advantage counterplans
1nc oversight cp
The United States federal government should:
-support and increase encryption efforts in US companies;
-move the NSA Information Assurance Directorate to the Department of Homeland Security;
-establish executive and public oversight over the disclosure of zero-day exploits and vulnerabilities.
Counterplan solves the case and avoids the deterrence DA
Nojeim 13 (Greg Nojeim, former Associate Director and Chief Legislative Counsel of the ACLU’s Washington Legislative Office. Greg graduated from the University of Rochester in 1981 with a B.A. in Political Science. He received his J.D. from the University of Virginia in 1985 and sat on the Editorial Board of the Virginia Journal of International Law. He is now the senior counsel and director of the freedom, security, and technology project. “Sweeping Review Group Recommendations Will Fuel NSA Reform Effort”, https://cdt.org/blog/sweeping-review-group-recommendations-will-fuel-nsa-reform-effort, December 18, 2013 )//CLi
The Review Group’s report rightly recognizes the importance of strong encryption to the proper functioning of the Internet. It indicates that it found no systematic effort by the NSA to undermine the security of communications by coercing companies to build in backdoors to the Internet-based services they offer or by inserting backdoors surreptitiously. Documents released by Edward Snowden and interviews with industry officials reportedly showed the opposite, including that the NSA “began collaborating with technology companies in the United States and abroad to build entry points into their products,” as the New York Timesreported on September 5. My colleague, Joseph Lorenzo Hall, blogged about concerns from the cryptographic community that the NSA may have attempted to undermine the NIST cryptographic standard, SHA-3. These concerns came on the heels of allegations that the NSA deliberately inserted a backdoor into a particular random number generator. The Review Group did not address these reports. It did, however, make three important statements and recommendations about cybersecurity and encryption: Support Strong Encryption and Secure Software. The Review group said in no uncertain terms in Recommendation 29 that the U.S. should “fully support and not undermine efforts to create encryption standards; not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and, increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.” These are exceedingly strong statements that recognize that global online commerce, infrastructure, and increasingly social activity are mediated by products that must be secure so people can trust them when they are used. Much of the uncertainty in recent months about the surveillance disclosures has centered around how secure or insecure are the products and services we use every day at work and at home. The Review Group’s ringing support for secure communications, software, and interoperable standards go some way towards reducing this uncertainty. Its recommendation that the government not subvert the security of commercial software is particularly welcome. Move NSA’s Cybersecurity Activities To a Different DOD Element. NSA has two conflicting missions: breaking into the computers and networks of foreign adversaries and securing the computer networks of elements of the U.S. intelligence community and certain government contractors. The NSA’s Information Assurance Directorate does the cybersecurity work and the Review Group recommended (Recommendation 25) this function be removed from NSA to the Department of Defense (DOD). Cisco, for example, recently reported that its overseas business was being hurt by a perception that NSA was requiring it and other companies to build in backdoors so the NSA could listen in. Removing the Information Assurance Directorate from the NSA could enhance trust in its mission and in the products the Directorate helps make more secure. However, the Directorate would stay within the Department of Defense, which could diminish the desired effect of this move. Putting the cybersecurity function where it belongs, at the Department of Homeland Security or at the Department of Commerce would have been a more effective reform and refute inferences that the separation of these functions was not sufficient. Disclose Zero Day Vulnerabilities. Like other intelligence agencies, and like commercial and other hackers, the NSA uses software vulnerabilities to gain access to computers and steal information from adversaries. The most useful vulnerabilities are the “zero day” vulnerabilities – those that have never been exploited before, and which the software maker therefore has not yet developed and distributed to users a patch for the vulnerability. When the NSA discovers a zero day vulnerability, it has a decision to make: does it sit on it and use the vulnerability to gain access to an adversary’s computer, or does it reveal the vulnerability to the software maker so it can be patched? Or, to put it another way, does NSA’s intelligence collection mission trump its cybersecurity mission when it comes to zero days? The Review Group’s recommendation is that cybersecurity should almost always win out and that such vulnerabilities should be immediately disclosed to the software manufacturer, except in very narrow cases with very tight oversight from the White House. The presumption is that NSA will inform the software so a patch can be fashioned, but that in rare instances, the intelligence community could briefly exploit a zero day for a high priority target before informing the software manufacturer.
