms race that critics say makes software and hardware less secure. Mikko Hypponen, chief research officer at F-Secure, a Finland-based computer security company, complains that “one of the main threats to large American software companies right now is the likelihood of their software getting hacked by their own government.

“If someone had told me a decade ago that by 2013 it would be absolutely normal for civilised democratic nations to create malware and backdoors and use them against their own citizens and other democratic nations, I wouldn’t have believed it. But here we are today,” he concludes. “I don’t think it’s going to go away.”