1ac lexington

1AC – LEXINGTON

Upload: william-cheung

Post on 15-Apr-2016


1AC


1AC – Plan

The United States federal government should eliminate its domestic surveillance programs using computer software vulnerabilities or exploits unknown to relevant vendors.

Page 4: 1AC Lexington

1AC – Cyberattacks Advantage

CONTENTION 1: CYBERATTACKS

Loopholes still allow the executive to purchase “zero-day” software vulnerabilities from third parties.

Zetter, 2014 [Kim, award-winning journalist who covers cybercrime, civil liberties, privacy, and security for Wired, “Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA,” Wired, http://www.wired.com/2014/04/obama-zero-day/] //khirn

Healey notes that the public statements on the new policy leave a lot of questions unanswered and raise the possibility that the government has additional loopholes that go beyond the national security exception. The statement by the Office of the Director of National Intelligence about the new bias toward disclosure, for example, specifically refers to vulnerabilities discovered by federal agencies, but doesn’t mention vulnerabilities discovered and sold to the government by contractors, zero-day brokers or individual researchers, some of whom may insist in their sale agreements that the vulnerability not be disclosed. If purchased zero-day vulnerabilities don’t have to be disclosed, this potentially leaves a loophole for the secret use of these vulnerabilities and also raises the possibility that the government may decide to get out of the business of finding zero days, preferring to purchase them instead. “It would be a natural bureaucratic response for the NSA to say ‘why should we spend our money discovering vulnerabilities anymore if we’re going to have to disclose them?'” Healey says. “You can imagine a natural reaction would be for them to stop spending money on finding vulnerabilities and use that money to buy them off the grey-market where they don’t have to worry about that bias.” The government’s new statement about zero days also doesn’t address whether it applies only to vulnerabilities discovered in the future or to the arsenal of zero-day vulnerabilities the government already possesses.

That drives the global zero-day market – an overly active US makes vulnerability proliferation and cyberattacks inevitable.

Pierluigi Paganini 13, Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", “Zero-day Market, the Government are the Main Buyers”, http://securityaffairs.co/wordpress/14561/malware/zero-day-market-governments-main-buyers.html

Governments, and in particular US one, are principal buyers of zero-day vulnerabilities according to a report published by Reuters. Zero-days exploits are considered a primary ingredient for success of a cyber attack, the knowledge of zero-day flaw gives to the attacker guarantee of success, state-sponsored hackers and cyber criminals consider zero-day exploits a precious resource around which is grown a booming market. Zero-day exploits could be used as an essential component for the design of a cyber weapon or could be exploited for cyber espionage purposes, in both cases governments appear the most interested entities for the use of these malicious code. Recent cyber attacks conducted by Chinese hackers might lead us to think Chinese Government is primary buyer/developer for zero-day vulnerabilities, but a report recently published by Reuters claimed the US government is the “biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.” Reuters revealed that the US Government, in particular its intelligence agency and the DoD are “spending so heavily for information on holes in commercial computer systems, and on exploits taking advantage of them, that they are turning the world of security research on its head.” It’s a new way to compete with adversary in cyberspace. Recent tension between China and US gave security experts the opportunity to discuss about the development of the two countries of efficient cyber strategy that improve both offensive and defensive cyber capabilities. Both countries are largely invested in the creation of new cyber units, but according to intelligence sources, offensive approach seems to be most stimulated by the need to preserve the security in the cyberspace. NSA chief General Keith Alexander told Congress that the US Government is spending billions of dollars every year on “cyberdefense and constructing increasingly sophisticated cyberweapons” this led to the birth of “more than a dozen offensive cyber units, designed to mount attacks, when necessary, at foreign computer networks.” Popular hacker Charlie Miller, security researcher at Twitter, with a past collaboration with NSA confirmed the offensive approach to cyber security: “The only people paying are on the offensive side,” The emerging zero-day market is fueled by intense activities of talented hackers who sell information on flaws in large use products. According to Reuters defense contractors and intelligence agencies “spend at least tens of millions of dollars a year just on exploits”. The zero-day market is very complex due to high “perishability” of the goods, following some key figures of a so complex business: Difficulty finding buyers and sellers – It’s a closed market not openly accessible. Find a buyer or identify a possible seller is a critical phase. Checking the buyer reliability – The reduced number of reliable brokers able to locate a buyer pushes the researcher to try to tell many individuals about the discovery in an attempt to find a buyer with obvious risks. Value cannot be demonstrated without loss – One of the most fascinating problems a researcher attempting to sell vulnerability information or a 0-day exploit may face is proving the validity of the information without disclosing the information itself. The only way to prove the validity of the information is to either reveal it or demonstrate it in some fashion. Obviously, revealing the information before the sale is undesirable as it leaves the researcher exposed to losing the intellectual property of the information without compensation. Exclusivity of rights – The final hurdle involves the idea of the exclusive rights of the information. In order to receive the largest payoffs, the researcher must be willing to sell all rights to the information to the buyer. However, the buyer has no way to protect themselves from the researcher selling the information to numerous parties, or even disclosing the information publicly, after the sale. Current approaches to zero-day vulnerabilities are to be bought up exploits avoiding that they could be acquired by government’s opponents such as dictators or organized criminals, many security firms sell subscriptions for exploits, guaranteeing a certain number per year. The trend to exploit zero-day for offensive purposes has been followed by intelligence agencies and also private companies, both actors have started to code their own zero-day exploits. “Private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive.” The Reuters report also revealed the participation of government representatives to the Secret Snoop Conference for Government and law enforcement spying, clearly with the intent to acquire new technologies to conduct cyber espionage through malware based attacks able to compromise target networks. The choice of a government to acquire a zero-day exploit to use it against a foreign government hides serious risks for its country, cyber terrorist, cyber criminals or state-sponsored hackers could reverse engineer the source code to compose new malicious agent to use against the same authors.