2nc oversight solves Public oversight is crucial to solve
Bellovin et al. 14 [Steven M., professor of computer science at Columbia University, Matt Blaze, associate professor of computer science at the University of Pennsylvania, Sandy Clark, Ph.D. student in computer science at the University of Pennsylvania, Susan Landau, 2012 Guggenheim Fellow; she is now at Google, Inc., April, 2014, “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” Northwestern Journal of Technology and Intellectual Property, 12 Nw. J. Tech. & Intell. Prop. 1] //khirn
C. Providing Oversight P187 There is potential danger that an operationalized exploit may proliferate past its intended target. Stuxnet n267 provides an interesting case in point. Although aimed at Iran, the malware spread to computers in other countries, including India and Indonesia. n268 It is unclear from the public record how this happened. It may have been due to a flaw in the code, as Sanger contends; n269 alternatively, it may have been foreseeable but unavoidable collateral damage from the means chosen to launch the attack against Iran. Either possibility, though, represents a process that may be acceptable for a military or intelligence operation but is unacceptable for law enforcement. Only the legally authorized target should be put at risk from the malware used. P188 Given the public policy issues raised by the use of vulnerabilities, it would be appropriate to have public accountability on the use of this technique. For example, annual reports on vulnerability use similar to the AO's Wiretap Reports, presenting such data as: How many vulnerabilities were used by law enforcement in a given year? Were they used by federal or state and local? Was the vulnerability subsequently patched by the vendor, and how quickly after being reported? Was the vulnerability used by anyone outside of law enforcement? Was the vulnerability exploited outside law enforcement during the period that law enforcement was aware of the problem but had not yet told the vendor? Did the operationalized vulnerability spread past its intended target? What damages occurred from its exploitation? Making such information open to public analysis should aid in decisions about the right balance between efficacy and public safety. n270
Cp solves the entirety of case—oversight and transparency key to trust
Fidler 14 (Mailyn Fidler, graduate student at the Center for International Security and Cooperation Freeman Spogli Institute for International Studies, Stanford University. “ANARCHY OR REGULATION: CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES”, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi
3.4.3 Analysis of the Potential Application of Oversight Mechanisms to U.S. Government Zero Day Vulnerability Purchase and Use Existing zero-day oversight stems from the executive branch. No evidence publicly exists that legislative or judicial mechanisms have yet dealt with zero-day vulnerabilities. The Obama administration has set standards to encourage greater disclosure of vulnerabilities to companies, and could continue to augment that policy. An executive order or presidential policy directive could establish common definitions and policies across agencies. 423 Executive branch oversight has a significant amount of flexibility in placing effective procedural limits on zero-day vulnerability use. In terms of expanding existing executive oversight for zero-day vulnerabilities, an executive order could, for instance, require the approval of the president or an executive branch department head on certain kinds of purchase, use, or disclosure of vulnerabilities. It could also facilitate cooperation between agencies to facilitate greater price transparency between competing government purchasers, an idea I will address further in the next section. Scott Charney of Microsoft suggests additional possibilities: “you can do things like an Inspector General’s report, an outside review, and independent audit by cleared people.”424 Charney emphasizes that what you really want is “rigor over the equities process...for there to be a real bias toward defense,” but that the real challenge is “how do you convince outside people that the process has rigor?”425 In sum, executive oversight is a relatively available path to increased oversight and is more easily adapted to changing circumstances than legislative and judicial oversight. Executive oversight may lack public transparency, but a congressional or judicial approach would also be 423 It is possible that classified executive mechanisms such as executive orders or presidential policy directives already exist pertaining to the zero-day field. 424 Charney. 425 Charney. 109 considerably shrouded from public view in light of the involvement of intelligence and military equities. The judicial review mechanisms addressed here, primarily FISA/FISC, deal with the authorization of foreign intelligence activities. As such, they are tool-neutral: foreign intelligence surveillance enabled by a zero-day vulnerability or via wiretapping would likely be treated the same by this statute and court. Given this aspect, there is not an obvious role for judicial oversight of use or purchase of zero-day vulnerabilities. Establishing FISC oversight over purchase, use, or disclosure of zero-days is not in keeping with the judiciary’s role in this context and would likely be opposed by the intelligence community as heavy-handed and unnecessary. The intelligence community would likely, and perhaps rightly, question whether an operation carried out using a purchased zero-day vulnerability deserves greater judicial scrutiny than other operations. Congressional action could also implement controls on when and how zero-days can be bought and used. Congressional action could be used to impose the limits discussed in the executive oversight section: limits on purchase, use, and disclosure of zero-day vulnerabilities. It could also require reporting to relevant Congressional committees when a zero-day is not disclosed. Congressional oversight provides an avenue for longer-lasting oversight regimes, in contrast with more easily alterable executive orders, and also could be accompanied by additional funding for oversight or the threat of cutting off appropriations if the executive branch fails to follow oversight rules. However, congressional oversight is likely politically