Wayland Debate 2015-2016 Zero Days Affirmative

1AC

Inherency

Obama announced that the US would disclose zero-day vulnerabilities, or unknown software flaws, to their vendors --- but loopholes allow the NSA to stockpile zero-days and jeopardize widespread cybersecurity

Soghoian and Roubini 2015 (Chris Soghoian, Principal Technologist and Senior Policy Analyst, American Civil Liberties Union Speech, Privacy, and Technology Project & Sonia Roubini, ACLU Speech, Privacy, and Technology Project, “Feds Refuse to Release Documents on “Zero-Day” Security Exploits”, March 3, 2015, https://www.aclu.org/blog/feds-refuse-release-documents-zero-day-securityexploits)//CLi

Federal agencies served with a Freedom of Information Act request are refusing to release documents related to their purchase, use and disclosure of zero-day exploits, keeping the American public in the dark about a practice that leaves the Internet and its users less secure. Zero-day exploits are special software programs that take advantage of security vulnerabilities in software that are unknown to the software’s manufacturer. These exploits are frequently used by intelligence agencies and the military as well as, we suspect, by federal law enforcement agencies. But they can be used by any hackers, whether they work for the U.S. government, a foreign government, a criminal group, or anyone else. Zero-day vulnerabilities and the tools that exploit them are extremely powerful, because there is very little that potential targets can do to protect themselves. But the effectiveness of such exploits depends on their secrecy—if the companies that make the affected software are told about the flaws, they will issue software updates to fix them. Governments thus have a strong incentive to keep information about the exploits they have developed or purchased secret from both the public and the companies who create the software we all use.
On February 5, we received a response from the Office of the Director of National Intelligence (ODNI) to a Freedom of Information Act request we filed for the disclosure of guidance or directives related to the government’s policies for the purchase, discovery, disclosure and exploitation of zero-days. The ODNI claimed that these records are classified under Executive Order 13526, Section 1.4(c), which states that information can be considered for classification if its disclosure could reasonably be expected to cause damage to national security issues pertaining to “intelligence activities (including covert action), intelligence sources or methods, or cryptology.” This response is consistent with the Obama administration’s refusal to make public most information related to its surveillance and cybersecurity policies. The formal United States policy regarding federal agencies’ disclosure of zero-day exploits, published in April 2014, states that federal agencies should reveal any major flaws in Internet security to companies in order to ensure that they are promptly resolved. However, this policy also carves out a broad exception for flaws that are being exploited for national security or law enforcement purposes—a loophole that effectively ensures that the government can and will continue to quietly exploit zero-days without warning companies or individuals of their existence. It is also unclear whether this policy only applies to zero days that government employees discover, or whether it also applies to vulnerabilities and exploits purchased from defense contractors, boutique security firms and exploit brokers. While zero-day exploits are no doubt useful to U.S. law enforcement and intelligence agencies, their use raises serious public policy concerns. Zero-days are also regularly used by foreign, hostile governments, criminals and hackers engaging in cyberattacks.
That means our government’s choice to purchase, stockpile and use zero-day exploits instead of promptly notifying manufacturers is effectively a choice to leave both the Internet and its users less secure. This policy of prioritizing cyber offense over defense is highly problematic, particularly given Congress and the White House’s recent focus on cybersecurity. On February 2, Obama pledged $14 billion towards improving cybersecurity defenses, and proposed new legislation intended to help prevent cyberattacks, some form of which is expected to pass through Congress this legislative session. If, as we are told, cybersecurity is such a top priority for the government, federal agencies should be doing everything in their power to ensure that vulnerabilities are fixed as soon as they are discovered, not months or years later after they have been fully exploited by law enforcement and intelligence agencies. At a time when cybersecurity legislation that would weaken existing privacy laws is being pushed through Congress, the American public deserves to know more about the government’s policies regarding the purchase, use and disclosure of zero days. There is an important public debate that must be had about the government’s role in cybersecurity, but without documents like the ones we have requested, this debate cannot take place.

Additionally, loopholes let the NSA stockpile zero-days purchased from the grey market

Zetter 14 [Kim, award-winning journalist who covers cybercrime, civil liberties, privacy, and security for Wired, “Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA,” Wired, http://www.wired.com/2014/04/obama-zero-day/] //khirn

Healey notes that the public statements on the new policy leave a lot of questions unanswered and raise the possibility that the government has additional loopholes that go beyond the national security exception.
The statement by the Office of the Director of National Intelligence about the new bias toward disclosure, for example, specifically refers to vulnerabilities discovered by federal agencies, but doesn’t mention vulnerabilities discovered and sold to the government by contractors, zero-day brokers or individual researchers, some of whom may insist in their sale agreements that the vulnerability not be disclosed. If purchased zero-day vulnerabilities don’t have to be disclosed, this potentially leaves a loophole for the secret use of these vulnerabilities and also raises the possibility that the government may decide to get out of the business of finding zero days, preferring to purchase them instead. “It would be a natural bureaucratic response for the NSA to say ‘why should we spend our money discovering vulnerabilities anymore if we’re going to have to disclose them?'” Healey says. “You can imagine a natural reaction would be for them to stop spending money on finding vulnerabilities and use that money to buy them off the grey-market where they don’t have to worry about that bias.” The government’s new statement about zero days also doesn’t address whether it applies only to vulnerabilities discovered in the future or to the arsenal of zero-day vulnerabilities the government already possesses.

Plan

The United States federal government should substantially curtail its domestic surveillance of computer software vulnerabilities or exploits unknown to relevant vendors.
IP Theft Advantage

Advantage: IP theft

Intellectual property theft is expanding on a massive scale --- disclosing zero-days builds trust with companies --- info-sharing legislation is key

Jaffer 15 [Jamil N., Adjunct Professor of Law and Director, Security Law Program, George Mason University Law School, Occasional Papers Series, published by the Dean Rusk Center for International Law and Policy, 4-1-2015, “Cybersecurity and National Defense: Building a Public-Private Partnership,” http://digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article=1008&context=rusk_oc] //khirn

JAMIL N. JAFFER: Thank you Dr. Johnson. Well, I’ll actually pick up right where Quentin left off, and I think this is the important thing to talk about when you’re talking about the national security threat that faces our nation in cyberspace. And that is a sort of notion of a Pearl Harbor-style attack and these day-to-day cybersecurity risks that our nation, both the government and the private sector, faces. And a lot of people spend a lot of time talking about the Pearl Harbor scenario — what happens when the power grid goes down, what happens when the banking system goes down. As Quentin points out, that’s a possibility, but it’s one that we focus on to our detriment. And it’s one that we have to account for, one we have to prepare for and be ready to deal with. But there’s a larger problem going on day-to-day, a nation-state-driven problem that is much more present and much more threatening to our economic viability. And that is the constant day-in and day-out, walking out the back door of every major U.S. company of core intellectual property. And so, we know today . . . it has now been sort of publicly discussed: the very fact that there are major nation-states, including China, that are targeting not only the U.S. government.
That’s sort of standard that we expect that we, like a nation-state, go to collect intelligence from our opponents around the world, and they collect intelligence on us. That’s an understood sort of concept, whether it’s surveillance . . . putting aside all the controversy that Edward Snowden has created with his disclosures, other nation-states know that we collect intelligence on them, and they collect intelligence on us — that’s just part of the game. What’s different today though in cyberspace is the fact that at least one nation that’s been publicly discussed and others that haven’t been — China in the case of the one that has been publicly discussed — is not only targeting the government for collection, but it is, at a corporate national level, targeting American private sector corporations, stealing our core intellectual property — the very thing that drives the American economy and makes us the most innovative, most diverse, most successful economy in the world today — and taking it and transferring it to Chinese corporations in the private sector, both the public and private space. In China that distinction is blended, where the government provides a tremendous amount of support to their industry, both in the form of stolen IP and in the form of low-interest or no-interest loans to help them fund these efforts. And so, what we see is a very odd situation where a nation-state is engaged in an effort to take private sector intellectual property, convert it to both public and private use there, thereby undermining our ability to compete in the global marketplace. And what makes it a particularly hard challenge is: What is the U.S. government going to do about it? How does the U.S. government respond to that threat? For years we knew this was a fact and had a hard time to even talk about it publicly because the way we knew was through intelligence accesses and the like. 
Dare I say, by the way, that all of my remarks are my own thoughts and not those of my current or former bosses, so I don’t get any of them in any trouble, and I don’t get myself fired. But we’ve known this for a long time. We’ve known about this threat that both China and other nation-states pose to the U.S. private sector as well as the U.S. government, but it’s been hard for us to talk about it. And we’ve finally now realized 1) the threat is such that we need to talk about it and 2) the government can’t do the protection of the private sector itself. The vast majority of the Internet and the connected networks out there are owned and operated by the private sector. The U.S. government simply has no insight into those networks. No matter what you hear about the U.S. government’s capabilities in signals intelligence and in cyberspace, the reality is that we can’t, nor do we want to be, nor do our laws permit us to, be on every network at all times to know what’s going on. It’s not something that the American people want. It’s not something the government wants to do, nor is it something we have the capability to do. Hence, the question becomes: How can the government work with the private sector to enable the private sector to better defend itself? And how do private sector companies work with each other internally to defend themselves from this very threat? A lot of people think that one of the best ways to achieve that goal is to have the government intervene in the market and say, “Look — the private sector is not doing what it needs to do to protect itself. We need to tell them how to do it, right? Here are some regulations. Here are some laws.
Here’s how you need to accommodate yourself to this new reality of nation-states threatening you and your core intellectual property and your systems, either to avoid a Pearl Harbor-style attack or to avoid this walking out the back door of your intellectual property.” That, I think, is the discussion that was had over the last couple of years, and it has faded into the background in large part because industry has shown a huge resistance to having government-imposed regulations and laws and for good reason. Industry and the U.S. private sector are very innovative and oftentimes the government regulation in places where there is not a market failure can stifle innovation rather than embolden it. The question becomes: How do you determine whether there’s a market failure here, or not, in this industry? There can be no doubt that industry could, and perhaps should, be better protected against cyber threats, particularly in the nation-state space. But the question is: Why is it not? And I would posit that the reason that industry is not as well positioned today to defend itself is because industry fundamentally doesn’t understand the threat it faces. It’s only recently, in the last year or two, that we’ve begun, as a government, talking about the very real threat that industry faces from nation-states which have very high-end capabilities and both the capability and the desire to go into these companies. So, it’s only recently that companies have begun coming around to the realization that the IP is walking out the back door, and there is potential for a Pearl Harbor or lesser attack on their networks. And even today I think everyone would admit — whether you’re in industry or the government — that the government doesn’t tell industry enough about what it knows. So, the government knows a lot about the zero-days that might come up against them. They know a lot about what the threat looks like. 
And they have a very hard time talking about it to companies, either at an unclassified or even at a highly-classified level. It’s only when things get to a really hot boil that the government will be willing to part with its deepest, darkest sort of most sensitive intelligence collection and even then it will only tell industries absolutely what they need to know in order to deal with that immediate threat. And that’s something that fundamentally has to change. And I think the government’s on its way there. I think that General [Keith B.] Alexander has made changes while he was at NSA, and I’m hoping that Admiral [Michael] Rogers will continue those changes, too, to think through how best to work with industry. But it’s not simply government working with industry, because it will be a great thing if we can get to a place where we can pass some sort of information-sharing legislation that allows the government to share with industry what it knows is a threat. But the reality is that today — without the government having a sense for what industry is seeing on the 98 percent, or 95 or 96 percent, of networks that it owns and operates — it’s hard for the government to know where to focus its collection activities. For instance, today we know about the Chinese cyber actors coming up against our networks. So, it’s easy for us to target that person and try to go after his system and figure out what he or she is doing. We know for a fact that sitting right next to that person, very likely, is another hacker — government-funded — going after the U.S. private sector, but we don’t see that person, because we’re not on the private sector networks looking for that.
Until industry has the ability and the desire and the willingness to share with the government what they’re seeing, it’s hard for the government to turn around and say, “We’re going to go try to target that person to see if we can figure out what they’re doing, too, in order to provide back to industry the best capabilities the U.S. government has at its disposal.” And so, that’s one thing . . . it’s sort of freeing up that information sharing gap between public and private and creating that trust between the government and private sector to share that kind of information.

IP theft destroys military operations --- the impact is primacy

Warikoo 13 professor of Himalayan and Central Asian Studies at the University of Colorado (Arun, “CYBER WARFARE: CHINA'S ROLE AND CHALLENGE TO THE UNITED STATES” p. 67-8, Jul-Dec 2013, ProQuest) | js

4.1 Intellectual Property (IP) Protection and Enforcement

Intellectual Property or IP is a significant driver of the American economy. The President's 2006 Economic Report to the Congress states that 70% of the value of publicly traded corporations is Intellectual Property.22 Industries based on IP accounted for 34.8 percent of U.S. gross domestic product (GDP) in 2010.23 Theft of IP has a huge impact on the economy. IP theft not only means loss of revenue but also has a demoralizing effect on the inventor. Innovation is the heart of the US economy and IP theft has a crippling effect on those start-ups that are involved in innovation. The IP Commission Report estimates that hundreds of billions of dollars are lost per year to IP Theft.24 Gen. Keith Alexander, director of the National Security Agency and commander of US Cyber Command stated in a lecture at the American Enterprise Institute: "The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history. U.S.
companies lose about $250 billion per year through intellectual property theft, with another $114 billion lost due to cyber crime, a number that rises to $338 billion when the costs of down time due to crime are taken into account."25 According to the IP Commission Report, China accounts for roughly 70% of international IP theft.26 The report further states that the Chinese encourage IP theft and that both business and government entities engage in this practice.27 According to the U.S. National Counterintelligence Executive, "Chinese actors are the world's most active and persistent perpetrators of economic espionage" obtaining trade secrets and continuing infringement of trademarks, copyrights, and patents.28 IP is stolen from American universities, national laboratories, private think tanks, and start-up companies, as well as from the major R&D centers of multinational companies.29

4.2 Threat to U.S. National Security

China's cyber espionage against the U.S. government and defense industrial base poses a major threat to U.S. military operations. Larry M. Wortzel in his report before the House of Representatives has said that China's aim is to fill gaps in its own research programs, shorten the R&D timeline for military technologies, gather intelligence on U.S. strategies and plans, and identify vulnerabilities in U.S. systems.30 The Department of Defense's (DOD's) 2013 annual report to the Congress indicates the grave threat posed by the Chinese in collecting intelligence against US industries that support US defense programs.31 In one instance, a news report in 2011 revealed that malware had penetrated networks used to control U.S.
military drones.32 In another report, it is alleged that the Chinese are hacking into US electricity networks and inserting malware that could be activated later to shut down the electric grid.33 Richard Clarke, White House Cyber Security Advisor (October 2001 - March 2003), in an interview on PBS Frontline stated as follows: "We, as a country, have put all of our eggs in one basket. The reason that we're successfully dominating the world economically and militarily is because of systems that we have designed, and rely upon, which are cyberbased. It's our Achilles heel. It's an overused phrase, but it's absolutely true. It could be that, in the future, people will look back on the American empire, the economic empire and the military empire, and say, "They didn't realize that they were building their whole empire on a fragile base. They had changed that base from brick and mortar to bits and bytes, and they never fortified it. Therefore, some enemy some day was able to come around and knock the whole empire over. That's the fear."34

4.3 Threat to US Industry

China's cyber espionage against U.S. commercial firms poses a significant threat to U.S. business interests and competitiveness in key industries. A classic example is that of the American Superconductor Corporation that had its wind-energy software code stolen by a major customer in China, resulting in not only losing that customer but also 90% of its stock value.35 In another instance, a U.S. metallurgical company lost technology to China's hackers that cost $1 billion and 20 years to develop.36

That solves great power conflict

Kagan, 2/19/2015 (Robert, Senior fellow with the Project on International Order and Strategy in the Foreign Policy program at Brookings, Ph.D. in American history from American University, “The United States must resist a return to spheres of interest in the international system”, Brookings, http://www.brookings.edu/blogs/order-from-chaos/posts/2015/02/19-united-states-must-resistreturn-to-spheres-of-interest-international-system-kagan)//JBS

Great power competition has returned. Or rather, it has reminded us that it was always lurking in the background. This is not a minor development in international affairs, but it need not mean the end of the world order as we know it. The real impact of the return of great power competition will depend on how the United States responds to these changes. America needs to recognize its central role in maintaining the present liberal international order and muster the will to use its still formidable power and influence to support that order against its inevitable challengers. Competition in international affairs is natural. Great powers by their very nature seek regional dominance and spheres of influence. They do so in the first instance because influence over others is what defines a great power. They are, as a rule, countries imbued with national pride and imperial ambition. But, living in a Hobbesian world of other great powers, they are also nervous about their security and seek defense-in-depth through the establishment of buffer states on their periphery. Historically, great power wars often begin as arguments over buffer states where spheres of influence intersect—the Balkans before World War I, for instance, where the ambitions of Russia and Austria-Hungary clashed. But today’s great powers are rising in a very different international environment, largely because of the unique role the United States has played since the end of the Second World War. The United States has been not simply a regional power, but rather a regional power in every strategic region. It has served as the maintainer of regional balances in Europe, Asia, and the Middle East.
The result has been that, in marked contrast to past eras, today’s great powers do not face fundamental threats to their physical security. So, for example, Russia objectively has never enjoyed greater security in its history than it has since 1989. In the 20th century, Russia was invaded twice by Germany, and in the aftermath of the second war could plausibly claim to fear another invasion unless adequately protected. (France, after all, had the same fear.) In the 19th century, Russia was invaded by Napoleon, and before that Catherine the Great is supposed to have uttered that quintessentially Russian observation, “I have no way to defend my borders but to extend them.” Today that is not true. Russia faces no threat of invasion from the West. Who would launch such an invasion? Germany, Estonia, Ukraine? If Russia faces threats, they are from the south, in the form of militant Islamists, or from the east, in the form of a billion Chinese standing across the border from an empty Siberia. But for the first time in Russia’s long history, it does not face a strategic threat on its western flank. Much the same can be said of China, which enjoys far greater security than it has at any time in the last three centuries. The American role in East Asia protects it from invasion by its historic adversary, Japan, while none of the other great powers around China’s periphery have the strength or desire now or in the foreseeable future to launch an attack on Chinese territory. Therefore, neither Chinese nor Russians can claim that a sphere of influence is necessary for their defense. They may feel it necessary for their sense of pride. They may feel it is necessary as a way of restoring their wounded honor. They may seek an expanded sphere of influence to fulfill their ambition to become more formidable powers on the international stage.
And they may have concerns that free nations on their periphery may pass the liberal infection onto their own populaces and thus undermine their autocratic power. The question for the United States, and its allies in Asia and Europe, is whether we should tolerate a return to sphere of influence behavior among regional powers that are not seeking security but are in search of status, powers that are acting less out of fear than out of ambition. This question, in the end, is not about idealism, our commitment to a “rules-based” international order, or our principled opposition to territorial aggression. Yes, there are important principles at stake: neighbors shouldn’t invade their neighbors to seize their territory. But before we get to issues of principle, we need to understand how such behavior affects the world in terms of basic stability. On that score, the historical record is very clear. To return to a world of spheres of influence—the world that existed prior to the era of American predominance—is to return to the great power conflicts of past centuries. Revisionist great powers are never satisfied. Their sphere of influence is never quite large enough to satisfy their pride or their expanding need for security. The “satiated” power that Bismarck spoke of is rare—even his Germany, in the end, could not be satiated. Of course, rising great powers always express some historical grievance. Every people, except perhaps for the fortunate Americans, have reason for resentment at ancient injustices, nurse grudges against old adversaries, seek to return to a glorious past that was stolen from them by military or political defeat. The world’s supply of grievances is inexhaustible. These grievances, however, are rarely solved by minor border changes. Japan, the aggrieved “have-not” nation of the 1930s, did not satisfy itself by swallowing Manchuria in 1931.
Germany, the aggrieved victim of Versailles, did not satisfy itself by bringing the Germans of the Sudetenland back into the fold. And, of course, Russia’s historical sphere of influence does not end in Ukraine. It begins in Ukraine. It extends to the Balts, to the Balkans, and to the heart of Central Europe. The tragic irony is that, in the process of carving out these spheres of influence, the ambitious rising powers invariably create the very threats they use to justify their actions. Japan did exactly that in the 30s. In the 1920s, following the Washington Naval Treaty, Japan was a relatively secure country that through a combination of ambition and paranoia launched itself on a quest for an expanded sphere of influence, thus inspiring the great power enmity that the Japanese had originally feared. One sees a similar dynamic in Russia’s behavior today. No one in the West was thinking about containing Russia until Russia made itself into a power that needed to be contained. If history is any lesson, such behavior only ends when other great powers decide they have had enough. We know those moments as major power wars. The best and easiest time to stop such a dynamic is at the beginning. If the United States wants to maintain a benevolent world order, it must not permit spheres of influence to serve as a pretext for aggression. The United States needs to make clear now—before things get out of hand—that this is not a world order that it will accept. And we need to be clear what that response entails. Great powers of course compete across multiple spheres—economic, ideological, and political, as well as military. Competition in most spheres is necessary and even healthy. Within the liberal order, China can compete economically and successfully with the United States; Russia can thrive in the international economic order upheld by the liberal powers, even if it is not itself liberal. But security competition is different.
It is specifically because Russia could not compete with the West ideologically or economically that Putin resorted to military means. In so doing, he attacked the underlying security and stability at the core of the liberal order. The security situation undergirds everything—without it nothing else functions. Democracy and prosperity cannot flourish without security. It remains true today as it has since the Second World War that only the United States has the capacity and the unique geographical advantages to provide this security. There is no stable balance of power in Europe or Asia without the United States. And while we can talk about soft power and smart power, they have been and always will be of limited value when confronting raw military power. Despite all of the loose talk of American decline, it is in the military realm where U.S. advantages remain clearest. Even in other great powers’ backyards, the United States retains the capacity, along with its powerful allies, to deter challenges to the security order. But without a U.S. willingness to use military power to establish balance in far-flung regions of the world, the system will buckle under the unrestrained military competition of regional powers.

Russian IP theft now --- they can’t be deterred --- bolstering cyberdefense is key

Bennett 4/12/15 cybersecurity reporter for The Hill (Cory, “Russia’s cyberattacks grow more brazen” 4/12/15, http://thehill.com/policy/cybersecurity/238518-russias-cyberattacks-grow-more-brazen) | js

Russia has ramped up cyber attacks against the United States to an unprecedented level since President Obama imposed sanctions last year on President Putin's government over its intervention in Ukraine. The emboldened attacks are hitting the highest levels of the U.S. government, according to reports, in what former officials call a “dramatic” shift in strategy. The efforts are also targeting a wide array of U.S.
businesses, pilfering intellectual property in an attempt to level the playing field for Russian industries hurt by sanctions. “They're coming under a lot of pressure from the sanctions — their financial industry, their energy industry,” said Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, which monitors critical infrastructure attacks. “And they're obviously trying to leverage cyber intrusion and cyber espionage to compensate for that.” CrowdStrike has recorded over 10,000 Russian intrusions at companies worldwide in 2015 alone. That’s a meteoric rise from the “dozens per month” that Alperovitch said the firm noted this time last year, just as the U.S. was imposing its sanctions. Many see the recent reports that Moscow infiltrated the State Department and White House networks — giving them access to President Obama’s full schedule — as a turning point in Russian government hacking. Moscow doesn’t care as much about being caught, perhaps in an attempt to prove its cyber prowess, some speculate. “I think that the calculus for them has changed,” said Will Ackerly, an eight-year National Security Agency vet who co-founded encryption firm Virtru in 2012. “It seems that they’re definitely behaving dramatically different in that regard.” The attitude, Ackerly said, is “much more brazen” than previous Russian efforts to lift intelligence information. For years, Russian hacking has operated on two tracks. On one track, Moscow has orchestrated quiet, targeted digital hits on the U.S. government to collect scraps of intelligence data. On the other, a large community of Russian cyber criminals, not necessarily affiliated with the government, has peppered the American banking industry for commercial gain. “Experienced Russian hackers often tend to target financial data,” said Tom Brown, who served until 2014 as chief of the Cyber Crime Unit at the U.S. Attorney’s Office for the Southern District of New York.
Last year, Russians were charged with hacking into Nasdaq, America’s second largest stock exchange. Going further back, a notorious Russian Internet gang made off with tens of millions of dollars from Citibank in 2009. These were just two of the Russian incidents Brown helped investigate. Russian cyber crooks, he said, uniformly launch “relatively sophisticated attacks.” On the government-sponsored side, researchers at security firm FireEye discovered evidence of Russian intelligence-gathering cyber campaigns stretching back to at least 2007. Moscow was searching for communications, emails, memos, phone calls and schedules that could smear adversaries’ reputations or simply shed light on their plans. Laura Galante, threat intelligence manager at FireEye, said she has seen a “resurgence” in these types of Russian government-backed cyberattacks since late February. “They really see this as much more broadly than just a tool, a piece of malware or a distinct type of activity,” said Galante. “They see this as a broader quest to get the information they need to portray themselves and their efforts in the best light in the world.” And as Russia’s economy sags under the weight of U.S. sanctions imposed in March 2014, the mercenary, criminal track has started to blur with the government-directed track, analysts said. “What they’re basically doing is in effect saying internally, ‘That’s fine, you’re going to sanction us, so we’re going to use cyber to steal your intellectual property and give it to our industry,’” Alperovitch said. The digital barrage has caught the attention of top U.S. officials. President Obama repeatedly asked his advisors whether a massive data breach at JPMorgan last fall was Russian retaliation for the sanctions, according to reports. The aides couldn’t give the president a definitive answer. Indeed, the security community is not united in its belief Russia was behind the attack.
Former intelligence officials have also speculated that information discreetly passed to the media laying blame on the Russians for the State Department and White House hacks is a White House attempt to send a message to Russian authorities: “We’re on to you.” Director of National Intelligence James Clapper acknowledges the U.S. was caught off guard by this Russian hacking surge. “The Russian cyber threat is more severe than we have previously assessed,” he told a Senate committee in February. During an October speech, Clapper even said Russia has replaced cyber powerhouse China as his top concern. Ackerly said the State Department and White House intrusions are a striking example of the new Russian mentality. The attack was “much larger in breadth” than historic Russian cyber espionage efforts. “They’re much more willing to do things which there’s a high probability of detection,” Ackerly said. “They are willing to know that going in and say, ‘We’re going to do that anyway.’” Moscow’s intelligence agencies can still collect their information, while making a public point, said Christopher Cummiskey, a former acting under secretary for management at the Department of Homeland Security in 2014 who oversaw a number of the agency’s cyber efforts. “I think from their perspective it’s like, ‘Well guess what, we’ve shown the world that we’re able to actually penetrate the very sensitive systems in the U.S. government,’” he said. Until the government improves its detection capabilities, the Russians will not be deterred, Cummiskey said. “It’s not as easy to pick up on these things today with the way we’re configured as hopefully it will be in the future,” he said. “So we’ve got some work to do.”

That’s crucial to Russian modernization efforts
Booz Allen Hamilton 13 [Leading provider of management and technology consulting services to the U.S.
government, Economist Intelligence Unit, The Economist, “Cyber Theft of Corporate Intellectual Property: The Nature of the Threat,” July 2013, http://www.boozallen.com/insights/2013/07/CyberTheft-of-Corporate-Intellectual-Property] //khirn
Russia’s own espionage effort is also driven by a desire to diversify its economy and reduce its dependence on natural resources, according to the NCIX report. Russia too has a sense of grievance; it believes the global economic system is tilted in the favor of Western countries at its expense. Though Russia has denied hacking, it has enlisted its intelligence services to help carry out its economic policy goals. The director of Russia’s Foreign Intelligence Service, Mikhail Fradkov, said in December 2010 that it “aims at supporting the process of modernization of our country and creating the optimal conditions for the development of its science and technology.” IP theft threatens some companies more than others. Companies that are less dependent on IP for competitive advantage may be able to recover fairly quickly. Indeed, the EIU’s survey shows that many executives are optimistic about their companies’ abilities to respond to IP attacks, with 48% of respondents saying that while the theft of IP would cause damage in the short-term, they would be able to recover. Companies that innovate quickly–and develop new IP–may find that they continue to outpace also-ran competitors who have tried to steal their older ideas. In the most alarmist scenarios, however, IP theft by low-cost competitors manifests itself only years later in reduced industry competitiveness, slower economic growth, lost jobs, and even lower living standards. By the same token, defense technologies and secrets stolen from US industry and government networks could give China and Russia military advantages worth billions.

That causes Russian aggression
Isachenkov 15 [Vladimir Isachenkov, Associated Press, Business Insider, Feb.
4, 2015, “Russia continues massive military modernization despite economic woes,” http://www.businessinsider.com/russia-continues-massive-military-modernization-despite-economic-woes-2015-2#ixzz3eVw3maaO] //khirn
MOSCOW (AP) — Hundreds of new Russian aircraft, tanks and missiles are rolling off assembly lines. Russian jets roar through European skies under NATO's wary eye. Tens of thousands of troops take part in war games showing off the military's readiness for all-out war. The muscle flexing suggests that Russia's economic woes so far are having no impact on the Kremlin's ambitious military modernization program. Most Russian economic sectors face a 10 percent cut this year as Russia heads into recession. The military budget, meanwhile, rose by 33 percent to about 3.3 trillion rubles (some $50 billion). The buildup reflects President Vladimir Putin's apparent readiness to raise the ante in a showdown with the West over Ukraine — but it is unclear whether Russia can afford the modernization drive amid slumping oil prices and Western sanctions. The new Russian military doctrine, endorsed by Putin in December, names NATO as a top threat to Russia and lays out a response to what the Kremlin sees as the alliance's expansion into Russia's sphere of interests. In the Ukraine crisis, Moscow for the first time demonstrated its new capacity for what experts call "hybrid" warfare, a combination of military force with a degree of deniability, sleek propaganda and political and economic pressure. It is not only in Crimea — the strategic peninsula that Russia annexed from Ukraine — that the nation's 1-million strong military is beefing up its presence. Russia is also reviving Soviet-era airfields and opening new military bases in the Arctic. Last fall the military rattled sabers by briefly deploying state-of-the art missiles to Russia's westernmost Baltic exclave — Kaliningrad — and it is planning to send strategic bombers on regular patrols as far as the Caribbean and the Gulf of Mexico.
The West first got a sense of Russia's revived military might during last February's Crimea invasion. The U.S. and its NATO allies were caught off guard when waves of Russian heavy-lift military transport planes landed on the Black Sea peninsula days after the ouster of Ukraine's former Moscow-friendly president, unloading special forces which swiftly took over key facilities in the region and blocked Ukrainian troops at their bases. Dressed in unmarked uniforms and equipped with state-of-the art weapons, the Russian troops were a far cry from a ragtag demoralized force the military was just a few years ago. The Kremlin first claimed they were local volunteers, but Putin recognized after the annexation that they were Russian soldiers. Another surprise for the West came a few weeks later, when well-organized groups of gunmen took over local government offices and police stations in several cities across Ukraine's mostly Russian-speaking eastern industrial heartland, triggering a rebellion that evolved into a full-scale war that killed more than 5,300 since April. As fighting escalated in the east, the Russian military showed its agility by quickly deploying tens of thousands of troops near the border with Ukraine. Ukraine and the West said that thousands of them crossed into Ukraine, helping turn the tide in rebels' favor. The Kremlin denies that, although it has acknowledged that Russian volunteers have joined the insurgency. Unlike the past, when the Russian military was filled through unpopular conscription, the force has grown more professional and motivated. Relatively high salaries have attracted an increasing number of contract soldiers, whose number is set to exceed 350,000 this year from 295,000 in 2014.
Russian Defense Minister Sergei Shoigu said that by the end of this year all battalion tactical groups — the core units in the Army, the Airborne Forces and the Marines — will be manned entirely by professional soldiers. And in sharp contrast to the early post-Soviet years, when combat jets were grounded and navy vessels rusted dockside for lack of fuel, the military has dramatically increased both the scope and frequency of its drills. Ground forces conducted massive maneuvers near the Ukrainian border involving tens of thousands of troops, while navy ships sailed on regular missions and combat jets flew regular patrols near European borders to probe NATO's defenses. The alliance said it intercepted Russian aircraft more than 400 times last year and complained they posed a danger to civilian flights. In Crimea, Russia had leased a major naval base even before the annexation. Now it has deployed dozens of combat jets, including nuclear-capable long-range bombers, along with air defense missiles, modern drones and other weapons. It is also preparing to dispatch more troops there. Another key priority for the military is the Arctic, where global rivalry for major untapped oil and gas reserves is intensifying as polar ice melts. The military has restored long-abandoned Soviet-era airfields and other bases in the region after two decades of neglect. It formed a separate Arctic command to oversee its troops in the region. Russia's weapons modernization plan envisages spending 20 trillion rubles on new weapons in 2011-2020. It produced some highly visible results last year, with the military receiving the highest numbers of new planes, missiles and armor since the 1991 Soviet collapse: —Last year, the Russian armed forces obtained a record number of 38 nuclear-tipped intercontinental ballistic missiles. 
This year they are to get another 50, allowing the military to fulfill its ambitious goal of replacing Soviet-built nuclear missiles, which are approaching the end of their lifespan. Officials say the new ICBMs have the capacity to penetrate any prospective missile defenses. —In a major breakthrough, the Russian navy finally conducted a series of successful test launches of the Bulava, a new submarine-based intercontinental ballistic missile, proving its reliability after a long and troublesome development. The navy already has two submarines equipped with the Bulava, and is to commission a third one next year. Five more are to follow. —The ground forces are receiving large batches of Iskander missiles, which are capable of hitting enemy targets up to 500 kilometers (310 miles away) with high precision. Russian officials said the missiles, which can be equipped with a nuclear or conventional warhead, could be used to target NATO's U.S.-led missile defense sites. In a show of force, Iskanders were briefly deployed in December to the Kaliningrad exclave bordering NATO members Poland and Lithuania. —The Russian air force received more than 250 new planes and helicopters last year and is set to receive more than 200 this year — numbers unseen since Soviet times. They include new models such as Su-34 bombers, Su-35 fighter jets and Mi-28 helicopter gunships equipped with sophisticated electronics and high-precision missiles. —The Russian army this year is set to receive a new tank, which also will be used as the basis for a lineup of other armored vehicles. The model called Armata will be shown to the public during a Red Square parade in May. It surpasses all Western versions in having a remotely controlled cannon and a superior level of crew protection. Its security enhanced by a new-look military, the Kremlin can be expected to pursue a defiant course in Ukraine and may raise the stakes further if the peace process fails. 
The threat for Putin — who has insisted that Russia will not be drawn into a costly arms race with the West — is whether the massive military buildup will stretch the nation's economic potential beyond the limit.

That escalates—we’re already on the brink of nuclear war
Reid 15 Professor of Law at University of St. Thomas School of Law (Charles J., University of St. Thomas Journal of Law and Public Policy, “VLADIMIR PUTIN’S CULTURE OF TERROR: WHAT IS TO BE DONE?” p. 53–5) | js
In waging such a limited war, furthermore, Putin would rely not on ICBMs but on “the first use of tactical nuclear weapons in war.” 447 And that is where we stand, in mid-March, 2015, as I write this Article. We are witnessing, on the part of NATO, an awakening to exactly the gravity of this threat. Sir Adrian Bradshaw, NATO’s deputy commander of forces in Europe, has quite rightly stated that this crisis is an existential moment for the western alliance.448 And, it is a relief to note, the alliance is finally responding to the urgency of the moment. NATO has decided to expand its rapid reaction from 13,000 troops to 30,000.449 It has also chosen to create an elite “spearhead” unit of 5,000 troops for immediate deployment in a crisis.450 Jean-Claude Juncker, the head of the European Commission has raised the subject of a European Army.451 It is imperative for many reasons that Europe achieve a greater level of political integration452 and a European Army may serve that long-term goal as well as the more immediate matter of addressing Russian aggression. The United States is also rising to the military challenge posed by Russian expansionism in Eastern Europe.
A military convoy has been sent on a “show-the-flag tour” of six East European countries.453 Large numbers of soldiers and large quantities of supplies have now landed in Latvia to “participate in multinational training exercises with Latvia, Estonia, and Lithuania.”454 American military hardware and personnel are now stationed just yards from Russian territory in the Baltics.455 A Patriot anti-missile battery, together with the crew to man it, has been moved to Poland.456 Ashton Carter, President Obama’s nominee to serve as Secretary of Defense, has declared his support for providing arms to the Ukrainian military.457 Victoria Nuland has called for the creation of NATO command-and-control centers in Bulgaria, Romania, and other nations of Eastern Europe.458 And how has Putin responded? He destroyed the city of Debaltseve in Ukraine with a savagery and barbarity unknown in Europe since the days of World War II. Virtually every building in the city has been damaged or destroyed.459 Some 40,000 people (out of a population of 45,000) have been forced to flee.460 Dogs, it is said, have begun to eat the bodies of the unburied dead.461 Whole classes of persons -- Tatar Muslims who might threaten the regime, and others who fall under suspicion of State Security -- are being abducted, tortured, and being made to disappear at alarming rates.462 And Putin has renewed, once again, his threats against world order. 
He has dispatched nuclear-capable strategic bombers to Crimea.463 He has sent nuclear-capable cruise missiles to the Polish border.464 Dozens of aerial provocations have been occurring along the European, British, and North American coasts.465 Putin is conducting military exercises on a scale and with a sophistication “not seen since the end of the Cold War.”466 He has proclaimed his readiness to use nuclear weapons openly, on Russian television.467 When Denmark indicated a desire to be protected behind a future missile shield, Mikhail Vanin, Russian Ambassador to Denmark, threatened Danish shipping with tactical nuclear weapons.468 In a deliberate provocation that may open the door to further aggression, Putin’s forces abducted an Estonian military officer from Estonian territory.469 Will there be a war between the superpowers, a large war, one with devastating consequences?470 Some sober-minded and experienced minds are beginning to contemplate that horrific thought. Michael Fallon, British Defence Minister, has said that Vladimir Putin, with his reckless words and deeds, has “‘lowered the threshold’ for using nuclear weapons.”471 Retired British commander of NATO forces Sir Richard Shirreff has warned that Putin’s conduct risks the “threat of total war.”472 And that great and wise man Mikhail Gorbachev, when asked whether “there could be another major war in Europe” responded: “Such a scenario shouldn’t even be considered. Such a war today would inevitably lead to a nuclear war. But the statements from both sides and the propaganda lead me to fear the worst. If one side loses its nerves in this inflamed atmosphere, then we won’t survive the coming years.”473 Thus has Putin’s culture of terror brought us to the brink of the unthinkable, a nuclear standoff where the risk of miscalculation is large. International law, over the last two decades, has moved decisively in the direction of delegitimizing even the threat of the offensive use of nuclear weapons.
Vladimir Putin’s loose talk and his aggressive military posturing are returning us to the dark days of an older generation, when nuclear threats hung heavy over the planet. We must make sure such threats do not emanate again from a world leader.

Water Security Advantage

Zero-days are key --- inadequate cooperation risks multiple critical sectors --- like water
Stockton and Golabek-Goldman 13 [Paul and Michele, "Curbing the market for cyber weapons," Yale Law & Policy Review, Forthcoming, pg. 108-109 <http://ssrn.com/abstract=2364658>] /eugchen
Øday exploits are dual-use.24 They can be deployed by good-willed researchers to test computer systems for vulnerabilities and therefore safeguard systems against attacks.25 However, they can also be deployed to gather sensitive commercial or intelligence information, incapacitate computer systems, or inflict widespread physical damage. For example, a weaponized Øday exploit targeting the air traffic control system could send false signals to planes in the air, causing them to crash or collide.26 Department of Transportation audits have confirmed that the U.S. air traffic control system remains highly vulnerable to cyberattacks.27 An attack on the electric grid could leave entire regions of the country in the dark for weeks, incapacitating the economy and resulting in numerous casualties.28 As the threats to the air traffic control system and electric grid make clear, the most potent and dangerous Øday-exploit attacks are those that target the nation’s “critical infrastructure” sectors.
The 2013 Presidential Policy Directive on Critical Infrastructure Security and Resilience defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”29 The air-traffic control system and other transportation systems are considered critical infrastructure, along with the chemical, communications, emergency services, financial, water, power, and nuclear reactor sectors.30 A high percentage of America’s critical infrastructure is owned and operated by private civilian companies.31 These companies generally operate and monitor critical infrastructure by relying on industrial-control systems, including Supervisory Control and Data Analysis (“SCADA”) systems, distributed-control systems, and programmable-logic controllers.32 These systems enable companies to open and shut water pump valves, react to pressure, and change volume levels automatically and remotely.33 As technology has evolved, companies have sought to improve operational efficiency by designing ICS systems that are Internet compatible.34 Internet connectivity has rendered these systems and their applications layer much more susceptible to Øday-exploit attacks since perpetrators can access and penetrate them more easily.35 Today’s Øday-exploit attacks are especially targeted at the vulnerable applications layer.36 In spite of this increased threat, private companies have failed to adequately invest in cyber measures to secure critical infrastructure from attack. The government has also failed to provide sufficient support to private companies to safeguard the nation’s critical infrastructure.
According to the Department of Homeland Security’s recent Inspector General Report, the United States Computer Emergency Readiness Team (US-CERT) is “understaffed” and lacks the legal authority to require private companies to implement stronger protections against cyber intrusions.37

Water supplies are uniquely vulnerable to cyber-attacks
Ginter 15 (Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions, a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. WaterWorld.com: “High-Tech Threats: Top Cybersecurity Issues Facing Water Utility Control Systems.” Copyright date is 2015. Accessed June 25th, 2015. http://www.waterworld.com/articles/print/volume-29/issue-10/editorial-features/high-tech-threats-top-cybersecurity-issues-facing-water-utility-control-systems.html) KalM
Recent Department of Homeland Security reports have highlighted poor security among the nation's water utilities, where operations networks and control systems are inadequately protected. The security situation in critical infrastructure is raising ratepayer concerns and prompting utilities to ask hard questions about which actions can truly improve their cybersecurity situations. Are firewalls - the most common form of security in the market - capable of combatting modern threats? Would water system utilities be better protected if they completely isolated their control-system networks from public networks? Or is there a third option that would retain the efficiencies and cost savings that come from access to real-time operations information, while also protecting plants from cyber attacks? Technology that routinely protects industrial control networks in power plants and other critical infrastructures can help water utilities answer these questions.
Firewalls and Modern Security Threats
Firewalls are a staple of industrial cybersecurity programs, but they have many inherent flaws that water facilities must identify, consider and address. Firewalls are complex software systems because they are difficult to configure, and their configurations are difficult to understand and verify. The smallest error in these configurations can introduce vulnerabilities. Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities. In order to prevent exploitation of known defects and vulnerabilities, firewall vendors issue a steady stream of security updates, which must be applied promptly. Even worse, because the firewalls provide not only real-time data but also online access to mission-critical systems and networks, the firewalls fundamentally expose these environments to numerous types of attacks. For example, phishing attacks send email through a firewall to persuade recipients to either reveal passwords or to download and run malware. Meanwhile, vulnerabilities as simple as hard-coded passwords and hard-coded encryption keys have been reported in industrial firewalls. In addition, cross-site scripting vulnerabilities in HTTP-based "VPN" proxy servers are difficult or impossible to fix because they are essential to the design of the firewall's features. Even if connections through firewalls are initiated from the control network side, once the connections are established, they permit bi-directional data to flow through the firewalls. Any of those flows can be used to launch attacks back to systems on the protected network.
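The two points above that matter most to a defender are that firewall rule sets are hard to verify (a single ordering mistake can silently disable a deny) and that any allowed session, even one the control network initiates, is a two-way channel once established. The following rule-set audit is an added example written for this page; it is not code from Waterfall Security Solutions, WaterWorld, or the Stockton and Golabek-Goldman paper, and the zone names, the Rule format, the port threshold and both sample rule sets are constructed assumptions. It flags sessions that can be initiated into the control zone, control-initiated sessions that leave a bidirectional path back in, over-broad service matches, and deny rules shadowed by an earlier broader allow under first-match evaluation. The "hardened" set has no allow rule touching the control zone at all; the outbound replication of plant data that the article's "third option" describes would be carried by a unidirectional gateway outside this rule set, which a firewall model cannot express.

```python
"""Rule-set audit for a zone-based firewall guarding a plant control network.

Added example; not code from Waterfall Security Solutions or WaterWorld.
The zone names, the Rule format and the sample rule sets are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

CONTROL_ZONE = "control"          # the SCADA / plant control network (assumed name)
BROAD_PORT_THRESHOLD = 1024       # more destination ports than this counts as "broad"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str     # zone that initiates the session ("any" is a wildcard)
    dst_zone: str
    proto: str        # "tcp", "udp" or "any"
    dst_ports: str    # "any", a single port "502", or a range "1024-65535"
    action: str       # "allow" or "deny"


def port_range(spec: str) -> Tuple[int, int]:
    """Turn a port spec into an inclusive (low, high) range."""
    if spec == "any":
        return 0, 65535
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo, hi
    port = int(spec)
    return port, port


def _zone_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    lo_o, hi_o = port_range(outer.dst_ports)
    lo_i, hi_i = port_range(inner.dst_ports)
    return (_zone_covers(outer.src_zone, inner.src_zone)
            and _zone_covers(outer.dst_zone, inner.dst_zone)
            and (outer.proto == "any" or outer.proto == inner.proto)
            and lo_o <= lo_i and hi_i <= hi_o)


def shadowed_denies(rules: List[Rule]) -> List[str]:
    """First-match evaluation: a deny preceded by a broader allow never fires."""
    out = []
    for i, rule in enumerate(rules):
        if rule.action != "deny":
            continue
        for earlier in rules[:i]:
            if earlier.action == "allow" and covers(earlier, rule):
                out.append(f"{rule.name}: deny is shadowed by earlier allow '{earlier.name}'")
                break
    return out


def exposure_findings(rules: List[Rule]) -> List[str]:
    """Allow rules that create a channel into or out of the control zone."""
    out = []
    for r in rules:
        if r.action != "allow":
            continue
        if _zone_covers(r.dst_zone, CONTROL_ZONE) and r.src_zone != CONTROL_ZONE:
            out.append(f"{r.name}: session from '{r.src_zone}' may be initiated into the "
                       f"control zone ({r.proto}/{r.dst_ports})")
        if r.src_zone == CONTROL_ZONE:
            # A stateful firewall passes replies back in once the session exists,
            # so even a control-initiated flow is a bidirectional channel.
            out.append(f"{r.name}: control-initiated session to '{r.dst_zone}' opens a "
                       f"bidirectional channel back into control")
        if CONTROL_ZONE in (r.src_zone, r.dst_zone) or "any" in (r.src_zone, r.dst_zone):
            lo, hi = port_range(r.dst_ports)
            if r.proto == "any" or hi - lo + 1 > BROAD_PORT_THRESHOLD:
                out.append(f"{r.name}: overly broad service match ({r.proto}/{r.dst_ports})")
    return out


def audit(rules: List[Rule]) -> List[str]:
    return exposure_findings(rules) + shadowed_denies(rules)


# Constructed "typical" rule set: remote access into the HMIs plus outbound replication.
WEAK_RULESET = [
    Rule("ops-remote-access", "business", "control", "tcp", "1024-65535", "allow"),
    Rule("no-rdp-into-control", "business", "control", "tcp", "3389", "deny"),  # dead: shadowed
    Rule("control-to-historian", "control", "dmz", "tcp", "1433", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "deny"),
]

# Constructed hardened rule set: the business network reads a historian replica in the
# DMZ; nothing through this firewall may initiate a session into the control zone, and
# the control-to-DMZ replication is left to a unidirectional gateway outside this rule set.
HARDENED_RULESET = [
    Rule("business-reads-replica", "business", "dmz", "tcp", "1433", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(label, "->", audit(ruleset) or ["no findings"])
```

Running it reports four findings for the weak set (the business-to-control access rule twice, for inbound initiation and for its 64,512-port match; the historian replication rule as a bidirectional channel; and the RDP deny as shadowed) and none for the hardened set. The shadowing check is the piece practitioners most often skip: the deny rule looks correct on its own and only fails when read in order against what precedes it.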
This means that utilities cannot deliver any confidence that their operational assets are adequately protected by firewalls. The level of risk is unacceptably high, and water utilities must compensate for it.

US water security on the brink now
Dimick 14 (Dennis Dimick is National Geographic's Executive Editor for the Environment. National Geographic: “If You Think the Water Crisis Can't Get Worse, Wait Until the Aquifers Are Drained” published August 21st, 2014. Accessed June 25th, 2015. http://news.nationalgeographic.com/news/2014/08/140819-groundwater-california-drought-aquifers-hidden-crisis/#) KalM
This coincides with a nationwide trend of groundwater declines. A 2013 study of 40 aquifers across the United States by the U.S. Geological Survey reports that the rate of groundwater depletion has increased dramatically since 2000, with almost 25 cubic kilometers (six cubic miles) of water per year being pumped from the ground. This compares to about 9.2 cubic kilometers (1.48 cubic miles) average withdrawal per year from 1900 to 2008. Scarce groundwater supplies also are being used for energy. A recent study from CERES, an organization that advocates sustainable business practices, indicated that competition for water by hydraulic fracturing—a water-intensive drilling process for oil and gas known as "fracking"—already occurs in dry regions of the United States. The February report said that more than half of all fracking wells in the U.S. are being drilled in regions experiencing drought, and that more than one-third of the wells are in regions suffering groundwater depletion. Satellites have allowed us to more accurately understand groundwater supplies and depletion rates. Until these satellites, called GRACE (Gravity Recovery and Climate Experiment), were launched by NASA, we couldn't see or measure this developing invisible crisis.
GRACE has given us an improved picture of groundwater worldwide, revealing how supplies are shrinking in several regions vulnerable to drought: northern India, the North China Plain, and the Middle East among them. As drought worsens groundwater depletion, water supplies for people and farming shrink, and this scarcity can set the table for social unrest. Saudi Arabia, which a few decades ago began pumping deep underground aquifers to grow wheat in the desert, has since abandoned the plan, in order to conserve what groundwater supplies remain, relying instead on imported wheat to feed the people of this arid land.

Water insecurity risks global war
Aleem 3/6/15 ---Zeeshan Aleem is a reporter and editor at The Huffington Post, Politico, The Atlantic Wire, and BBC News. He was educated at the Sidwell Friends School, Oxford University, George Washington, and the University of Chicago. (“Zeeshan Aleem”; Why Water Shortages Are the Greatest Threat to Global Security; http://mic.com/articles/111644/why-water-shortages-are-the-greatest-threat-to-global-security)\\pranav/KalM
According to a United Nations report presented at U.N. headquarters in New York last week, about 2.9 billion people in 48 countries will be facing water shortages within 10 years that could destabilize and jeopardize the "very existence" of some countries. By 2030, there will be a global supply shortfall of 40%. And it could pose a major threat to global security. "People do not have the luxury of living without water and when faced with a life or death decision, people tend to do whatever they must to survive," the report said. "In this manner, changes in fundamental hydrology are likely to cause new kinds of conflict, and it can be expected that both water scarcity and flooding will become major transboundary water issues." Global warming is causing extreme weather events that are nudging water supply issues from bad to desperate.
On their own, vanishing rivers or droughts could devastate a year's worth of crops but combined and over time, they pose a civilizational threat. At this point, U.S. intelligence agencies consider the prospect of water shortage a threat to be considered alongside terrorism and weapons of mass destruction. Understanding the water shortage: To be clear, the world isn't exactly running out of usable water. Freshwater is a very small portion of the planet's entire water supply: It accounts for only about 2.5% of all water, and just 1% of freshwater is readily accessible. But it is all over the world, and it's renewable. The main problem with water isn't about total volume — it's about distribution. Water isn't always where people need it when they need it, and all societies need it for everything: health, sanitation, agricultural production, energy and industry. The ability to handle distribution to meet these demands is largely a function of wealth. While affluent countries are generally able to manage the resources to meet demand, poorer countries frequently lack the infrastructure to deliver clean, safe water. Their economies also tend to rely disproportionately on deregulated and dirty extractive industries like coal mining that contaminate already-scarce water supplies. Impoverished nations are already suffering from serious water woes. Three-quarters of a billion people lack access to clean water, and water-related disease takes the lives of about 840,000 a year, according to Water.org. Women and children spend 140 million hours a day collecting usable water, often from unclean sources. A growing problem: As the world's population grows and endures increasingly volatile weather patterns, water management problems are on the brink of becoming far worse for much larger swathes of the global population. 
"The ways we need water and the way the environment provides water are increasingly not matching up, because things like climate change make it less and less predictable," Janet Redman, the climate policy director at the Institute for Policy Studies in Washington D.C., told Mic. "We built our society around when we can get water, when we can grow food, how we have to house ourselves, because we understand the environment around us after living in it for hundreds and hundreds and hundreds of generations. "The problem now, partly due to climate change, we can't predict the patterns, of rainfall, where water is going to be when, when things melt, how floods and droughts work — we're out of sync with the environment because we've changed the environment in a pretty significant way." How shortages breed conflict: The decline in our ability to predict the flow of the world's water based on historical patterns, called "relative hydrological stationarity" in the scientific community, is a game changer. "The loss of stationarity is playing poker with a deck in which new cards you have never seen before keep appearing more and more often, ultimately disrupting your hand to such an extent that the game no longer has coherence or meaning," the report said. That trickling in of new cards is dangerous. Lack of water has played a role in countless conflicts on a sub-national level. The Pacific Institute has documented hundreds of instances of water-related conflict in the past half-century which range from Kenyan tribes clashing over water amidst droughts to riots in South Africa over lack of access to clean water. As water supply experts Shira Yoffe and Aaron Wolf have noted, scarcity of clean freshwater has contributed to many episodes of acute violence on a small geographic scale across the world, such as bloody conflict between states within India over access to the Kaveri River.
Adel Darwish, co-author of Water Wars: Coming Conflicts in the Middle East, has argued that access to water has played a significant role in the Arab-Israeli conflict, including the 1967 war. More recent conflicts include a hidden element of water scarcity to them. Inter-ethnic conflict in Sudan in the 2000s was also driven by warring over access to clean water. Today, the militant Islamic State group is reportedly using control of water in Iraq and Syria as a tool of war. It affects everyone: It's increasingly clear that even rich countries cannot keep their water supplies safe from the consequences of climate change and extreme weather events — or from the instability that follows. In recent years California has experienced its worst drought in recorded history, which has rippled through both the local and national economy. Floods in the Canadian province of Manitoba in 2011 and 2014 caused the government's budget deficit to swell and ultimately led to political leaders resigning, according to the U.N. report. Insecurity can bubble up in even the places that are taken for granted as stable.
The world's water supply crisis is a serious one: By 2050, sustaining the planet will require at least 50% more water than it does today, according to the New Yorker.
Solvency
The plan solves effective information sharing between the government and private sector --- a signal of clear commitment and a steady flow of actionable disclosure is key to cooperative cyberdefense --- overcomes legal barriers
Rosenzweig 12 [Paul, leading cybersecurity expert, founder of Red Branch Consulting PLLC, a homeland security consulting company, and a Senior Advisor to The Chertoff Group, “Cybersecurity and Public Goods: The Public/Private “Partnership,” An Emerging Threats Essay, Hoover Institution, Stanford] //khirn
Information Sharing, Public Goods, and the Law This economic understanding of cybersecurity suggests why a significant fraction of the policy debate about cybersecurity and public/private partnerships revolves around the challenge of effectively sharing security information. Some people insist that existing legal restrictions prevent the private sector from creating cybersecurity. They say some restrictions weaken the government’s ability to adequately share threat information with the private sector, while others limit how the private sector shares information with the government or amongst itself. In other words, the “received wisdom” is that our collective response to new threats is limited by law— the government can’t share some threat information about new malicious software with the private sector because of classification rules, and privacy rules prevent private sector actors from sharing the same information with the government or their peers. The focus on information sharing makes sense when seen through the prism of our theoretical model: because threat and vulnerability information may have characteristics of a public good, it is in society’s interest to foster their creation and distribution.
If existing laws did, in fact, restrain and restrict those aims—if classification and privacy laws limited information sharing—that would be a policy dissonance. However, on closer examination, many of these legal limitations may be less constricting than they are perceived to be. In the end, what really restricts cooperation are the inherent caution of lawyers who do not wish to push the envelope of legal authority and/or policy and economic factors such as proprietary self-interest that limit the desire to cooperate. The information in question will relate, broadly speaking, either to specific threats from external actors (for example, knowledge from an insider that an intrusion is planned) or to specific vulnerabilities (for example, the identification of a security gap in a particular piece of software). In both situations, the evidence of the threat or vulnerability can come in one of two forms: either non-personalized information related to changes in types of activity on the network, or personalized information about the actions of a specific individual or group of individuals.48 Needless to say, the sharing of the latter category of Personally Identifiable Information (PII) is of greater concern to civil libertarians than the sharing of network traffic information.49 Information Sharing from the Government to the Private Sector Some suggest that the principal barriers to an effective public/private partnership in combating cyber threats are limitations on the government’s ability to share threat and vulnerability information with the private sector. Sometimes the government has collected this information using sources and methods that are classified, and disclosure of the information risks compromising those sources and methods. Less frequently, the existence of the threat or vulnerability is itself classified information, since disclosure of its existence or scope might adversely affect security. 
In general, classification rules serve a salutary purpose—they protect information whose disclosure “reasonably could be expected to cause exceptionally grave damage to the national security.”50 That instinct against disclosure, however, conflicts with a newer post-9/11 standard of enhanced information sharing. In the realm of cybersecurity, these conflicting impulses are a constant source of tension. For example, the Government Accountability Office reported last year that a survey of private sector actors showed that what they want most is for their federal partners to provide “timely and actionable cyber threat and alert information—[that is,] providing the right information to the right persons or groups as early as possible to give them time to take appropriate action.” However, “only 27 percent of private sector survey respondents reported that they were receiving timely and actionable cyber threat information and alerts to a great or moderate extent.”51 Likewise, private sector actors report that they do not routinely receive the security clearances required to adequately receive and act upon classified threat information.52 For the most part, these problems are ones of policy, rather than law. No legal barrier prevents provision of the requisite security clearances— it is simply a matter of inadequate resources. Likewise, the untimeliness of US-CERT’s alert process is more the product of the need for internal review and the government’s insistence on accuracy over timeliness than it is of any legal barrier to sharing. And, indeed, this policy choice may be the right one, since inaccuracy will erode the government’s credibility—but the cautious impulse still makes government information sharing less effective. Still, there may be some legal restrictions beyond classification that do interfere with information sharing.
According to the GAO, DHS officials report that “US-CERT’s ability to provide information is impacted by restrictions that do not allow individualized treatment of one private sector entity over another private sector entity—making it difficult to formally share specific information with entities that are being directly impacted by a cyber threat.”53 The apparent need to avoid the appearance of favoritism amongst private sector actors may be a barrier that needs re-consideration (though this reference is the only time the author has seen this problem identified, raising a question about its general applicability).54 Even this limited legal prohibition seems to have had little practical effect. As Google’s request for assistance to the NSA demonstrates, there are plainly situations in which company-specific assistance can be rendered by the government. Indeed, the Google experience is in the midst of being generalized. Recently the Department of Defense announced the continuation of a pilot project wherein it would share threat signature information with Internet Service Providers (ISPs) which, in turn, would use that information to protect the systems of private corporations that are part of the Defense Industrial Base (DIB).55 This pilot program is voluntary and involves only the one-way transfer of information from the government to the private sector—a structure that alleviates most, if not all, of the legal concerns about government surveillance activities.56 More broadly, the Obama administration’s draft cybersecurity proposal would codify authority for DHS to provide assistance to the private sector upon request.57 Thus, these problems are not likely to be ones of law, but of commitment.
Disclosing zero-days disarms cyberattackers globally
Masnick 14 [Mike, founder and CEO of Floor64 and editor of the Techdirt blog, “Obama Tells NSA To Reveal, Not Exploit, Flaws...
Except All The Times It Wants To Do The Opposite,” Techdirt, April 14, 2014, https://www.techdirt.com/articles/20140413/07094726892/obama-tells-nsa-to-reveal-not-exploit-flaws-except-all-times-it-wants-to-do-opposite.shtml] //khirn However, the NY Times had a story this weekend about how this move has forced the administration to clarify its position on zero day exploits. It's already known that the NSA buys lots of zero day exploits and makes the internet weaker as a result of it. Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes that, following the White House's intelligence review task force recommendation that the NSA stop weakening encryption and other technologies, President Obama put in place an official rule that the NSA should have a "bias" towards revealing the flaws and helping to fix them, but leaves open a massive loophole: But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons. Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say." Of course, the cold war analogy used by people in the article seems... wrong: “We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently.
“You are not going to see the Chinese give up on ‘zero days’ just because we do.” Except, it's meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using those zero days. In fact, closing zero days is just like disarming both sides, because it takes the vulnerability out of service. It's not about us giving up our "weapons," it's about building a better defense for the world. And yet the NSA isn't willing to do that. Because they're not about protecting anyone -- other than themselves.
US is the lynchpin of the zero-days market---that sustains the arms race and global cyberattacks—the plan reverses that and reduces the market drastically
Perlroth and Sanger 13 (Nicole Perlroth covers cyberattacks, hackers and the cybersecurity industry for The Times’s business news section. She is a graduate of Princeton University, Stanford University’s Graduate School of Journalism and is a guest lecturer at Stanford’s graduate schools of business and communications. David Sanger is the chief Washington correspondent of The New York Times. “Nations Buying as Hackers Sell Flaws in Computer Code”, July 13, 2013, http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html)//CLi
Now, the market for information about computer vulnerabilities has turned into a gold rush. Disclosures by Edward J. Snowden, the former N.S.A. consultant who leaked classified documents, made it clear that the United States is among the buyers of programming flaws. But it is hardly alone. Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services.
Countries in the Asian Pacific, including Malaysia and Singapore, are buying, too, according to the Center for Strategic and International Studies in Washington. To connect sellers and buyers, dozens of well-connected brokers now market information on the flaws in exchange for a 15 percent cut. Some hackers get a deal collecting royalty fees for every month their flaw is not discovered, according to several people involved in the market. Some individual brokers, like one in Bangkok who goes by “the Grugq” on Twitter, are well known. But after the Grugq spoke to Forbes last year, his business took a hit from the publicity, according to a person familiar with the impact, primarily because buyers demand confidentiality. A broker’s approach need not be subtle. “Need code execution exploit urgent,” read the subject line of an e-mail sent from one contractor’s intermediary last year to Billy Rios, a former security engineer at Microsoft and Google who is now a director at Cylance, a security start-up. “Dear Friend,” the e-mail began. “Do you have any code execution exploit for Windows 7, Mac, for applications like Browser, Office, Adobe, SWF any.” “If yes,” the e-mail continued, “payment is not an issue.” For start-ups eager to displace more established military contractors, selling vulnerabilities — and expertise about how to use them — has become a lucrative opportunity. Firms like Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, Mr. Auriemma’s and Mr. Ferrante’s Maltese firm, freely advertise that they sell knowledge of the flaws for cyberespionage and in some cases for cyberweapons. Outside Washington, a Virginia start-up named Endgame — in which a former director of the N.S.A. is playing a major role — is more elusive about its abilities.
But it has developed a number of tools that it sells primarily to the United States government to discover vulnerabilities, which can be used for fighting cyberespionage and for offensive purposes. Like ReVuln, none of the companies will disclose the names of their customers. But Adriel Desautels, the founder of Netragard, said that his clients were “strictly U.S. based” and that Netragard’s “exploit acquisition program” had doubled in size in the past three years. The average flaw now sells from around $35,000 to $160,000. Chaouki Bekrar, the founder of Vupen, said his company did not sell to countries that are “subject to European Union, United States or United Nations restrictions or embargoes.” He also said revenue was doubling every year as demand surged. Vupen charges customers an annual $100,000 subscription fee to shop through its catalog, and then charges per sale. Costs depend on the sophistication of the vulnerability and the pervasiveness of the operating system. ReVuln specializes in finding remote vulnerabilities in industrial control systems that can be used to access — or disrupt — water treatment facilities, oil and gas pipelines and power plants. “They are engaging in willful blindness,” said Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union. Many technology companies have started “bug bounty” programs in which they pay hackers to tell them about bugs in their systems rather than have the hackers keep the flaws to themselves — or worse, sell them on the black market. Nearly a decade ago the Mozilla Foundation started one of the first bounty programs to pay for bugs in its Firefox browser. Since then, Google, Facebook and PayPal have all followed suit. In recent months, bounties have soared. In 2010, Google started paying hackers up to $3,133.70 — the number is hacker code for “elite” — for bugs in its Web browser Chrome. 
Last month, Google increased its cash prize to $20,000 for flaws found in some of its widely used products. Facebook began a similar program in 2011 and has since paid out $1 million. (One payout included $2,500 to a 13-year-old. The most it has paid for a single bug is $20,000.) “The program undermines the incentive to hold on to a bug that might be worth nothing in a day,” said Joe Sullivan, Facebook’s chief security officer. It had also had the unintended effect of encouraging ethical hackers to turn in others who planned to use its bugs for malicious use. “We’ve seen people back-stab other hackers by ratting out a bug that another person planned to use maliciously,” he said. Microsoft, which had long resisted such a program, did an about-face last month when it announced that it would pay hackers as much as $150,000 for information about a single flaw, if they also provided a way to defend against it. Apple still has no such program, but its vulnerabilities are some of the most coveted. In one case, a zero-day exploit in Apple’s iOS operating system sold for $500,000, according to two people briefed on the sale. Still, said Mr. Soghoian of the A.C.L.U., “The bounties pale in comparison to what the government pays.” The military establishment, he said, “created Frankenstein by feeding the market.” In many ways, the United States government created the market. When the United States and Israel used a series of flaws — including one in a Windows font program — to unleash what became known as the Stuxnet worm, a sophisticated cyberweapon used to temporarily cripple Iran’s ability to enrich uranium, it showed the world what was possible. It also became a catalyst for a cyberarms race. When the Stuxnet code leaked out of the Natanz nuclear enrichment plant in Iran in the summer of 2010, the flaws suddenly took on new value.
Subsequent discoveries of sophisticated state-sponsored computer viruses named Flame and Duqu that used flaws to spy on computers in Iran have only fueled interest. “I think it is fair to say that no one anticipated where this was going,” said one person who was involved in the early American and Israeli strategy. “And today, no one is sure where it is going to end up.” In a prescient paper in 2007, Charlie Miller, a former N.S.A. employee, described the profitable alternatives for hackers who may have otherwise turned their information about flaws over to the vendor free, or sold it for a few thousand dollars to programs like Tipping Point’s Zero Day Initiative, now run by Hewlett-Packard, which used them to enhance their security research. He described how one American government agency offered him $10,000 for a Linux bug. He asked another for $80,000, which agreed “too quickly,” Mr. Miller wrote. “I had probably not asked for enough.” Because the bug did not work with a particular flavor of Linux, Mr. Miller eventually sold it for $50,000. But the take-away for him and his fellow hackers was clear: There was serious money to be made selling the flaws. At their conventions, hackers started flashing signs that read, “No more free bugs.” Hackers like Mr. Auriemma, who once gave away their bugs to software vendors and antivirus makers, now sound like union organizers declaring their rights. “Providing professional work for free to a vendor is unethical,” Mr. Auriemma said. “Providing professional work almost for free to security companies that make their business with your research is even more unethical.” Experts say there is limited incentive to regulate a market in which government agencies are some of the biggest participants.
Disclosing vulnerabilities amounts to disarming the NSA --- zero-days are key
Kehl et al. 14 [Danielle Kehl is a Policy Analyst at New America’s Open Technology Institute (OTI).
Kevin Bankston is the Policy Director at OTI, Robyn Greene is a Policy Counsel at OTI, and Robert Morgus is a Research Associate at OTI, New America is a nonprofit, nonpartisan public policy institute that invests in new thinkers and new ideas to address the next generation of challenges facing the United States, Policy Paper, “Surveillance Costs: The NSA’s Impact on the Economy, Internet Freedom & Cybersecurity,” July 2014, https://www.newamerica.org/oti/surveillance-costs-the-nsas-impact-on-the-economy-internet-freedom-and-cybersecurity/] //khirn In April 2014, Bloomberg reported that the NSA had known for at least two years about the Heartbleed bug, a security vulnerability in the OpenSSL protocol that reportedly affected millions of websites worldwide, “and regularly used it to gather critical intelligence.”282 Although the allegations—which the Office of the Director of National Intelligence quickly denied—appear to be false,283 the story turned the spotlight on one of the least reported NSA practices: that the agency routinely stockpiles knowledge about security holes that it discovers so that it can later exploit the vulnerabilities to collect information or infect target devices with malware, rather than disclosing the vulnerabilities to companies so that they can be patched.284 The practice was referred to indirectly or in passing in a number of the stories about the NSA programs, particularly in the December 2013 Der Spiegel series describing the behavior of the NSA’s Tailored Access Operations Unit.285 But the emphasis at that time was on the malicious activity the NSA was able to carry out as a result of those vulnerabilities, and not on the security risk created by the stockpiling itself, which leaves companies and ordinary users open to attack not just from the NSA but from anyone who discovers or learns about the flaws.
In recent years, a substantial market for information about security vulnerabilities has sprung up, with governments joining companies and security researchers in hunting for and trading information about how to exploit holes in mass-market software and services.286 According to the leaks, the NSA and related branches of the U.S. intelligence apparatus spend millions of dollars looking for software flaws and other vulnerabilities, targeting everything from the commercial software sold by American companies to widely used open-source protocols like OpenSSL.287 The NSA employs more than a thousand researchers and experts using a variety of sophisticated techniques to look for bugs.288 ‘Zero-day’ exploits, a term that refers to vulnerabilities that have been discovered but have not yet been disclosed to the public or the vendor,289 are particularly coveted because it is much harder to protect systems from an attack against an unknown weakness. “Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to ‘unilateral disarmament,’” wrote cybersecurity expert David E. Sanger.290 According to Sanger, one senior White House official told him, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”291 In theory, the NSA’s dual mission of carrying out signals intelligence (SIGINT) and protecting communications security (COMSEC) for military and diplomatic communications should be mutually beneficial when it comes to vulnerabilities and exploits, because SIGINT could inform COMSEC about potential weaknesses and vice versa. However, as Steven Bellovin, Matt Blaze, Sandy Clark, and Susan Landau write, “reality is in fact very different.
COMSEC’s awareness of the need to secure certain communications channels has often been thwarted by SIGINT’s desire that patching be delayed so that it can continue to exploit traffic using the vulnerability in question.”292 When the NSA discovers vulnerabilities in communications technologies and other products, it has a strong disincentive to promptly disclose those vulnerabilities to the companies since the companies will patch them, forcing the NSA to look for new ways to access the information it seeks. Thus—as in the case of encryption standards—the NSA’s signals intelligence mission has interfered with the NSA’s information assurance mission, and the agency has built a massive catalogue of software and hardware vulnerabilities that it has stockpiled for its own purposes rather than disclosing them to vendors so that they can be fixed.293 The Director of National Intelligence recently revealed the existence of an interagency process—referred to as the “Vulnerabilities Equities Process”—designed to facilitate the responsible disclosure of vulnerabilities,294 but the extent to which the NSA provides information through the process is unclear.295 NSA Director and Commander of U.S. Cyber Command Vice Admiral Michael S. Rogers explained to the Senate Armed Services Committee during his confirmation that “within NSA, there is a…process for handling ‘0-day’ vulnerabilities discovered in any commercial product or system (not just software) utilized by the U.S.
and its allies… [where] all vulnerabilities discovered by NSA… are documented, subject to full analysis, and acted upon promptly.”296
The status quo provides incentives for writing software with vulnerabilities --- the signal of the plan is crucial to long-term cybersecurity
Schneier 12 [Bruce, security expert with 13 books, fellow at the Berkman Center for Internet & Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute and the CTO of Resilient Systems, “The Vulnerabilities Market and the Future of Security,” Forbes, 5/30/2012, http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security/] //khirn
Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It’s not just software companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it’s not only criminal organizations, who pay for vulnerabilities they can exploit. Now there are governments, and companies who sell to governments, who buy vulnerabilities with the intent of keeping them secret so they can exploit them. This market is larger than most people realize, and it’s becoming even larger. Forbes recently published a price list for zero-day exploits, along with the story of a hacker who received $250K from “a U.S. government contractor” (At first I didn’t believe the story or the price list, but I have been convinced that they both are true.) Forbes published a profile of a company called Vupen, whose business is selling zero-day exploits. Other companies doing this range from startups like Netragard and Endgame to large defense contractors like Northrop Grumman, General Dynamics, and Raytheon.
This is very different than in 2007, when researcher Charlie Miller wrote about his attempts to sell zero-day exploits; and a 2010 survey implied that there wasn’t much money in selling zero days. The market has matured substantially in the past few years. This new market perturbs the economics of finding security vulnerabilities. And it does so to the detriment of us all. I’ve long argued that the process of finding vulnerabilities in software systems increases overall security. This is because the economics of vulnerability hunting favored disclosure. As long as the principal gain from finding a vulnerability was notoriety, publicly disclosing vulnerabilities was the only obvious path. In fact, it took years for our industry to move from a norm of full-disclosure — announcing the vulnerability publicly and damn the consequences — to something called “responsible disclosure”: giving the software vendor a head start in fixing the vulnerability. Changing economics is what made the change stick: instead of just hacker notoriety, a successful vulnerability finder could land some lucrative consulting gigs, and being a responsible security researcher helped. But regardless of the motivations, a disclosed vulnerability is one that — at least in most cases — is patched. And a patched vulnerability makes us all more secure. This is why the new market for vulnerabilities is so dangerous; it results in vulnerabilities remaining secret and unpatched. That it’s even more lucrative than the public vulnerabilities market means that more hackers will choose this path. And unlike the previous reward of notoriety and consulting gigs, it gives software programmers within a company the incentive to deliberately create vulnerabilities in the products they’re working on — and then secretly sell them to some government agency. No commercial vendors perform the level of code review that would be necessary to detect, and prove mal-intent for, this kind of sabotage.
Even more importantly, the new market for security vulnerabilities results in a variety of government agencies around the world that have a strong interest in those vulnerabilities remaining unpatched. These range from law-enforcement agencies (like the FBI and the German police who are trying to build targeted Internet surveillance tools), to intelligence agencies like the NSA who are trying to build mass Internet surveillance tools, to military organizations who are trying to build cyber-weapons. All of these agencies have long had to wrestle with the choice of whether to use newly discovered vulnerabilities to protect or to attack. Inside the NSA, this was traditionally known as the “equities issue,” and the debate was between the COMSEC (communications security) side of the NSA and the SIGINT (signals intelligence) side. If they found a flaw in a popular cryptographic algorithm, they could either use that knowledge to fix the algorithm and make everyone’s communications more secure, or they could exploit the flaw to eavesdrop on others — while at the same time allowing even the people they wanted to protect to remain vulnerable. This debate raged through the decades inside the NSA. From what I’ve heard, by 2000, the COMSEC side had largely won, but things flipped completely around after 9/11. The whole point of disclosing security vulnerabilities is to put pressure on vendors to release more secure software. It’s not just that they patch the vulnerabilities that are made public — the fear of bad press makes them implement more secure software development processes. It’s another economic process; the cost of designing software securely in the first place is less than the cost of the bad press after a vulnerability is announced plus the cost of writing and deploying the patch. I’d be the first to admit that this isn’t perfect — there’s a lot of very poorly written software still out there — but it’s the best incentive we have.
We’ve always expected the NSA, and those like them, to keep the vulnerabilities they discover secret. We have been counting on the public community to find and publicize vulnerabilities, forcing vendors to fix them. With the rise of these new pressures to keep zero-day exploits secret, and to sell them for exploitation, there will be even less incentive on software vendors to ensure the security of their products. As the incentive for hackers to keep their vulnerabilities secret grows, the incentive for vendors to build secure software shrinks. As a recent EFF essay put it, this is “security for the 1%.” And it makes the rest of us less safe.