Current US zero day policy will incentivize a cyber arms race – the plan is key.

Steve Ranger 14, UK editor of TechRepublic, and has been writing about the impact of technology on people, business and culture for more than a decade. 'Inside The Secret Digital Arms Race: Facing The Threat Of A Global Cyberwar - Feature'. 4/24/14. Techrepublic. http://www.techrepublic.com/article/inside-the-secret-digital-arms-race, VL

As such, the last decade has seen rapid investment in what governments and the military have dubbed "cyberwar" — sometimes shortened to just "cyber." Yes, it sounds like a cheaply sensational term borrowed from an airport thriller, (and to some the use of such an outmoded term reflects the limited level of understanding of the issues involved by those in charge) but the intent behind the investment is deadly serious. The UK's defence secretary Philip Hammond has made no secret of the country's interest in the field, telling a newspaper late last year, "We will build in Britain a cyber strike capability so we can strike back in cyberspace against enemies who attack us, putting cyber alongside land, sea, air and space as a mainstream military activity." The UK is thought to be spending as much as £500m on the project over the next few years. On an even larger scale, last year General Alexander revealed the NSA was building 13 teams to strike back in the event of an attack on the US. "I would like to be clear that this team, this defend-the-nation team, is not a defensive team," he told the Senate Armed Services Committee last year. And of course, it's not just the UK and US that are building up a digital army. In a time of declining budgets, it's a way for defence ministries and defence companies to see growth, leading some to warn of the emergence of a twenty-first century cyber-industrial complex. And the shift from investment in cyber-defence initiatives to cyber-offensives is a recent and, for some, worrying trend. Peter W. Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution, said 100 nations are building cyber military commands, of that there are about 20 that are serious players, and a smaller number could carry out a whole cyberwar campaign. And the fear is that by emphasising their offensive capabilities, governments will up the ante for everyone else. "We are seeing some of the same manifestations of a classic arms race that we saw in the Cold War or prior to World War One. The essence of an arms race is where the sides spend more and more on building up and advancing military capabilities but feel less and less secure — and that definitely characterises this space today," he said. It's taken less than a decade for digital warfare to go from theoretical to the worryingly possible. Politicians may argue that building up these skills is a deterrent to others, and emphasise such weapons would only be used to counter an attack, never to launch one. But for some, far from scaring off any would-be threats, these investments in offensive cyber capabilities risk creating more instability. "In international stability terms, arms races are never a positive thing: the problem is it's incredibly hard to get out of them because they are both illogical [and] make perfect sense," Singer said. Similarly Richard Clarke, a former presidential advisor on cybersecurity told a conference in 2012, "We turn an awful lot of people off in this country and around the world when we have generals and admirals running around talking about 'dominating the cyber domain'. We need cooperation from a lot of people around the world and in this country to achieve cybersecurity and militarising the issue and talking about how the US military have to dominate the cyber domain is not helpful." Thomas Rid, a reader in War Studies at King's College London said that many countries now feel that to be taken seriously they need to have a cyber command too. "What you see is an escalation of preparation. All sorts of countries are preparing and because these targets are intelligence intensive you need that intel to develop attack tools you see a lot of probing, scanning systems for vulnerabilities, having a look inside if you can without doing anything, just seeing what's possible," Rid said. As a result, in the shadows, various nations building up their digital military presence are mapping out what could