difficult to achieve. Snowden has made most cyber topics politically fraught, and Congress is currently generally perceived as dysfunctional. Beyond these political considerations, congressional oversight has traditionally 110 been reserved for oversight programs with a broader purview, such as establishing principles that apply to all foreign intelligence activities or covert operations, not principles that apply just a specific tool. 3.4.4 Select Possibilities for Expanded Executive Branch Oversight of Zero-Day Vulnerabilities Taking into account the three major forms for oversight and the NSA Review Panel’s recommendations, this section presents several specific examples of the broader categories of oversight examined above. These models have been developed through conversations and interviews with experts. They are not intended to serve as policy recommendations, but rather, they demonstrate the range and flexibility the mechanisms could possess and specifically target the holes in the current policy that this research has demonstrated. Particularly, these sketches attempt to synthesize an oversight approach that could address both use and purchase of zero-day vulnerabilities, whereas current oversight seems to focus exclusively on appropriate disclosure. This section previously analyzed oversight of executive branch actions through executive branch oversight, judicial review, and legislative action. Based on the emerging culture of executive oversight of zero-days and its advantages of relatively easy implementation and alteration, oversight established by the executive branch appears to have the most promise as a zero-day oversight mechanism. The first potential way to expand executive oversight would be to encourage increased transparency of government practices. Transparency is a typical first-stage oversight approach and could take a variety of forms. Currently, U.S. government agencies seem to make zero-day purchases separately, without coordination, potentially bidding prices up.426 To address this issue, one possible transparency mechanism might be to have government agencies that purchase 111 zero-days participate in a registry available to other agencies, where prices for purchases are listed.427 Economists have demonstrated that price transparency generally leads to lower and more uniform prices, although effects vary depending on the product.428,429,430 To address bidding wars that drive prices extremely high or low, Jonathan Mayer suggested mitigating competition by also instituting “a priority list, so if DEA [Drug Enforcement Agency] and NSA bid on a vulnerability, NSA could get it.”431 This shared-list mechanism would be a form of buyer coordination, which has been demonstrated as one way of achieving lower prices.432,433 Intelligence agencies have so far resisted public disclosure of prices paid for zero-day vulnerabilities, redacting this information from documents released through the Freedom of Information Act, but buyer coordination could represent a middle path, hopefully resulting in lower prices for purchasing agencies while not requiring public sharing of price lists.434 Transparency mechanisms can be criticized for weakness. Mayer suggests several mechanisms that could help ensure transparency mechanisms are more than gestures. As one example, he could envision a policy that states “after three years, zero-days will be banned, but at two years a report is due, which leaves a year to decide whether to keep the ban or not” on the I credit Chris Soghoian for the original inspiration for this idea. 428 Austin, D. Andrew, and Gravelle, Jane G. “Does Price Transparency Improve Market Efficiency? Implications of Empirical Evidence in Other Markets for the Health Sector.” Congressional Research Service. 29 April 2008, 2. 429 Bloomfield, Robert, and O’Hara, Maureen. “Market Transparency: Who Wins and Who Loses?” Review of Financial Studies 12.1 (1999): 5-35. 430 In financial and online markets, especially price comparison sites for insurance and airline tickets, transparency has been demonstrated to generally decrease prices (see Austin & Gravelle, 2). In some market structures, particularly those involving intermediate goods or middlemen, price transparency can make strategic bargaining and collusion easier for the sellers, raising prices (See Austin & Gravelle, 7). 431 Mayer. 432 Phillips, Owen R., Menkhaus, Dale J., and Coatney, Kalyn T. “Collusive Practices in Repeated English Auctions: Experimental Evidence on Bidding Rings.” The American Economic Review 93.3 (2003): 965-979, 965. 433 United States Department of Agriculture. “Assessment of the Cattle and Hog Industries Calendar Year 2000.” Grain Inspection, Packers, and Stockyards Administration. June 2001, 30. 434 NSA-Vupen Contract. 112 basis of how well the players are responding to the transparency mechanisms.435 However, Mayer concedes, “politically speaking, you’re probably not going to be able to get the sword of Damocles to hang over industry right now,” and transparency mechanisms would likely have only baby teeth, if that.436 Transparency mechanisms for the seller-side of the trade are also worth exploring. I will only briefly address these here, because industry oversight would require Congressional action, and this section primarily focuses on potential paths to executive oversight. Possible public private transparency measures might include requiring a vendor to report to the government if a vulnerability they sold or discovered is used in an illegal attack.437 Alternatively, a vendor could be required to inform the government if a vulnerability they sold or discovered is subsequently found by a second party.438 Other potential public-private transparency building mechanisms are conceivable; these represent a few possibilities. This topic would be fruitful to explore in further research. Beyond transparency, executive oversight could be used to strengthen the equities process for disclosure of vulnerabilities, extending what was recently announced. Particularly, instituting a post-use or post-stockpiling review process could ensure frequent reevaluation of vulnerabilities that were exempted from disclosure during first-round review. This review process could make sure that the original national security need exempting the vulnerability from disclosure continues to validate keeping the vulnerability undisclosed.
