Cyberattacks are inevitable and widespread. Existing scholarship on cyberespionage and cyberwar is undermined by its futile obsession with preventing attacks. This Article draws on research in normal accident theory and complex system design to argue that successful attacks are unavoidable. Cybersecurity must focus on mitigating breaches rather than preventing them.
First, the Article analyzes cybersecurity’s market failures and information asymmetries. It argues that these economic and structural factors necessitate greater regulation, particularly given the abject failures of alternative approaches. Second, the Article divides cyber-threats into two categories: known and unknown. To reduce the impact of known threats with identified fixes, the federal government should combine funding and legal mandates to push firms to redesign their computer systems. Redesign should follow two principles: disaggregation, dispersing data across many locations; and heterogeneity, running those disaggregated components on variegated software and hardware. For unknown threats – “zero-day” attacks – regulation should seek to increase the government’s access to markets for these exploits. Regulation cannot exorcise the ghost in the network, but it can contain the damage it causes.

Bambauer argues that:
While a complete defense to zero-day attacks is impossible, policymakers can improve cybersecurity with three regulatory moves: mandatory access to public zero-day markets for the federal government, required confidential reporting on transactions by firms in those markets, and a reward system for researchers who share vulnerabilities with the government. Congress should pass legislation implementing these measures. America should try to convert unknown unknowns to known unknowns. First, firms that transact in software security vulnerabilities should be required to permit the federal government to participate in any offerings or services they provide, on non-discriminatory terms. If Vupen, for example, sought to sell zero-day exploits to France’s security services, but not to America’s National Security Agency, that would be problematic. American law should make paid access by the U.S. government a condition of legal operation for software security firms. This enables the government to develop and deploy countermeasures to at least some zero-day attacks.
Congress has taken analogous measures for other potential risks to national security. For example, one cannot obtain a patent for inventions in nuclear materials or weapons. Such inventions are eligible for a governmental reward scheme, but not for patents. And, the statute transfers rights to the invention from the inventor to the federal government. Similarly, export controls restrict private firms’ ability to engage in transactions with foreign countries. One may not transfer software utilizing encryption to countries such as Iran or North Korea, and one may not sell certain supercomputers to countries such as China or Russia. These rules apply to all firms within U.S. jurisdiction. Thus, Congress has either mandated or forbidden certain transactions based on national security concerns, and could mount a similar effort for zero-day sales.
Not all zero-day merchants fall under American jurisdiction, or enforcement. However, even those operating abroad likely have contacts with the United States. Vupen’s employees visit the United States. Many, if not all, such firms use financial or payment processing companies that are subject to U.S. regulation. These links provide potential leverage. Congress could attach provisions to this legislation that would allow the executive branch to designate firms that do not provide access to the government, and to require banks and payment processors to forgo transactions with them. Analogous measures have been implemented to interdict financing for terrorist groups, and have been proposed to deal with sites offering prescription drugs or copyrighted works illegally.
Second, Congress should mandate a transaction-reporting system for firms trading in vulnerabilities. These companies should have to report, on a confidential basis, the purchaser’s identity in all transactions of zero-day exploits to the National Security Agency (NSA). This data would remain confidential, and should be designated as statutorily immune from discovery or other use unless the NSA expressly chooses to share it. The statute should enable auditing of firms’ records by the NSA if the agency is able to demonstrate an objectively reasonable basis to suspect inaccuracies or falsification. To make this provision less objectionable for the vulnerability merchants, Congress should include payments to firms that report. While additional spending is politically difficult, this expenditure would be a small but worthwhile investment in security.
Similar reporting systems are widely used to mitigate risk. The National Aeronautics and Space Administration encourages confidential reporting of “near miss” incidents – those that nearly resulted in aviation mishaps – to improve safety procedures and detect product defects. Insurers offering policies for medical malpractice liability must report judgments and settlements to the National Health Practitioner Data Bank. This malpractice information is available for use by state medical licensing boards and federal agencies, but is otherwise confidential. The Federal Railroad Administration is testing a Close Calls Demonstration Project to identify risks in rail operations via confidential reporting of near-miss incidents. The Department of Veterans Affairs has a similar system for patient safety, as does the Federal Communications Commission for network outages.