be future digital battlegrounds and seeking out potential targets, even leaving behind code to be activated later in any conflict that might arise. As nations race to build their digital armies they also need to arm them. And that means developing new types of weapons. While state-sponsored cyberwarfare may use some of the same tools as criminal hackers, and even some of the same targets, it wants to go further. So while a state-sponsored cyber attack could use the old hacker standby of the denial of service attack (indeed the UK's GCHQ has already used such attacks itself, according to leaks from Edward Snowden), something like Stuxnet — built with the aim of destroying the centrifuges used in the Iranian nuclear project — is another thing entirely. "Stuxnet was almost a Manhattan Project style in terms of the wide variety of expertise that was brought in: everything from intelligence analysts to some of the top cyber talent in the world to nuclear physicists to engineers, to build working models to test it out on, and another entire espionage effort to put it in to the systems in Iran that Iran thought were air-gapped. This was not a couple of kids," said Singer. The big difference between military-grade cyber weapons and hacker tools is that the most sophisticated digital weapons want to break things. To create real, physical damage. And these weapons are bespoke, expensive to build, and have a very short shelf life. To have a real impact, these attacks are likely to be levelled at the industrial software that runs production lines, power stations or energy grids, otherwise known as SCADA (supervisory control and data acquisition) systems. Increasingly, SCADA systems are being internet-enabled to make them easier to manage, which of course, also makes them easier to attack. Easier doesn't mean easy though. These complex systems, often built to last for decades, are often built for a very narrow, specific purpose — sometimes for a single building. According to Rid, this makes them much harder to undermine. A bespoke, highly specific system requires a bespoke, highly specific attack, and a significant amount of intelligence, too. "The essence of an arms race is where the sides spend more and more on building up and advancing military capabilities but feel less and less secure — and that definitely characterises this space today." Peter W. Singer, Center for 21st Century Security and Intelligence "The only piece of target intelligence you need to attack somebody's email or a website is an email address or a URL. In the case of a control system, you need much more information about the target, about the entire logic that controls the process, and legacy systems that are part of the process you are attacking," Rid said. That also means that delivering any more than a few of these attacks at a time would be almost impossible, making a long cyberwar campaign hard to sustain. Similarly, these weapons need to exploit a unique weakness to be effective: so-called zero day flaws. These are vulnerabilities in software that have not been patched and therefore cannot be defended against. This is what makes them potentially so devastating, but also limits their longevity. Zero-day flaws are relatively rare and expensive and hard to come by. They're sold for hundreds of thousands of dollars by their finders. A couple of years ago a Windows flaw might have earned its finder $100,000 on the black market, an iOS vulnerability twice that. Zero-day flaws have an in-built weakness, though: they're a one-use only weapon. Once an attack has been launched, the zero-day used is known to everyone. Take Stuxnet. Even though it seems to have had one specific target — an Iranian power plant — once it was launched, Stuxnet spread very widely, meaning security companies around the world could examine the code, and making it much harder for anyone to use that exact same attack again. "It's like dropping the bomb, but also [saying] here's the blueprint of how to build the bomb," explains Singer, author of the recent book Cybersecurity and Cyberwar. But this leads to another, unseen problem. As governments stockpile zero-day flaws for use in their cyber-weapons, it means they aren't being reported to the software vendors to be fixed — leaving unpatched systems around the world at risk when they could easily be fixed.

