Tuesday, July 16, 2013
Cyber Arms Race leaves Enterprises without a fix
Governments are spending up to half a million US dollars to stock up cyber arsenals with zero day vulnerabilities. Zero day vulnerabilities are not found by specialist firms, but by individual or small groups of security researchers.
Security researchers currently report vulnerabilities to product firms under responsible disclosure norms who fix such flaws before they are published. Product companies do not monetarily incentivize security researchers to report vulnerabilities; instead they offer a mention or appreciation on their web site. Bug bounty programs to motivate third party researchers to find and report bugs have payouts ranging between five to twenty thousand US dollars.
Hawking zero days to governments requires that these flaws are kept alive and not reported to product companies. Such flaws remain discoverable to others, including cyber criminals who use them to target enterprises for financial and ideological gains.
Exorbitant payouts and an opportunity to sell a single zero days to multiple governments will increase the number of security researchers who specialize in this trade. Product companies are forced to be vigilant, and safeguard against employees who deliberately introduce software backdoors, in collusion with grey market operators.