
Stolen NSA Cyber Weapons Used Against Americans & Others

Zero-day exploits are hoarded by various governments so they can be incorporated into cyber weapons in the future. Take Stuxnet, for example. For those who don't already know, Stuxnet was a computer worm engineered to set back Iran's nuclear ambitions by damaging the centrifuges at the Natanz uranium enrichment site. Analysis of the worm found that it exploited four previously unknown Windows vulnerabilities, an unprecedented number for a single piece of malware at the time, alongside older bugs that had already been patched. Each undisclosed vulnerability gave the worm an additional capability as it tore through systems: one for initial execution from removable media, the others for spreading across the network and escalating privileges, granting exactly the access and behaviors the attack needed to succeed.

In the early days of information security it was not uncommon for people like myself to have a small collection of zero-day exploits which we had discovered on our own or traded among our closest colleagues and associates. A collection of zero-days could easily secure a lucrative penetration testing contract or provide a silver bullet when one needed it most. Even in the early 90s zero-days had some intrinsic value; however, most security professionals practiced what is now called "responsible" or "coordinated" disclosure (often loosely labeled "full disclosure" at the time): notifying the affected software vendor about the bug and giving the developers some time to release a patch before publicly releasing sample exploit code or a proof of concept. Strictly speaking, full disclosure means publishing the details immediately, with no grace period, and it was the credible threat of doing so that gave the practice its teeth. In this pre-9/11 era, disclosure was one of the only ways to hold a vendor accountable for its security flaws.

Without public disclosure, software could go unpatched and remain affected by a security flaw for years or even permanently. In this day and age, however, software vendors regularly update code, release patches, and are held accountable for their security practices, and they generally write better code using established security best practices (such as the OWASP guidance). Disclosing zero-days was one of the ways a talented security engineer or analyst could establish a reputation as truly gifted. Today it is common practice for companies to offer bug bounties and pay a reward for the discovery and responsible disclosure of a vulnerability. Depending on the nature of the flaw and how widely deployed the vulnerable software is, a single bug could be worth up to $200,000.

When Equation Group and TAO were first revealed in the documents made public by Edward Snowden, I was of course very interested to see the list of tools, toys, and services offered by the groups to elements within the intelligence community. As analysis of Stuxnet was performed I became acutely aware of the complexity (depth and breadth) of this new "nation state" level malware and very quickly suspected the U.S. and/or Israel as the likely creators.

The problem with hoarding zero-day exploits is that the entire notion of cyber weapons is predicated on one country collecting a vast repository of exploits which can then be paired and incorporated into custom cyber weapons. The working assumption is that nobody else has discovered the vulnerability, so it remains unpatched. That is a bet, not a fact: nothing prevents another party, friendly or hostile, from finding the same flaw independently. If the vulnerabilities, once discovered, were instead reported to the vendors, patched, and defanged, so to speak, the end result would be a significantly stronger defensive posture. Another problem with cyber weapons is that once they are detected in the wild it generally doesn't take very long before the zero-days they leverage are identified and the vendors can begin working on a patch. This makes a cyber weapon something like a gun with a single bullet: once deployed, future deployments are much less likely to be effective as the weaknesses are patched.

Recently a new ransomware attack hit the web, infecting systems in over 99 countries and causing mass chaos and havoc across the globe as hospitals, banks, doctors' offices, and more found that their data was being held hostage, with payment demanded in Bitcoin before the files could be decrypted. What are we to do when a large cache of highly secret cyber weapons is stolen from the NSA/CIA and widely distributed to the public or sold at auction to the highest bidder? What if some of the more effective zero-day exploits were to have their code incorporated into the latest and greatest self-propagating malware? Take ordinary, widely available ransomware and turbocharge it by enabling it to self-replicate far more efficiently via embedded stolen NSA exploit code. With no known fix, and with every new piece of malware needing to be reverse engineered as it is discovered, security professionals across the globe are left scrambling to implement countermeasures and fixes.

This is precisely what we saw in the latest round of ransomware attacks. To assume that it is safe to collect zero-days with the intent of weaponizing them in the future, rather than ensuring the holes are patched by working with the software vendors, is not only narcissistic but simply foolish. You may have heard of a group known as the Shadow Brokers. They are known for having published significant amounts of data said to have been stolen from the NSA, including the exploit code later reused by WannaCry to spread. (Microsoft had released a patch for the SMB flaw that exploit targets roughly two months before the outbreak, but a vast number of systems remained unpatched, which is the usual fate of a fix that arrives only after the exploit has already leaked.) The challenges and landscape we face and must navigate today were clearly laid out before me as I considered the extent of our cyber operations years ago. When I heard that the WannaCry ransomware worm had worked so well that elements within the NSA found it necessary to power off critical servers because the malware had infiltrated NSA networks, I couldn't help but recognize the irony. I can only liken it to a bully being beaten with his own bat, or someone who finds himself the victim of his own firearm.

The last two years alone have seen several large collections of cyber weapons made available, in some manner or degree, to the public. If we add the zero-days, tools, and documents from the Hacking Team dump to what has been made public from the other large hacks and dumps, we have a very large number of computers that are unprotected and easy prey for whoever wields the knowledge and has the motivation to use these tools for fun, profit, chaos, or whatever nefarious purpose they have in mind. So far this has included attacks against the very families and people our intelligence agencies and defense department supposedly exist to protect and serve.

I fear that, just like the "War on Drugs," we will likely carry on with failed policies and practices in pursuit of an ideal or crusade that was fundamentally flawed, while being so deeply invested that we allow decades of unnecessary persecution, rampant spending, and "ideals" to trump common sense, harm reduction, and sensibility, leading us as a country and a people to give up the very things that we once agreed made America great and set us apart from the rest of the world. We are trading our individual liberties, our freedom from fear of persecution, and our privacy in our own selves and thoughts for 24/7 surveillance, with virtually our every thought or action recorded and analyzed to assess our potential for dissidence.

It has been said that the stated goal of terrorism is to effect political change by means of fear. Watch any Hollywood movie and you'll see the theme that we don't negotiate with or give in to terrorists. I'd submit to you that if you consider life and the role of government in our daily lives before 9/11 and after, and if the goal of the terrorists was to strip away the virtues and values that make Americans.... American.... then consider the current state of protections on our privacy and our right to assemble and protest, the militarization of our police forces, and the ever increasing incidents of international terrorism in our post-9/11 world. You might just find yourself arriving at the conclusion that when it comes to fighting a war on terror... we have already lost.