Scenario 1 is Grids – they’re exposed and vulnerable.

Andrew Krepinevich 12, PhD & MPA at Harvard, West Point graduate, served 25 years in the Army, worked in the DOD Office of Net Assessment for 3 defense secretaries, president of the Center for Strategic and Budgetary Assessments, p. 53-8, http://www.csbaonline.org/publications/2012/08/cyber-warfare-a-nuclear-option/

A VULNERABLE GRID

Could a cyber attack take the United States, or major parts of it, off the electric grid for significant periods of time? While it is not possible to provide a definitive answer, there is sufficient evidence to justify concern that such an event could occur. Initially U.S. power grid control systems (i.e., SCADA systems) were on closed networks that were not connected to the Internet. Over time, however, the electric industry began relying on SCADA systems to improve the efficiency and performance of their systems. As it is cheaper to maintain an open network than a closed one, firms opted to move to open networks. Access to the Internet, with its attendant benefits and vulnerabilities, became essential for operations.190 In addition to penetrating power companies via the Internet, hackers can compromise SCADA systems by exploiting outdated modems used for maintenance purposes, or by exploiting wireless access points—jumping the “air gap.” Again, irrespective of being on an open or closed network, the problems of supply chain security and insider threats remain. Finally, power companies may buy and trade power among one another, creating the prospect that hackers breaching the defenses of one firm will have effectively penetrated all its partners as well.191 The U.S. power grid’s vulnerability is heightened by two additional factors. First, most grid asset owners and operators have been historically resistant to report cyber attacks against their networks or to make the necessary investments to upgrade and secure their networks.192 Second, the U.S. power grid is highly centralized; the power grid serving the contiguous forty-eight states is composed of three distinct power grids, or “interconnections”—the Eastern Interconnection, the Western Interconnection, and the Electric Reliability Council of Texas Interconnection.193 These interconnections provide power to the continental United States, Canada, and a small part of Mexico. The combination of centralized grids and a lack of emphasis on defensive measures could make the power grid more vulnerable to cascading failures, as have been triggered by other events in the past. As roughly 90 percent of the Defense Department’s most critical assets are entirely dependent on the bulk power grid, there is the potential for a “Cyber Pearl Harbor” to result from a successful attack on the grid.194 A recent case points out just how vulnerable the grid may be. In 2008 a power company hired a cyber security firm to test the security of the network it employs to oversee its power grid. The cyber security team took only a day to organize its cyber tools before launching its attack. The penetration team monitored SCADA user groups, harvesting the email addresses of people working at the targeted power company. It then sent the workers an email describing the company’s intention to reduce their benefits along with a link to an Internet site where they could obtain more information. When the employees clicked on the link, they were directed to an Internet server set up by the penetration team. The employees’ machines displayed an error message; however, the Internet server downloaded malware enabling the team to take command of the machines in less than one day.195 The situation may become worse before it gets better. In particular, the recent move by the United States to develop a “smart grid” could increase the United States’ vulnerability to cyber attacks on its electric power infrastructure.196 The U.S. Department of Energy (DoE) is working to build security into the smart grid, but the challenge is very complex.197

Specifically, US zero day policy ensures leaks and exposes unforeseen weaknesses in grids.

