Rants of a deranged squirrel.

Almost Zero Value in “Zero Progress on Zero-Days”; a Rebuttal

The following blog is general comments and a rebuttal of sorts to the following paper:

“Zero Progress on Zero-Days: How the Last Ten Years Created the Modern Spyware Market” by Mailyn Fidler, Assistant Professor, University of New Hampshire, Franklin Pierce School of Law

Unfortunately, I can’t easily cut and paste from this PDF, which is highly annoying, especially the URLs from the footnotes. Due to a backlog of blogs I intend to write, I am not going to transcribe large amounts of text if I can help it; rather, I will quote small bits and reference pages (which begin at 713) and paragraphs. Any typos in quotes are mine, not the original author’s.


In the first paragraph of the introduction, while defining a zero day (which I just blogged about as being problematic), Fidler defines it as “flaws [..] that are unknown to the maker of that code and the general public; they are known only to the discoverer and whomever they choose to tell”. As I previously blogged, this definition means that every single vulnerability is a zero day at some point. More importantly, Fidler goes on to say that these flaws “can be used to build software that enables digital surveillance campaigns [..] making them desirable to governments and private actors alike [..]”. Unfortunately, it is critical to qualify this statement, as “some” vulnerabilities are like that. Many simply are not.

The second paragraph begins with “Like components of traditional weapons, attempting to restrict access to or otherwise regulate the use of zero-days might make sense.” I think any attempt to conflate traditional weapons and zero-days, in this context, does not work at all. Further, compare traditional weapons in the United States. Serious attempts have been made in some states to regulate them, with poor results. For zero-days that would be even more pointless. While I could purchase a gun in one state, travel to another state with more restrictions, and use it there, I cannot realistically take that gun to any country in the world and use it. Yet I can use a zero-day against any Internet-facing device in the world without restriction.

Fidler’s third paragraph refers to a 2015 paper she wrote and summarizes her conclusions for regulation of zero-days both domestically and internationally. Based on the abbreviated conclusion, I believe they are not well thought out and have no real merit outside of academia. The first paragraph of page 716 talks about “unilateral and smaller-scale multilateral export controls, particularly to restrict commercial sales of the broader category of ‘spyware’ software, which may be built on zero-days, to certain actors.” Again, I don’t understand why anyone thinks this would have any material effect on the problem. Individuals who write such zero-day exploits with the intent to sell them will not abide by any form of export controls. Most nation state actors write them for their own use and do not sell them either.

The last paragraph of the introduction includes Fidler’s arguments for “leaning into unilateral export controls and broader, non-export control sanctions that restrict or punish those providing a wide range of goods or services to an end ‘bad actor’. This approach differs from the export control and sanctions approaches favored towards zero-days and spyware up to this point, which has usually focused on restricting the export of certain technologies rather than on stymying particular bad actors.” One simple explanation for this lies in the difficulty of attribution of said bad actors, then locating them, and finally gaining the ability to arrest them, often through international cooperation. While we occasionally see relatively large-scale cooperative efforts to do this succeed, they are a drop in the bucket when looking at the broader threat actor landscape. Short of an extremely significant change in law enforcement budget and scope, Fidler’s argument is already a non sequitur.

On page 719, speaking to Stuxnet and Pegasus as major zero-day events, Fidler says “The ‘elite’ nature of zero-day exploits was due in part to the fact that governments were one of the few – although not only – entities with the personnel skilled enough to identify and exploit such vulnerabilities or the funds to acquire them”, citing a WaPo article by Craig Timberg. This statement is incorrect in several ways. Per Fidler’s definition of a zero-day, every single vulnerability starts out as one, meaning tens of thousands or more people have the skills. If she specifically meant zero-days similar to those in Stuxnet and Pegasus, it reduces that number greatly, but still means thousands of non-government people are skilled enough.

The next paragraph on page 719 basically summarizes several conclusions from a RAND paper titled “Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits”. The conclusions put forth in that paper have been challenged by several in the industry, including myself. It always surprises me when people, especially academics, can find and cite that paper but magically not find anyone challenging the findings, or find the work of other scholars that would help them get a more nuanced grasp of the broader ecosystem.

On page 723, speaking on the topic of bug bounties, the first paragraph outlines several reasons why bug bounties are not a be-all, end-all solution, and I largely agree with the summary. However, Fidler does not point out that bug bounties do not speak to the issue of researcher collision, which was already prevalent in the late 1990s and early 2000s. To this day it is common to see vulnerabilities disclosed by Microsoft or Apple credit more than one researcher, and not because the researchers worked together.

Continuing on page 723, the second paragraph starts out with an “observation” that Fidler attributes to Katie Moussouris, but I suspect something may have been lost in translation. “Bug bounties also have – very generally speaking – diverted lower-skilled bug hunters away from the broader market, while high-end hackers still find more lucrative opportunities with high-end clients.” To me this does not make sense, as the low-skilled bug hunters were never going to be able to engage and sell to high-end clients in the first place. So the bounties didn’t divert them per se; they just gave them a way to sell lower-value bugs directly to vendors or bounty platforms.

While I understand Fidler is not a security practitioner, and I am not a lawyer or professor, the continuing paragraph at the top of page 724 gives me pause. The notion of introducing liability for software defects is cited below as being “developed in conversation” with Peter Swire and Bryan Choi. I am honestly a bit shocked this would be the first time a law professor ran across this idea, unless that conversation happened decades ago. To me, it is a simple concept, and a quick Google finds plenty of prior art, including this paper from 1993. Fortunately, Fidler did find my friend Andrea Matwyshyn’s paper on the topic, cited as #56 (and might benefit from also reading her recent Lawfare post on point).

At this point, I will end with a final set of comments in response to the first paragraph of section D, titled “Regulatory Overview”.

Broadly speaking, two avenues to regulate either zero-days or associated software exist: regulating the market or regulating use. Each avenue can exist at the domestic or international level. Regulating the market can involve either seller-side or buyer-side regulations. [..] Regulating use of zero-days and spyware involves placing restrictions on whether or how zero-days can be used; this kind of regulation also can encompass government actors as well.

Broadly speaking, there is a hypothetical legal argument to be made, at best. Quite simply, threat actors and criminals are .. just that. They break laws, and any laws around acquiring or selling exploits will also be broken by them. Further, you can propose “international level” regulation, but that is only done by countries that opt in. And the United States has historically not always been great about opting into international agreements. Worse, the last statement is just naive, as any such regulations would be exempt for some government agencies. If the start of a premise for “solving” zero-days in any capacity is entirely flawed, then we’re going to enjoy ten more years of no progress.