Cp solves net better—aff’s all or nothing approach leaves us vulnerable to terrorists
Erwin 15 (Marshall was the intelligence specialist at the Congressional Research Service, focusing upon National Security Agency surveillance leaks and legislative changes to the FISA statute, non-residential fellow at Stanford University. “An Intelligence Committee Agenda Part III: Zero-day Vulnerability Disclosure” http://www.overtaction.org/2015/01/an-intelligence-committee-agenda-part-iii-zero-day-vulnerability-disclosure/, January 2015)
If those committees want to make a singular, genuine impact on this emerging threat, they should focus on oversight of the Administration’s zero-day vulnerability disclosure process. Zero-day vulnerabilities are flaws in software and hardware that aren’t known to the companies or developers that make the technology. Those vulnerabilities can provide a useful tool to intelligence services, as well as to criminal groups and other nefarious actors. The Stuxnet computer worm that attacked Iranian centrifuges in 2010 utilized several zero-day vulnerabilities. It has often been suggested that the National Security Agency (NSA) has a huge ‘stockpile’ of such vulnerabilities that it uses to conduct surveillance operations. As valuable as these vulnerabilities might be to intelligence services, they can also become a threat to millions of computer and Internet users in the United States and around the globe if they are present in widely used software and hardware. This is why many have suggested that organizations like NSA should disclose the vulnerabilities they discover and allow the broader public to reap the security benefits of disclosures. In April, in response to apparently unfounded concerns that NSA had known about theHeartbleed vulnerability, the White House Cybersecurity Policy Coordinator Michael Daniel commented publicly about the Administration’s zero-day disclosure process. Here is how he characterized the issues: [T]here are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks. Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area. Daniel went on to describe a “re-invigorated” interagency process put in place in 2014 dedicated to weighing the pros and cons and determining whether a zero-day known to the U.S. government should be disclosed. He also listed nine questions that need to be answered whenever an agency proposes withholding knowledge of a vulnerability. This new processapparently improved upon a process originally established in 2010 and run by NSA. Zero-day vulnerability disclosure decisions require a careful balancing that will be difficult to achieve under the best of circumstances. This is made all the more difficult by the fact that, regardless of whatever process is put in place, incentives will still favor non-disclosure. The benefits of disclosure are broad and global while any cost will be felt acutely by intelligence services that will lose capabilities. The current process in essence depends on the benign hegemony of the executive branch in cyberspace.
1nc regulations cp
The United States federal government should:
-
require firms that transact in software security vulnerabilities permit the federal government to participate in any offerings or service they provide the sale of zero-day exploits and vulnerabilities that are unreported to the National Security Agency;
-
require confidential reporting for transactions zero-day exploits and vulnerabilities; and
-
establish a reward system for researchers who share zero-day vulnerabilities and exploits with the government.