Clay Wilson 14, Program Director for Cybersecurity graduate studies at the American Public University, past Program Director for Cybersecurity Policy at the University of Maryland University College (UMUC), former analyst for national defense policy at the Congressional Research Service, member of the Landau Network Centro Volta, International Working Group, an organization that studies issues for non-proliferation of CBRN and Cyber Weapons. Cyber Threats to Critical Information Infrastructure, Cyberterrorism 2014, p. 123-36, VL

Both Flame and Stuxnet reportedly contain multiple zero-day exploits (ZDEs) which enabled them to bypass the cybersecurity controls for the top-secret computer systems in Iran’s nuclear facility. A ZDE is special code that takes advantage of a previously unknown vulnerability in computer software. There is no technical defense against a ZDE until after it has been discovered and its stealthy methods have been analyzed by researchers. Traditional antivirus and intrusion detection security products have difficulty in detecting or blocking the actions of a ZDE. If ZDE stealth is added onto malicious code, it can enable that code to be secretly inserted and installed on a targeted computer system. Because of increasingly sophisticated stealth features, sometimes months or years can pass until a systems administrator notices something suspicious is going on inside their computer system. Stealth capability and international tensions linked to cyber espionage have together created a growing demand for ZDEs. Highly-skilled cyber experts who design and develop ZDEs have discovered that governments and industries will pay them handsomely (Miller 2007), and they can also offer ZDEs for sale to other organizations for use with cyberattacks (Greenberg 2012a). Sales of zero-day exploits are reportedly made to government customers in the U.S., Russia and China, plus European agencies and their supporting contractors, including for example, Northrop Grumman and Raytheon (Timm 2012). The Western governments and customers are the ones who pay the highest prices for ZDEs. Reportedly, markets in the Middle East cannot yet match the higher prices offered by Western governments (Greenberg 2012b). Cyber experts involved in the design and sale of ZDEs include scientists, researchers, national military warfighters, students, and individual criminals. Individuals with sophisticated programming skills are actively recruited as workers by a variety of organizations, including law enforcement agencies, criminal organizations, and also possibly some extremist groups (Paganini 2012). Government agencies may explain to the sellers that the malware is intended for use to monitor communications of criminal suspects, or temporarily disable the computers and phones of suspects and targets as part of intelligence gathering programs. However, the growing body of ZDEs and malicious code are contributing to a cyber arms race, along with the familiar questions and concerns about containment and nonproliferation normally associated with CBRN weapons. ZDEs that are designed and purchased for use by the military and law enforcement may eventually come to threaten civilian critical infrastructure systems if they should find their way into the hands of terrorists and extremist groups. Reports have started to emerge that this gradual leakage of malicious ZDE code originally intended for use by law enforcement is already starting to take place.

Zero-days are unique – causes long-term vulnerabilities and cascading failures that shut down grid supply.

Amelia Smith 14, Newsweek, 11/21/14. 'China Could Shut Down U.S. Power Grid With Cyber Attack, Says NSA Chief'. http://europe.newsweek.com/china-could-shut-down-us-power-grid-cyber-attack-says-nsa-chief-286119, VL

