Las Vegas — The U.S. government should pay 10 times the going rate for zero-day software flaws in order to corner the market and then make those vulnerabilities public to render them less potent for attackers, Black hat 2014 attendees were told yesterday.
That would reduce the overall threats against Internet traffic in general and cost less than the damage that actual exploits cause, says Dan Geer, who is the chief information security officer at In-Q-Tel, the venture capital arm of the Central Intelligence Agency.
This was one of several proposals he floated during his keynote address at the best attended hacker conference. He said several times that the ideas were his own and did not express anyone else's opinions.
His idea for the government to buy up all the zero-day vulnerabilities could have a significant impact on overall security assuming that most software isn't riddled with security holes. If the occurrence of flaws is dense, however, the scheme wouldn't work because software vendors would wind up spending all their time patching their products.
But if it turns out software vulnerabilities are relatively sparse, the flaws could be readily patched. "I believe they are sparse enough so if we corner the market, we can make a difference," Geer says.
At one time finding vulnerabilities was a pastime with the reward being bragging rights. Now finding flaws is a full-time job that guarantees that finders don't share their discoveries, hence a rise in the rate of zero-day attacks. The vulnerabilities can be sold for huge sums, drawing in researchers who find them and sell them for profit.
Offering 10 times the going rate would eventually attract most people with vulnerabilities to sell, regardless of their personal feelings about selling to the U.S., he says.
Another of Geer's proposals would have Windows XP open-sourced as a way to protect customers from being abandoned by Microsoft.
While Microsoft is not the only company that would be affected, he cited Microsoft as being among those companies that end support for their software despite the fact that they are still widely used. Though he didn't mention it by name, one example is Windows XP, which is still the operating system for about a quarter of PCs used on the Internet.
He says that abandoning updates for products used by vast numbers of customers should mean creators of the products should turn that function over to the public. It's unfair for vendors to officially end support for certain platforms for everyone but at the same time continue support for those customers who can afford to pay significantly extra for it, he says.
He acknowledged that the solution isn't perfect given the uncertainty of how well the open source community would support the software. "It's the worst option," Geer said, "except for all the others."
Sign up for CIO Asia eNewsletters.