Counterplan solves zero-day use and boosts cyberdefense --- prevents every 1ac impact
Bambauer 14 [Derek E., Professor of Law, James E. Rogers College of Law, University of Arizona, “Ghost in the Network,” April, 2014, University of Pennsylvania Law Review, 162 U. Pa. L. Rev. 1011, lexis] //khirn
B. Partial Defenses While a complete defense to zero-day attacks is impossible, policymakers can improve cybersecurity with three regulatory moves: (1) mandatory access to public zero-day markets for the federal government, (2) required confidential reporting on transactions by firms in those markets, and (3) a reward system for researchers who share vulnerabilities with the government. [*1085] Congress should pass legislation to implement these measures, and the United States should move to convert unknown unknowns to known unknowns. First, firms that transact in software security vulnerabilities should be required to permit the federal government to participate in any offerings or services they provide, on nondiscriminatory terms. If Vupen, for example, sought to sell zero-day exploits to France's security services, but not to the United States' NSA, that would be problematic. Software security firms should be legally bound to provide paid access to the U.S. government as a necessary condition of continued operation. This would enable the government to develop and deploy countermeasures to at least some zero-day attacks. Congress has taken analogous measures for other potential risks to national security. For example, one cannot obtain a patent for inventions in nuclear materials or weapons, n492 but such inventions are eligible for a governmental reward scheme. n493 And, the statute transfers rights to the invention from the inventor to the federal government. n494 Similarly, export controls restrict private firms' ability to engage in transactions with foreign countries. One may not transfer software utilizing encryption to countries such as Iran or North Korea, n495 and one may not sell certain supercomputers to countries such as China or Russia. n496 These rules apply to all firms within U.S. jurisdiction. Thus, Congress has either mandated or forbidden certain transactions based on national security concerns and could mount a similar effort for zero-day sales. Not all zero-day merchants fall under U.S. jurisdiction or enforcement. Even those operating abroad, however, likely have contacts with the United States. Vupen's employees, for example, visit the United States. n497 Many, if not all, such firms use financial or payment processing companies that are [*1086] subject to U.S. regulation. Some software companies, such as Microsoft, are eager to access U.S. government data on vulnerabilities and threats and have demonstrated a willingness to provide the NSA with exploit information before making it public. n498 These links provide potential leverage. Congress could attach provisions to this legislation that would allow the executive branch to designate firms that do not provide access to the government and to require banks and payment processors to forgo transactions with them. n499 Analogous measures have been implemented to interdict financing for terrorist groups n500 and have been proposed to deal with websites illegally offering prescription drugs or copyrighted works. n501
2nc regulations cp Mandated transaction reporting allows effective countermeasures
Bambauer 14 [Derek E., Professor of Law, James E. Rogers College of Law, University of Arizona, “Ghost in the Network,” April, 2014, University of Pennsylvania Law Review, 162 U. Pa. L. Rev. 1011, lexis] //khirn
Second, Congress should mandate a transaction-reporting system for firms trading in vulnerabilities. These companies should have to report, on a confidential basis, the purchaser's identity in all transactions of zero-day exploits to the NSA. This data would remain confidential and should be designated as statutorily immune from discovery or other use unless the NSA expressly chooses to share it. n502 The statute should enable auditing of firms' records by the NSA if the Agency is able to demonstrate an objectively reasonable basis to suspect inaccuracies or falsification. To make this provision less objectionable for the vulnerability merchants, Congress should include payments to the reporting firms. While additional spending [*1087] is politically difficult, this expenditure would be a small but worthwhile investment in security. Similar reporting systems are widely used to mitigate risk. NASA, for example, encourages confidential reporting of "near-miss incidents" - those that nearly resulted in aviation mishaps - to improve safety procedures and detect product defects. n503 Similarly, insurers offering policies for medical malpractice liability must report judgments and settlements to the National Health Practitioner Data Bank. n504 This malpractice information is available for use by state medical licensing boards and federal agencies, but is otherwise confidential. n505 In addition, the Federal Railroad Administration is testing a Confidential Close Call Reporting System to identify risks in rail operations via confidential reporting of near-miss incidents. n506 The Department of Veterans Affairs has a similar reporting system for patient safety. n507 And finally, the Federal Communications Commission has one for network outages. n508 Thus, the federal government already has well-established confidential reporting systems to help manage risk. A zero-day reporting system has several benefits. It would enable the government to detect problematic sales, particularly to unfriendly states and insecure parties. It would increase the effectiveness of countermeasures that mitigate zero-day exploits by providing a rough guide to how widely distributed a particular attack tool is. It would allow the government to identify whether firms follow their stated criteria for sales (such as Vupen's self-imposed limit to NATO countries and clients) and to scrutinize suspect firms more closely. Lastly, it would provide a crude estimate of the ebb and flow of zero-day threats and of the platforms and applications viewed by the merchant as worthy of attention (and payment).
