|The San Francisco Style...|
Adam Segal and Michael Levy held a Council on Foreign Relations workshop on "Confronting the Zero-Day cyber-security challenge" last week in San Francisco while RSA was on. CFR is a pretty big deal, for those of you who don't spin in the Government policy circles.
I was not attending RSA, but I flew in the for the meeting to attend. The meeting also had a lot of the usual faces from Industry and Government that you would see at the NTIA meetings or the Wassenaar meetings. It's a giant traveling information security policy circus - but largely because everyone is afraid of a Wassenaar-level fuckup. The Shadow of that policy mess hung over this meeting like a breath of hot, smoggy DC air.
In any case, I attend the policy meetings so you don't have to!
Let me give you the summary of the conclusions: The conclusion was there is no way to have a stance on 0days from a diplomatic standpoint - that software liability is a hard option - that we don't have any of the numbers or metrics or data that we would need to make informed policy decisions in this area and we are not even sure HOW or WHERE to get these numbers and what those numbers would measure exactly.
That's not my conclusion, that was basically the conclusion of the group as a whole. It is a much more honest opinion than the CFR wanted, as far as I can tell.
There was one question which I wanted to address again though. And it was this:
Q: Some parts of what you did at the NSA were classified, but let's say you worked on a 0day, how do you know what parts of that were classified? Is the bug class classified? What level of abstraction is actually the secret part? What do you have to get pre-publication reviewed? Anything in exploitation? Anything in Windows exploitation? Anything just on that particular service? Anything that is exactly that bug?
A: We all just use our judgement on that.
That's not the answer I gave at the time, but it was a much better question than I realized in the haze of jet-lag. I get this question over and over again - "How do you define 0day?". "Surely there is some clear, industry accepted, clear as day idea of what a "vulnerability" is?", the uber-powerful lawyer asked me just yesterday.
But there ISN'T. The only thing anyone knows about 0days is that like porn, they know it when they don't see it. The question this person asked about classification was quite subtly probing the root of that problem.