China and "one or two" other countries have the ability to launch a cyber attack that could shut down the entire U.S. power grid and other critical infrastructure, the head of the National Security Agency (NSA) and U.S. Cyber Command told a congressional panel on Thursday. Admiral Michael Rogers told the hearing that software had been detected in China that could significantly damage the nation's economic future by interfering with power company networks and other critical systems. Describing the malware, he told the House Intelligence Committee that: "It enables you to shut down very segmented, very tailored parts of our infrastructure that forestall the ability to provide that service to us as citizens." "It is only a matter of the when, not the if, that we are going to see something traumatic," he added. When asked by Republican representative for Michigan Mike Rogers, who chairs the intelligence committee, what other countries have this capability, the NSA director responded "one or two others," but declined to name them for security reasons. "We're watching multiple nation states invest in this capability," he said. According to cyber expert Caroline Baylon of thinktank Chatham House, the interconnectedness of power grids means that they are liable to "cascading failures". As nearby grids take up the slack for the failed system, they become overloaded and they too fail in a chain reaction. Rogers said that such attacks are part of "coming trends" in which so-called zero-day vulnerabilities in U.S. cyber systems are exploited. A zero-day vulnerability refers to a hole in software that is unknown to the vendor, which can be exploited by hackers before the vendor becomes aware and hurries to patch it up. They are becoming an increasingly powerful weapon of cyber espionage as countries become more connected to the internet. As well as espionage, there are also fears of cyber warfare. "Once an attacker finds an open vulnerability, he or she can get into the system," Baylon told Newsweek. "This allows the adversary to place a 'backdoor' in that system, as China are doing in the U.S., which they can use to access that system again at a later date." "Whilst at present it is not in any country's interest to attack the power grid of another country, now is the time for countries to look for these vulnerabilities because this is when they are open," she added. "It is a dangerous situation because a number of countries are looking for vulnerabilities in the power grids of other countries." A so-called 'grey-market' - a black market that isn't strictly illegal yet - for zero-day vulnerabilities now exists, with companies like Vupen in France selling them to governments for use in espionage. According to Baylon, the U.K. and the U.S. are particularly at risk because they have a huge amount of critical infrastructure connected to the internet. Some countries however, like Russia, have clear government policy about being connected to the internet. "There is a huge asymmetry going on," she said. Russia is also regarded as having an aggressive cyber programme. Rogers's testimony comes shortly after the release of a report from the Pew Internet and American Life Project that says that it is likely that a catastrophic cyber-attack would have occurred by 2025, causing significant losses in life and financial damage. "Intelligence agencies and governments are very concerned about it," says Baylon. She predicts that the most likely scenario would be a coordinated attack. "In the event of major attack, we might see a series of simultaneous attacks on a number of areas, for example attacking a power grid and paralyzing communications networks at the same time." This, she says, is something we could see in the next five to 10 years. However she stresses that whilst "it is very hard to find solutions", governments and experts are working very hard on the issue. In his testimony to the intelligence committee, Rogers said: "The Chinese intelligence services that conduct these attacks have little to fear because we have no practical deterrents to that theft. This problem is not going away until that changes."

A zero-day attack collapses critical infrastructure – key to a litany of services.

Fred Guterl ’12, Executive Editor of Scientific American, ‘Armageddon 2.0’, Bulletin of the Atomic Scientists, 11/28/12, http://thebulletin.org/bio/fred-guterl, VL

If Stuxnet-like malware were to insinuate itself into a few hundred power generators in the United States and attack them all at once, the damage would be enough to cause blackouts on the East and West Coasts. With such widespread destruction, it could take many months to restore power to the grid. It seems incredible that this should be so, but the worldwide capacity to manufacture generator parts is limited. Generators generally last 30 years, sometimes 50, so normally there's little need for replacements. The main demand for generators is in China, India, and other parts of rapidly developing Asia. That's where the manufacturers are -- not in the United States. Even if the United States, in crisis mode, put full diplomatic pressure on supplier nations -- or launched a military invasion to take over manufacturing facilities -- the capacity to ramp up production would be severely limited. Worldwide production currently amounts to only a few hundred generators per year. The consequences of going without power for months, across a large swath of the United States, would be devastating. Backup electrical generators in hospitals and other vulnerable facilities would have to rely on fuel that would be in high demand. Diabetics would go without their insulin; heart attack victims would not have their defibrillators; and sick people would have no place to go. Businesses would run out of inventory and extra capacity. Grocery stores would run out of food, and deliveries of all sorts would virtually cease (no gasoline for trucks and airplanes, trains would be down). As we saw with the blackouts caused by Hurricane Sandy, gas stations couldn't pump gas from their tanks, and fuel-carrying trucks wouldn't be able to fill up at refueling stations. Without power, the economy would virtually cease, and if power failed over a large enough portion of the country, simply trucking in supplies from elsewhere would not be adequate to cover the needs of hundreds of millions of people. People would start to die by the thousands, then by the tens of thousands, and eventually the millions. The loss of the power grid would put nuclear plants on backup, but how many of those systems would fail, causing meltdowns, as we saw at Fukushima? The loss in human life would quickly reach, and perhaps exceed, the worst of the Cold War nuclear-exchange scenarios. After eight to 10 days, about 72 percent of all economic activity, as measured by GDP, would shut down, according to an analysis by Scott Borg, a cybersecurity expert.