Bug bounty programs solve cyberdefense while boosting effective offensive capacity
Bambauer 14 [Derek E., Professor of Law, James E. Rogers College of Law, University of Arizona, “Ghost in the Network,” April, 2014, University of Pennsylvania Law Review, 162 U. Pa. L. Rev. 1011, lexis] //khirn
Finally, Congress should authorize a "bug bounty" program. n509 Its goal would be to collect zero-day exploits and encourage researchers to sell their [*1088] findings to the U.S. government rather than to private firms or other nation-states. A government agency, such as the NSA or the U.S. Computer Emergency Readiness Team (CERT), should be provided funds to buy zero-day vulnerability information. n510 The entity selling the exploit, such as a security research firm, would have to certify under penalty of perjury that it had not previously shared the vulnerability information with others and would have to agree contractually not to do so in the future. n511 Congress should consider backing these requirements with substantial criminal penalties as it has done in other contexts. n512 Arms dealers who sell to both sides are held in low esteem. Similar private bounty programs implemented by Google and Mozilla have had considerable success in identifying and remediating bugs. n513 The funding and amount paid per bug should be generous: removing zero-days from the Internet ecosystem is highly beneficial. Moreover, generous payments will have further positive effects. First, these payments will spur researchers to search for additional bugs. These bugs are like latent defects in a product - they lurk, creating risk, until they are discovered. Second, paying above-market rates makes it more difficult for others to purchase zero-days. Pushing others out of the zero-day market is useful both offensively and defensively. Offensively, accumulating zero-days provides the United States with the building blocks for future Stuxnets. Defensively, it reduces the likelihood that U.S. firms or government entities will fall victim to attack.
Developing zero-day regulatory frameworks allows for the creation of multilateral frameworks
Castelli 14 (Christopher J. Castelli, Senior Correspondent at Inside Cybersecurity, “Report urges policymakers to curb booming cyber-arms sales”, http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/report-urges-policymakers-to-curb-booming-cyber-arms-sales/menu-id-1075.html, January 13, 2014)//CLi
Reining in booming sales of cyber weapons that could threaten critical infrastructure will require policymakers to shield software developers from liability, create export controls and enable prosecutions of digital-arms dealers, a former defense official argues in a new essay. There is a significant risk that hackers could discover and exploit previously unknown weaknesses -- so-called "zero day" vulnerabilities -- in the applications layer of the industrial control systems that underpin the U.S. electric grid and other critical infrastructure sectors, former Pentagon homeland-defense chief Paul Stockton and a co-author write in an essay for the Yale Law and Policy Review. Such exploits could be used to gather sensitive commercial or intelligence information, incapacitate computer systems, or inflict widespread physical damage -- by targeting the air traffic control system to cause collisions, for example, the essay states. A three-step approach is needed to mitigate the risk, according to Stockton and his co-author, Yale Law School student Michele Golabek-Goldman. First, Congress must address the threat's root cause by incentivizing developers of critical software to enhance their products' security, state the authors, who call for amending the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 to extend liability coverage to these developers. Second, U.S. officials and international partners must develop criteria for "illegitimate" sales of zero-day exploits and establish uniform export controls through the Wassenaar Arrangement, the essay states. It credits the Senate Armed Services Committee for raising the visibility of this proliferating threat and for seeking measures to address it. House and Senate authorizers, in their fiscal year 2014 defense authorization bill, included a provision directing the White House to work with industry to develop a policy that would control the proliferation of cyber weapons through various means. How such controls should be structured is unclear, but only a multilateral approach can succeed, the essay argues. The authors say the United States should implement the Wassenaar Arrangement's recommended exploit controls through its Commerce Control List. A significant limitation is that China is not a member of the arrangement, but on the other hand China has made progress in adhering to international norms, the essay states. Finally, the authors contend, Congress should strengthen the capacity to prosecute individuals who sell zero-day exploits targeting critical infrastructure to U.S. adversaries. They urge Congress to amend the Computer Fraud and Abuse Act, the United States' most significant federal computer-crime statute. The amended law should require sellers of zero-day exploits to show that they "reasonably investigated" buyers' backgrounds and had "reasonable grounds to believe" that buyers would not attack industrial control systems -- and it should enable prosecutions of U.S. and foreign vendors who sell zero-day exploits to U.S. persons who deploy them to attack critical infrastructure, the authors write. In some cases, they argue, the United States should be able to extradite researchers abroad who have violated the law.
1nc wassenaar regulations cp The United States federal government should require vendors of zero-day exploits and vulnerabilities to obtain licenses from the Department of Commerce. The United States federal government should propose the creation of new rules controlling exports of zero day vulnerabilities to other members of the Wassenaar Agreement. Control of øDay sales would deter researchers from exploitation
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, ] /eugchen
This multilateral effort would help foster international norms among many nations on illegitimate Øday purchases and build international consensus on states’ responsibility to halt dangerous sales from within their borders. Most importantly, multilateral export controls would increase the costs associated with selling dangerous Ødays to those seeking to deploy them for malicious purposes. Many of the leading gray market firms that sell Ødays are located in Wassenaar member nations, including the United States, Malta, and France.193 These firms would now have to apply for licenses to sell dangerous Ødays, move their operations elsewhere, or risk significant criminal penalties for contravening export controls and operating on the black market. For example, intentional violation of the Export Administration Regulations (“EAR”) would result in criminal penalties of up to $1 million and prison sentences of up to 20 years. 194 Such high penalties—especially if accompanied by stronger enforcement 195—would likely deter many researchers from engaging in illicit transactions. Therefore, as part of a broader effort to stem dangerous Øday sales, creating uniform export controls through the Wassenaar Arrangement would constitute a critical step forward in safeguarding nations from malicious cyber activities.
