Monday 11 August 2014

CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them


LAS VEGAS — To increase the security of the internet and computers, the government should corner the market on zero-day vulnerabilities and exploits, offering top-dollar to force out all other buyers. At least, that’s what Dan Geer thinks, and his opinion matters. Geer is chief information security officer at the CIA’s venture capital arm In-Q-Tel, which invests in technologies that help the intelligence community.
Geer, an icon in the world of computer security, delivered his controversial stance during a keynote at the Black Hat security conference in Las Vegas today. His talk, entitled “Cybersecurity as Realpolitik,” was provocative throughout, including advocating that software companies make their unsupported products open source to keep them secure. He even quoted the Code of Hammurabi (circa 1700 B.C.) while suggesting that product liability be applied to source code. “If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death,” he said. While the death penalty may be a little severe for software makers who fail to adequately secure their products, criminal and civil liability isn’t, he suggests.
Dan Geer. Mark Bristow via The Open Web Application Security Project
But the highlight of Geer’s talk was definitely his suggestion that the U.S. government own the zero-day market. Zero-day vulnerabilities are security holes in software that are as yet unknown to software makers or to antivirus firms. They’re unpatched and unprotected, leaving them open to exploitation by spy agencies, criminal hackers, and others. Once the government purchases zero-days, he said, it should burn them by disclosing them. Showing all of these zero-days to the software makers so that they can be fixed would produce a dual benefit: Not only would it improve security, but it would burn our enemies’ stockpiles of exploits and vulnerabilities, making the U.S. far less susceptible to cyberattacks. He said that paying big for zero-days would improve security because it would allow hunting for vulnerabilities to be profitable without being destructive. “Once vulnerability finding became a job and not a hobby, those finding vulnerabilities stopped sharing,” he said. “When bug hunters find bugs just for fun and fame, they share the information immediately because they don’t want someone else to find it and take credit for it.” But those doing it for profit don’t share and don’t care. He proposes that the U.S. government openly corner the world market on vulnerabilities. Under such a program, the government would say, “show us a competing bid, and we’ll give you 10 times.”
These comments are not likely to win Geer friends at the NSA or CIA; both agencies rely on the U.S. government’s own massive stockpile of secret zero-days to exploit and attack the systems of enemies and surveillance targets. That shouldn’t bother Geer, who is used to making his bosses angry. In 2003, he co-authored a provocative and groundbreaking paper titled “CyberInsecurity: The Cost of Monopoly,” which argued that the dominance and ubiquity of Microsoft’s operating systems was a threat to national security. He was subsequently fired by his employer @Stake over the paper. His firm was a supplier to Microsoft.
Geer acknowledges that there will be some who refuse to sell to the U.S. government on principle, no matter the price. But under his plan, anyone who refuses to sell to the U.S. has to live with the reality that the vulnerability will likely be discovered by someone else who will be willing. This plan should encourage the holdouts to eventually become vendors to the U.S. as well.
And when that happens, the U.S. can drastically lower the impact of international cyberwarfare. “We don’t need intelligence on what weapons our adversaries have if we have something close to a complete inventory of the world’s vulns and have shared that with all the affected software suppliers.”
