Alex Grigsby is the assistant director of the Digital and Cyberspace Policy Program and Lorand Laskai is a research associate in the Asia Program at the Council on Foreign Relations. You can follow Lorand @lorandlaskai.
For those new to Net Politics, our report-watch series of posts distills the most relevant digital and cyber scholarship to bring you the highlights. In this edition: zero-days, the offense-defense balance in cyberspace, and norms.
“Zero Days, Thousands of Nights: The Life of Zero-Day Vulnerabilities and Their Exploits” by Lilian Ablon and Andy Bogart
Ablon and Bogart obtained a dataset of over 200 zero-days--vulnerabilities that a vendor does not know exist--and their exploits spanning fourteen years (2002-2016). The source of the dataset is a vulnerability research group whose name the authors do not reveal, referring to it as BUSBY throughout the report. Using the dataset, they set out to answer the following questions:
- What is the shelf-life of a zero-day, and do certain zero-days have characteristics that lengthen their shelf-life?
- How often are zero-days independently discovered by two separate entities (the collision rate)?
- What are the factors that influence the cost of a zero-day?
- What factors should policymakers use to decide whether stockpiling zero-days is a good idea?
Ablon and Bogart find that, among other things:
- Zero-days have an average life expectancy of 6.9 years after initial discovery; 25 percent survive longer than 9.5 years and 25 percent die in less than eighteen months;
- The collision rate for zero-days is 5.7 percent, suggesting that the probability that two organizations will find the same zero-day is fairly low; and
- It takes on average twenty-two days for an exploit to be found for a zero-day.
For policymakers, this data provides fuel to the debate over whether cyberspace is offense or defense dominant. The long shelf-life and low collision rate suggest offense dominance. Furthermore, the low collision rate also suggests that a government stockpile of vulnerabilities could be a viable policy option, contrary to those who argue that the United States should disclose the majority of the zero-days it discovers or purchases.
In the Winter/Spring edition of International Security, Rebecca Slayton takes an in-depth look at offense-defense theory as applied to cyberspace. Conventional wisdom holds that cyberspace favors the offense: attackers only need to exploit a limited number of vulnerabilities to break into a network, whereas defenders need to fix all of them, placing them at a disadvantage.
Slayton bucks this wisdom and argues that offense in cyberspace is not as easy as it looks. In fact, the cost of offense is often much higher than that of defense, especially insofar as sophisticated cyber operations that inflict some physical outcome are concerned. Slayton corroborates her point by shifting the focus away from the technology that underpins cyber operations to the organizational costs of undertaking sophisticated cyber operations. Additionally, she points out that cyberweapons are not like tanks--they cannot be reused if a vulnerability has been fixed--creating a need to continuously invest in new cyberweapons.
On the other hand, defenders have complete control over the networks they defend. These networks, Slayton explains, are based on social organizations: they can be easily hacked if software is out-of-date or the owner underinvests in network defense, but they can also minimize and control vulnerabilities if defended with good cybersecurity practices. This counters the conventional wisdom of cyberspace as an offense-dominant environment. Slayton argues that pulling off a complex cyber operation that produces a physical-world outcome (e.g., shutting down an electric grid, overloading a chemical plant, etc.) requires penetrating layers of security-perimeter devices before remotely activating a cyberweapon at a strategic moment. This is not only difficult and expensive, but requires physical-world intelligence about how the target system works.
In essence, she argues that the relative utility of offensive measures is outweighed by the relative gains from common and routine defensive measures. All of this should dissuade policymakers from the notion that sophisticated cyberattacks can be conducted by “a couple dozen talented programmers wearing flip-flops and drinking Red Bull.”
“Toward a Global Norm Against Manipulating the Integrity of Financial Data” by Tim Maurer, Ariel (Eli) Levite, and George Perkovich
In 2011, the United States, the United Kingdom, and a few like-minded countries launched a global effort to promote a series of norms to guide state activity in cyberspace. Over the course of six years, they have largely been successful in obtaining consensus at the United Nations, the G7, and elsewhere that, among other things, international law applies to state activity in cyberspace and that states "should not conduct or knowingly support ICT activity that intentionally damages critical infrastructure."
Maurer et al. argue that states should seek agreement on an additional norm specifically to protect the financial system. They note that the manipulation of financial data, either by states or by criminals, could pose a systemic risk to the international financial system far worse than the 2007-08 banking crisis. And although states have demonstrated significant restraint against manipulating financial data, Maurer et al. argue that the G20 or similar group should explicitly formalize the norm to make it clear that challenging the integrity of financial data crosses a red line.
According to the authors, there is precedent for states to declare the manipulation of financial data off limits. A 1929 treaty bans states from counterfeiting each other's currency, and violations of this treaty have been relatively rare. Additionally, all states have an interest in not letting another state tamper with the integrity of their financial institutions' data--the United States has explicitly warned of the threat in successive assessments to Congress, and Russia's draft information security treaty includes language that bars states from manipulating financial system data.
A norm prohibiting cyber operations against the integrity of financial data could gather steam among the policy set, but it has already drawn detractors among those with experience in offensive cyber operations.