Collaboration with the international community through the Wassenaar Arrangement key to controlling zero day sales
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
The United States should therefore consider collaborating with the international community to develop export control criteria through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”). 148 The Wassenaar Arrangement, which was established in 1996, is a superior alternative to the other three existing multilateral export regimes—the Nuclear Suppliers Group, the Missile Technology Control Regime, and the Australia Group—for implementing export controls of Øday sales. Since the Nuclear Suppliers Group’s overarching objective is to “prevent nuclear exports for commercial and peaceful purposes from being used to make nuclear weapons,” incorporating controls of Ødays into this arrangement would fall outside the purview of the regime. 149 Likewise, the Missile Technology Control Regime seeks to curb “proliferation of missiles and missile technology,” which is irrelevant for addressing Øday sales. 150 The Australia Group, whose mission is to “ensure that exports do not contribute to the development of chemical or biological weapons,”151 is also ill-suited for curbing indiscriminate sales of Ødays. Unlike these other multilateral export regimes, the Wassenaar Arrangement has a broad mission that could aptly encompass Øday sales: to “contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.”152 The arrangement, which currently includes 41 member nations, strives to achieve this objective by establishing uniform “control lists” of dual-use technologies, sharing information on dual-use transfers, and consulting with members on national export policies and denials of export license applications.153 Wassenaar members could incorporate Øday sales into the Arrangement’s dual-use lists, which already cover certain types of code and software, including encryption software. 154 Furthermore, the Wassenaar Arrangement already provides for controls of “intangible technology,” which members have agreed are “critical to the credibility and effectiveness of [a Participating State’s] domestic export control regime.”155 The Arrangement defines “intangible technology” as “specific information necessary for the ‘development,’ ‘production’ or ‘use’ of a product,” including “technical data or technical assistance.”156 Selling technical knowledge on how to exploit vulnerabilities in computer software appropriately falls under this definition.157
2nc solvency
Collaboration with the international community through the Wassenaar Arrangement key to controlling zero day sales
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
The United States should therefore consider collaborating with the international community to develop export control criteria through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”). 148 The Wassenaar Arrangement, which was established in 1996, is a superior alternative to the other three existing multilateral export regimes—the Nuclear Suppliers Group, the Missile Technology Control Regime, and the Australia Group—for implementing export controls of Øday sales. Since the Nuclear Suppliers Group’s overarching objective is to “prevent nuclear exports for commercial and peaceful purposes from being used to make nuclear weapons,” incorporating controls of Ødays into this arrangement would fall outside the purview of the regime. 149 Likewise, the Missile Technology Control Regime seeks to curb “proliferation of missiles and missile technology,” which is irrelevant for addressing Øday sales. 150 The Australia Group, whose mission is to “ensure that exports do not contribute to the development of chemical or biological weapons,”151 is also ill-suited for curbing indiscriminate sales of Ødays. Unlike these other multilateral export regimes, the Wassenaar Arrangement has a broad mission that could aptly encompass Øday sales: to “contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.”152 The arrangement, which currently includes 41 member nations, strives to achieve this objective by establishing uniform “control lists” of dual-use technologies, sharing information on dual-use transfers, and consulting with members on national export policies and denials of export license applications.153 Wassenaar members could incorporate Øday sales into the Arrangement’s dual-use lists, which already cover certain types of code and software, including encryption software. 154 Furthermore, the Wassenaar Arrangement already provides for controls of “intangible technology,” which members have agreed are “critical to the credibility and effectiveness of [a Participating State’s] domestic export control regime.”155 The Arrangement defines “intangible technology” as “specific information necessary for the ‘development,’ ‘production’ or ‘use’ of a product,” including “technical data or technical assistance.”156 Selling technical knowledge on how to exploit vulnerabilities in computer software appropriately falls under this definition.157
CP effectively regulates øDay sales – deters researchers from engaging in illicit deals
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
Since the recent changes were instituted, there has been significant confusion among experts regarding the “intended scope of these clauses.” 164 Some gray market vulnerability research firms, including the French-based VUPEN, broadly interpreted the Wassenaar Arrangement’s new “intrusion software” controls to apply to Øday sales. 165 They therefore immediately took extra precautions by altering their sales policies to comply with the Arrangement’s end-user restrictions. 166 Nevertheless, in recent months, delegates to the Arrangement have clarified that the new inclusion of “intrusion software” is only meant to apply to software deployed to “disseminate and implement intrusion software,” rather than the “malware, rootkits, or exploits” themselves.167 While Øday sales have yet to be regulated under the Arrangement, these recent changes and growing acknowledgement among Wassenaar members that dual use cyber technologies can be deployed to endanger international security should pave the way for future incorporation of Øday sales into the Arrangement’s dual-use lists. Furthermore, it is very revealing that firms such as VUPEN that interpreted the Wassenaar Arrangement’s new controls to govern Øday sales—even if their interpretation was ultimately incorrect—rapidly altered their sales policies. This demonstrates that, unlike regulatory skeptics contend, increasing the risks and penalties associated with indiscriminately selling Ødays can deter researchers from entering into illicit transactions.
