Earlier this week, I heard an awesome speech at Columbus BSides about the economics of Exploit Kits and E-Crime. As a follow-up, I thought it would be worthwhile to ask my fellow MSI co-workers if they felt there was a way to devalue 0day vulnerabilities.
Jim Klun responded with…
I don’t think you can ever really – given how Internet/computer usage has been universally adopted for all human activity – devalue the worth of a 0-day. The only thing I can imagine is making the chance of a 0-day being discovered in an area of computing that really matters as small as possible. So that means forcing – through law – all sensitive infrastructure (public or private) and comm channels to subscribe to tight controls on what can be used and how things can work. With ongoing inspection and fines/jail time for slackers. Really.. don’t maintain your part of the Wall properly, let the Mongols in and get some villages sacked, and its your head.
I would have techs who are allowed to touch such infrastructure (or develop for it) uniformly trained and licensed at the federal level. Formal process would exist for them doing doing 0-day research and reporting. Outsiders can do same…. but if they announce without chance for defensive response, jail. And for all those who do play the game properly and find 0-days within the reduced space of critical infrastructure/software – money and honor.
Brent Huston added his view…
Thats a tough question. Because you are asking to both devalue something, yet make it valuable for a different party. This is called market transference.
So for example, we need to somehow change the “incentive” to a “currency” that is non-redeemable by bad guys. The problem with that is – no matter how you transfer the currency mechanism, it is likely that it simply creates a different variant of the underground market.
For example, let’s say we make 0-days for good guys redeemable for a tax credit, so they can turn them into the IRS and get a tax credit in $ for the work… Seems pretty sound…Bad guys can’t redeem the tax credits without giving up anonymity. However – it reenforces the underground market and turns potential good guys into buyers.
Plus, 0days still have intrinsic value – IE other bad guys will still buy them for crime as long as the output of that crime has a value. Thus, you actually might increase the number of people working on 0day research. This is a great example of where market transference might well raise the value of 0days on the underground market (more bidders) and the population attackers looking for them (to sell or leverage for crime).
Lisa Wallace also provided her prospective…
Create financial incentives for the corporations to catch them before release. You get X if your product has no discovered 0-days in Y time.
Last but not least, Adam Hostetler weighed in when asked if incentives for the good guys would help devalue 0days…
That’s the current plan of a lot of big corporations, at least in web apps. I don’t think that really devalues them though. I don’t see any reasonable way to control that without strict control of network traffic, eavesdropping etc, or “setting the information free”.