Current Pentagon policy mandates retaliation against cyberattack.

Richard Clarke and Steven Andreasen ’13, * former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States, **national security consultant to the Nuclear Threat Initiative, teaches courses on National Security Policy and Crisis Management in Foreign Affairs at the University of Minnesota, director for defence policy and arms control on the National Security Council staff at the White House from 1993 to 2001, ‘Cyberwar’s threat does not justify a new policy of nuclear deterrence’, Washington Post 6/14/13, https://www.washingtonpost.com/opinions/cyberwars-threat-does-not-justify-a-new-policy-of-nuclear-deterrence/2013/06/14/91c01bb6-d50e-11e2-a73e-826d299ff459_story.html, VL

The Pentagon’s Defense Science Board concluded this year that China and Russia could develop capabilities to launch an “existential cyber attack” against the United States — that is, an attack causing sufficient damage that our government would lose control of the country. “While the manifestation of a nuclear and cyber attack are very different,” the board concluded, “in the end, the existential impact to the United States is the same.” Because it will be impossible to fully defend our systems against existential cyberthreats, the board argued, the United States must be prepared to threaten the use of nuclear weapons to deter cyberattacks. In other words: I’ll see your cyberwar and raise you a nuclear response. Some would argue that Obama made clear in his 2010 Nuclear Posture Review that the United States has adopted the objective of making deterrence of nuclear attacks the “sole purpose” of our nuclear weapons. Well, the board effectively reviewed the fine print and concluded that the Nuclear Posture Review was “essentially silent” on the relationship between U.S. nuclear weapons and cyberthreats, so connecting the two “is not precluded in the stated policy.” As the board noted, cyberattacks can occur very quickly and without warning, requiring rapid decision-making by those responsible for protecting our country. Integrating the nuclear threat into the equation means making clear to any potential adversary that the United States is prepared to use nuclear weapons very early in response to a major cyberattack — and is maintaining nuclear forces on “prompt launch” status to do so. Russia and China would certainly take note — and presumably follow suit. Moreover, if the United States, Russia and China adopted policies threatening an early nuclear response to cyber attacks, more countries would surely take the same approach. It’s hard to see how this cyber-nuclear action-reaction dynamic would improve U.S. or global security. It’s more likely to lead to a new focus by Pentagon planners on generating an expanding list of cyber-related targets and the operational deployment of nuclear forces to strike those targets in minutes.

Pentagon threats lack credibility and cyberattacks are interpreted differently by attackers.

Vincent Manzo ’11, fellow in the Defense and National Security Group of the CSIS International Security Program, specializes in U.S. defense strategy, nuclear weapons, missile defense, space and cyber policy, with a focus on exploring deterrence, employment strategies and escalation control in the emerging strategic environment, former research analyst at the National Defense University’s Institute for National Strategic Studies, ‘Deterrence and Escalation in Cross-domain Operations: Where Do Space and Cyberspace Fit?’ pgs. 6-7, Institute for National Strategic Studies Strategic Forum at the National Defense University, December 2011, https://www.law.upenn.edu/live/files/1323-manzo-deterrence-and-escalation, VL

*ableist language modified

The balance between offense and defense in these domains will also influence perceptions of effects, escalation and proportionality, and optimal deterrence strategies. For example, if offense continues to dominate in space and cyberspace and potential adversaries want to attack U.S. assets in these domains precisely because they are the U.S. military’s “soft underbelly,” U.S. stakes in any conflict would grow exponentially after such attacks occur because the effects in other domains would be profound. As a result, U.S. officials might feel pressure to take preemptive action prior to such an attack, or they might take risks to quickly terminate a conflict and punish the adversary in its aftermath. The linkage between vulnerabilities in space and cyberspace and the effectiveness of U.S. capabilities in other domains that makes U.S. satellites and computer networks high-value targets also makes the threat of a strong reprisal more credible: it would be proportionate to the effects of the attack. Conveying this to potential adversaries would be a central component of a deterrence strategy. Emphasizing this link might even enhance the credibility of the U.S. commitment to retaliate.