Empirics prove control of intangible data is feasible
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
Some might counter that it is impractical to control “intangible” data transfers like Ødays. However, the government has successfully limited exports of dangerous technical data for years under the Export Administration Regulations (“EAR”), the International Traffic in Arms Regulations (“ITAR”), and the Atomic Energy Act (“AEA”). 181 It is indisputable that it has the statutory authority to regulate information that can be deployed in the “development,” “production,” or “use” of prohibited defense materials.182 For example, pursuant to these statutes, the government prevents individuals and universities from training or sharing information with foreigners on how to develop a nuclear weapon, missiles, and other dangerous technologies.183 The “intangible” electronic or digital transmission of “blueprints, diagrams, manuals, instructions, [and] software” related to controlled items is also forbidden.184 BIS would be able to deploy the same procedures to control information transfers regarding exploiting vulnerabilities in our nation’s computer systems.
***Note BIS= Commerce Department’s Bureau of Industry and Security
at: cp doesn’t solve china
The Wassenaar Arrangement would spillover to China and other non-member nations
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
While this report advocates for designating the PLA and its agents as illegitimate Øday end-users under the Wassenaar Arrangement in order to safeguard U.S. security interests, it acknowledges the significant disadvantages of this approach and recommends that this issue be the subject of highlevel diplomacy, including meetings at the U.S.-China Strategic Security Dialogue’s Cyber Working Group. One strategy would be for diplomats to highlight both nations’ mutual vulnerability to indiscriminate Øday sales, especially in the realm of cybercrime. For example, although China’s own vulnerability to cyber threats is rarely covered in the press, China is also suffering major economic losses from cybercrime.191 In 2012 alone, cybercrimes such as online identity theft and cyber-enabled fraud cost China approximately $46.4 billion. 192 By stressing these mutual concerns, members of the Wassenaar Arrangement might persuade China to join this aspect of the Wassenaar Arrangement and at least adopt part of the regime’s export control list recommendations for Øday sales. The Wassenaar Arrangement should consider using similar engagement strategies with other non-member states including Pakistan, India, and Israel.
at: can’t catch all vulnerabilities
Catch-all provision would be a safety net to new øday vulnerabilities
Golabek-Goldman 14 [Michele, A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy," Available at SSRN 2438164, < http://ssrn.com/abstract=2438164>] /eugchen
In addition to enumerating specific categories of Ødays on the Wassenaar Arrangement’s and CCL’s controlled items lists, member nations could also curb dangerous sales through export “catch-all” provisions.176 In the context of weapons of mass destruction and missile material controls, “catch-all” provisions are defined as controls that “provide a legal and/or regulatory basis to require government permission to export unlisted items when there is reason to believe such items are intended for a WMD/Missile end-use or end-user.”177 Member nations would need to define “catch-all” provisions in the Øday context and specify under which conditions such a provision would govern. For example, the “catch-all” provision might be invoked when sellers have “reason to know” that their Ødays will be deployed for “malicious cyber activity,”178 which could be defined as including cyberattacks and cyber espionage.179 Due to the rapidly evolving nature of technologies and discoveries of new vulnerabilities, the international community may be unable to immediately incorporate newly discovered Ødays into their control lists. A “catch-all” provision for dangerous Øday sales would therefore provide a critical safety net in this context.180
Dostları ilə paylaş: |