The proliferation of hacking tools known as zero-day exploits is raising concerns at the highest levels in Washington, even as U.S. agencies and defense contractors have become the biggest buyers of such products.
White House cybersecurity policy coordinator Michael Daniel said the trend was “very worrisome to us.”
Asked if U.S. government buying in the offensive market was adding to the problem, Daniel said more study was needed. “There is a lot more work to be done in that space to look at the economic questions so we can do a better job on the cost-benefit analysis,” he said.
Some security experts say the government’s purchasing power could help instead of hurt. They argue the U.S. government should bring the market into the open by announcing it will pay top dollar for zero-days and then disclosing all vulnerabilities to the companies concerned and their customers.
“Given that people are now buying vulnerabilities, the U.S. should simply announce that it is cornering the market, that they will pay 10 times anyone else,” said Dan Geer, chief information security officer at In-Q-Tel, the U.S. intelligence community’s venture capital firm. He said he was speaking outside of his official capacity.
Richard Clarke, who served as counter-terrorism chief in the White House before becoming a cybersecurity advisor there a decade ago, said the government should at least review the exploits it has and disclose the vast majority.
“In some rare cases, perhaps the government could briefly withhold that information in order to run a high-priority collection mission,” he said. “Even then, however, the government should closely monitor to see if anyone else has discovered the vulnerability and begun to use it.”
Howard Schmidt, who served as White House cybersecurity czar under Obama, said he agreed with Clarke’s approach. Asked if he had made the same argument during his recent two and a half years in the White House, he said he couldn’t betray confidences by going into detail.
But Schmidt added: “The entire discussion on cascading effects and the sort of unintended consequences of any type of malware was had more than once. That’s the discussion that needs to continue to take place.”