Zero Days, One Obligation: Cyberspace Computer Software Vulnerability Disclosure Policy by the U.S. Government, Cyberethics and the Roles of Morality, Utilitarianism, Strategic and National Interests

This informative report from March 2019 has been professionally converted for accurate flowing-text e-book format reproduction. This study set out to apply the moral principle of utilitarianism to the policy problem associated with zero-day vulnerabilities. These vulnerabilities can be understood as errors in coding that are potentially exploitable and unknown to either the creators or users of the software. If attack vectors related to zero-day vulnerabilities are completely dependent upon correctable coding errors, what should policy require when the U.S. government detects a zero-day vulnerability? Should it be disclosed publicly so it can be patched or restrict knowledge of it so it can be weaponized? This study applied revisionist John Stuart Mill's unique and nuanced description of utilitarianism to the Vulnerabilities and Equities Policy and Process (VEP) to evaluate what aspects of the policy fulfilled Mill's moral code and what areas could be improved. The improvement recommendation is made on strictly moral terms. This study acknowledges while moral policy has undeniable benefits, there are times where the moral can come at the expense of the strategic, and national interests can be compromised. Ultimately, much like the VEP, this study recommends balance.

This compilation includes a reproduction of the 2019 Worldwide Threat Assessment of the U.S. Intelligence Community.

There is a debate surrounding zero-day vulnerabilities and the exploits associated with them. A variety of attack vectors exist in cyberspace: spearfishing exploits human gullibility through email, brute force techniques like Distributed Denial of Service (DDoS) can overwhelm servers, and some less technical approaches simply take advantage of predictable or lackadaisical security practices. The attack vector, ominously referred to as a zero-day weapon, is something different. Zero-days weapons are not inherently violent, rather they represent the exploitation of an error in a program's coding. The error in coding is the vulnerability. Research scientists at RAND in their The Defender's Dilemma defined zero-days as, "those vulnerabilities for which no patch or fix has been publicly released" An attack utilizing a zero-day weapon exploits the coding vulnerability. If a patch does not exist, no protection is available, and the zero-day weapon effectively becomes a cyber-silver bullet.

If a nation has numerous zero-day weapons in its arsenal, it also essentially has a long list of exploitable vulnerabilities. After all, the nation would not choose to weaponize the vulnerability if it could not produce a worthwhile effect, an effect that although advantageous for the user, is detrimental and dangerous for the victim. The problem is that nothing stops other nations from detecting and weaponizing the same vulnerability, which means one's own nation may also be the potential victim. Instead of exploiting and weaponizing the vulnerability, the nation could opt to notify the software manufacturer and recommend they patch the vulnerability. The threat would then be eliminated, but so would any usefulness from the zero-day.