Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.
Yesterday, Kim Zetter of Wired published an interview with Michael Daniel, special assistant to the president and cybersecurity coordinator, in which Daniel provides more information about the U.S. government’s policy on disclosing zero-day vulnerabilities. Zero-days are security flaws in computer software that are unknown to the software’s developer and the public. Zero-days are particularly dangerous, as threat actors can exploit these vulnerabilities without anyone else knowing they exist, giving the developer "zero days" to patch the flaw. This has led to fears that certain countries are stockpiling zero-days to use on their adversaries, not only leaving their adversaries vulnerable but everyone else as well.
While Daniel’s comments were probably directed at a domestic audience, they could also be used to reduce tensions among certain cyber powers, such as the United States, Russia, and China. Policymakers have begun promoting confidence-building measures (CBMs) for cyberspace as a way to reduce misperceptions and ultimately avoid an armed conflict triggered by a cyber event. The United States used CBMs extensively with the Soviet Union during the Cold War to avoid a nuclear crisis, and the same principle is being applied to cyberspace. In 2013, for example, the United States and Russia agreed to three cyber-related CBMs, a United Nations group of government experts endorsed CBMs for cyberspace, and the Organization for Security and Cooperation in Europe adopted a set of multilateral cyber CBMs. The Atlantic Council and the Swedish National Defence College also recently published a primer on CBMs for cyberspace.
Having countries publicize their policies on zero-day disclosure could act as a CBM. As countries exchange their respective policies, they can clarify their approach and potentially dispel notions of ill intent, such as stockpiling. With the right amount of outreach and repackaging, the United States could promote its policy on zero-day disclosure as a CBM and prod other countries to do the same.