A zero-day reporting system has several benefits. It would enable the government to detect problematic sales, particularly to unfriendly states and to insecure parties. It would increase the effectiveness of countermeasures that mitigate zero-day exploits by providing a rough guide to how widely distributed a particular attack tool is. It would allow the government to identify whether firms follow their stated criteria for sales (such as Vupen’s self-imposed limit to NATO countries and clients), and to scrutinize suspect firms more closely. Lastly, it would provide a crude estimate of the ebb and flow of the zero-day threat, and of the platforms and applications viewed by the merchants as worthy of attention (and payment).
Finally, Congress should authorize a “bug bounty” program. Its goal would be to collect zero-day exploits, and to encourage researchers to sell their findings to the U.S. government rather than to private firms or other nation-states. A government agency, such as the NSA or the U.S. Computer Emergency Readiness Team, should be provided funds to buy zero-day vulnerability information. The entity selling the exploit, such as a security research firm, would have to certify under penalty of perjury that it had not previously shared the vulnerability information with others, and would have to agree contractually not to do so in the future. Congress should consider backing these requirements with substantial criminal penalties. Arms dealers who sell to both sides are held in low esteem.
Similar private bounty programs, such as those run by Google and Mozilla, have had considerable success in identifying and remediating bugs. The funding, and the amount paid per bug, should be generous: removing zero-days from the Internet ecosystem is highly worthwhile. Moreover, generous payments will have two further beneficial effects. First, they will spur researchers to search for additional bugs. These bugs are like latent defects in a product – they lurk, creating risk, until discovered. Second, paying above-market rates makes it more difficult for others to purchase zero-days. Pushing others out of the zero-day market is useful both offensively and defensively. Offensively, accumulating zero-days provides the U.S. with the building blocks for future Stuxnets. Defensively, it reduces the likelihood that American firms or government entities will fall vulnerable to attacks.
The bug bounty program will create several challenges. First, price: more competition for zero-day exploits will drive up their cost. This increase will burden the public fisc slightly, but helpfully generates added incentives for research into bugs. Second, the government will need to decide how to use exploit information. Congress could establish rules for what NSA may do with the data, or it could defer to the agency (and, by extension, the executive branch) to make that decision. If the NSA uses the exploits to build cyberweapons, such as Stuxnet, or to enable others to do so, it is likely to share vulnerability information less widely than it would without a vision of offensive use. If the agency enables other government entities or private firms to take precautions against the zero-days, it risks having those patches shared, including with potential targets. And, there is an ironic feedback effect: the more important the vulnerability, the greater the temptation to weaponize it, and thus to withhold it from other affected parties.
The hardest decision regarding sharing is determining whether to notify the affected vendor. This Article argues that telling the vendor about the vulnerable code should be the default practice, with two caveats. First, the NSA should work with the vendor to ensure the patch for the vulnerability is maximally effective and minimally visible. If the company draws attention to the patch’s criticality, it may signal to anyone who has independently discovered it that the window of vulnerability is closing – which could draw attacks. Second, NSA should work with the vendor to include detection code in patches. This would help the agency estimate how often vulnerabilities are discovered independently, and perhaps to detect double-dealing by researchers participating in the bug bounty system.
This Article’s solutions for the zero-day problem – the unknown unknowns – differ in character from those for vulnerabilities with existing solutions (the known unknowns) in that they have a greater focus on prevention. Mitigation is still invaluable: disaggregation and heterogeneity are just as helpful for zero-days as for known bugs. However, preventive steps are more important for zero-day exploits. With known vulnerabilities, defenses are possible, though logistically constrained by externalities, information costs, and system complexity. With zero-days, defenses are impossible. Defenders must rely solely on mitigation and recovery. And while prevention tends to be overrated in cybersecurity literature, it remains useful. In particular, even if complete prevention is impossible, defenders may be able to reduce an exploit’s effects – for example, by allowing a server to terminate an affected program, rather than having it cause the server to crash. This is similar to a public health approach: even if one cannot prevent people from contracting a virus, we may be able to make it less lethal. Thus, the three-part agenda above seeks to increase America’s access to information about zero-days, thereby enabling precautions and improving mitigation.