โHOW DO YOU protect what you want to exploit?โ asks Scott Charney, an executive at Microsoft. He highlights a dilemma. Intelligence agencies look for programming mistakes in software so they can use them to spy on terrorists and other targets. But if they leave open these security holes, known in tech jargon as โvulnerabilitiesโ, they run the risk that hostile hackers will also find and exploit them.
Academics, security researchers and teams from software firms unearth hundreds of vulnerabilities each year. One recent discovery was the Heartbleed bug, a flaw in a widely used encryption system. Software-makers encourage anyone who finds a flaw to let them know immediately so they can issue โpatchesโ for their programs before hackers can take advantage of them. That is how most vulnerabilities are dealt with. Some firms even run โbug bountyโ schemes that reward people for pointing out flaws.
But there will always be โzero-daysโ, or brand new vulnerabilities that software makers do not know about and for which no patch yet exists. Hackers who can get their hands on the source code of a program can use various tools to try to find holes in it. Another technique is โfuzzingโ, which involves pushing random data into the inputs of a program. If it crashes or signals an anomaly, that indicates a bug is present which may offer a way in.
Zero-days are rare, and can often be used for some time before someone else spots them. Two researchers at Symantec, a cyber-security firm, studied 18 zero-days found by the firmโs software in 2008-10 and concluded that the flaws remained undetected for an average of ten months.
The use of such vulnerabilities by Western intelligence agencies has sparked a debate about the wisdom of stockpiling digital weapons that weaken the security of cyberspace. But zero-days may occasionally be needed to uncover information crucial to national security, so a few have to be kept to hand. In America, a report by a presidential panel to review cyber-security after Edward Snowdenโs revelations, published last December, urged the government not in any way to โsubvert, undermine, weaken or make vulnerableโ generally available commercial software, and to fix zero-day vulnerabilities quickly, with rare exceptions.
In April Michael Daniel, the White Houseโs adviser on cyber-security, announced that the NSAโs future policy on exploiting zero-days would have a โbiasโ towards disclosing them unless there was a clear need to retain them on national-security or law-enforcement grounds. But what might constitute such a need was left unsaid.