The U.S. government faces a dilemma regarding zero-day vulnerabilities: it can either stockpile or disclose them. In a new article, Marcelo M. Leal and Paul Musgrave show that Americans overwhelmingly support the disclosure of information about zero-day vulnerabilities to vendors.
In 2017, the WannaCry and NotPetya malware exploited a vulnerability in the Windows operating system, causing widespread havoc. Ironically, the U.S. National Security Agency (NSA) had been aware of this vulnerability for about five years. Instead of disclosing the vulnerability to Microsoft, however, NSA held on to the knowledge—until the vulnerability was leaked in public forums.
This case illustrates a dilemma that the United States government faces when it discovers zero-day vulnerabilities. Zero-day vulnerabilites are software and hardware flaws that are unknown to computer vendors. As a result, they are enormously valuable to attackers since there is no defense against them. Intelligence agencies such as the NSA and CIA—as well as other governments and even some private firms—work hard to develop such zero-day exploits because of the advantages they afford the attackers.
Once a vulnerability is discovered, an agency can either disclose information about it to vendors so that it can be patched or withhold it so that it can add the vulnerability to its stockpile of cyber weapons. By withholding information, U.S. national security agencies can exploit zero days to penetrate the computer systems of its adversaries—yet doing so also leaves U.S. and allied entities vulnerable should an adversary independently discover these flaws and use them against the United States. By disclosing information to vendors, the U.S. government allows vendors to fix the vulnerability and secure their systems in a timely manner—but it also denies the use of such attack vectors against adversaries by U.S. national security agencies.
Debates about how and where to draw the line between disclosure and stockpiling are a staple of cyber policy discourse. This is less of a dilemma for the U.S. public. Results from a survey experiment we conducted in late 2021 show that it’s likely that respondents are squarely in favor of disclosing information to vendors, even when informed that withholding this information could save many Americans lives in a future conflict. Our results also demonstrate that the likelier it is that an adversary could use a given zero day, the more Americans favor disclosing the vulnerability to a vendor.
The Vulnerabilities Equities Process
Since 2010, the U.S. government has a policy in place to address this dilemma. The vulnerabilities equities process, or VEP, guides executive branch officials in their decision to disclose or to retain publicly unknown vulnerabilities. Official documents released to the public in recent years show that officials are believed to take several factors into consideration when they discover a zero-day vulnerability, like the consequences of an adversary exploitation and how quickly an exploit could be patched. Nonetheless, analysts have singled out two factors that are critical for decisionmakers: how long a vendor will remain unaware about the flaw (longevity of a zero day) and the likelihood that an adversary will independently discover it (its collision rate).
Those who think that vulnerabilities need to be patched to protect American interests from adversaries think the VEP is too weak. Those who think that a strong cyber offense is more important think that it is (or could become) too strong. Understanding how this debate will resolve requires researching many topics, such as the influence of different agencies and interest groups, but it also requires investigating public opinion. Even though cybersecurity is a technical field, and even though zero-day vulnerabilities are among the U.S. government’s most prized secrets, the public’s views on the issue could shape how politicians and officials craft policy—particularly if there’s another major incident involving zero-day flaws known to the U.S. government.
To explore how the American public thinks, we conducted a survey experiment testing whether different levels of longevity and collision rates influence respondents support for disclosing or withholding zero-day vulnerabilities. Respondents read a scenario that pitted retaining a vulnerability for use in a potential attack against Iran (saving many American servicemembers’ lives) against the possibility that it could be independently discovered by an adversary and used against the United States. We manipulated this collision rate to specify that there could be a high, low, or medium chance that an adversary could acquire the zero day. Separately, we also manipulated whether the vulnerability would be likely to exist for a few months, a year, or several years.
The results were unequivocal. We found that the longevity of a vulnerability does not make respondents more or less likely to support disclosure. On the other hand, collision rates do influence respondents’ evaluations. As the likelihood that an adversary could independently discover a vulnerability goes up, support for informing the vendor about the vulnerability also increases.
There may be a substantial disconnect between the preferences of the public and those of the U.S. government regarding zero-day disclosure policy. Even though U.S. officials hint that disclosure is the default option in the vulnerabilities equities process, recent studies show that this might not be true in practice. Some research also suggests that the interests of the intelligence and law enforcement agencies are more represented in the VEP than those of the public and technology firms, suggesting a bias toward stockpiling zero days.
This public-government disconnect could lead to policy changes. Previous leaks showing that U.S. intelligence agencies failed to disclose zero-day vulnerabilities to vendors have already led the federal government to disclose information about the vulnerabilities equities process several times. Congress has also reacted to these cases. In recent years, lawmakers have introduced two bills that aimed to codify the VEP and could make disclosure the default option by law. None, however, advanced in their legislature. Given our findings, it is possible that agency policies may be subject to correction should policy windows open for a long enough period.
Marcelo M. Leal and Paul Musgrave are the authors of “Backwards from zero: How the U.S. public evaluates the use of zero-day vulnerabilities in cybersecurity”, Contemporary Security Policy, which is available here.