Alternatively, the United States might become capable of denying adversaries the benefits of attacks in these domains through cyber defenses and substituting terrestrial assets for satellites. In this case, U.S. deterrence strategy would strive to convince potential adversaries that they cannot affect U.S. ground, air, naval, and nuclear forces by attacking satellites and computer networks. Such a message might make U.S. threats to respond offensively appear disproportionate and less credible, but this would be a worthwhile tradeoff if the United States developed a defensive advantage in space and cyberspace.

Decisionmakers will also perceive attacks in space and cyberspace differently depending on the context. Attacks on military satellites and computer networks might be expected and accepted once a conventional war has started. But similar attacks might trigger a conventional conflict if they occur prior to hostilities, when both countries want to prevent a crisis from escalating into a war but are concerned about being left blind, deaf, and dumb [unoperational] by a first strike in space and cyberspace. Proportionality and escalation are relative concepts: actions that are escalatory during crises might be proportionate in limited wars and underwhelming responses as the scope and intensity of a conflict increase.

A related issue is whether U.S. reactions to cyber exploitation during peacetime would affect deterrence in crises. Though the technology and operations of cyber exploitation and cyber attacks are similar, the goals and effects are different: exploitation extracts information from computers and networks without authorization; attacks destroy, degrade, or alter them to achieve effects in other domains.13 But news outlets frequently describe incidents of cyber exploitation against the U.S. Government as cyber attacks and evidence of an ongoing war in cyberspace.14

Conflating these operations contributes to the impression that U.S. deterrence has already failed. Potential adversaries might conclude that U.S. threats to respond to cyber attacks in other domains lack credibility based on how the United States reacted to previous exploitation operations.

This perception might affect how they calculate risks and benefits of cyber attacks in crises. How can U.S. officials publicly convey that cyber exploitation and attacks pose different threats and require different responses, especially given the overlap between the two? Emphasizing that the real-world effects of attacks and exploitation differ might be a first step toward establishing a threshold between the two. This message would reinforce that deterrence has not failed because the effects of exploitation in cyberspace have not yet warranted U.S. military responses in other domains. It clarifies the types of actions that the United States is attempting to deter.

Some strategists may conclude that proportionate counterspace and cyber responses are impossible because escalation control in these domains is too difficult. There are an “infinite number of scenarios that are neither indicative of a minor harassing incident of jamming nor strategic attack” in space and cyberspace.15 Assessing the effects of such attacks and choosing appropriate responses amid the stress and confusion of a military crisis might be difficult. U.S. and foreign officials likely will have differing views about the severity of nonkinetic disruptions that defy easy categorization, and the obstacles to developing a common framework might be too formidable.

Scenario 2 is Satellites: zero-day attacks damage satellite functions.

Andrea Gini ’14, content strategy consultant specialized in space sector companies, founder of Space Safety Magazine, worked in the European Space Agency in the Independent Safety Office which overviews the ISS 2011-2013. Internally cites Ram Levi, Founder and CEO of Konfidas Ltd, a cybersecurity strategy solutions startup, cybersecurity advisor to the National Research and Development Council, Ministry of Science and Technology and Space, and senior researcher at the Yuval Ne’eman Workshop for Science, Technology and Security, Tel Aviv University. 'Cyber Crime - From Cyber Space To Outer Space', 2/14/15, Space Safety Magazine. http://www.spacesafetymagazine.com/aerospace-engineering/cyber-security/cyber-crime-cyber-space-outer-space/, VL

An attack requires four elements: the possibility to access a system, a vulnerability to exploit, a payload – a malicious logic to be executed within the victim’s system to cause damage once executed, and command and control to tell it what to do. “One scenario could be a distributed denial of service attack (DDoS),” Levi explains. “In this scenario the attacker is denying the ability of the system to provide services to its legitimate user by choking the network or overloading the server with requests to diminish the limited resources of the server. Another attack could grant access to sensitive computers controlling industrial processes to manipulate the outcome of the process – such as changing the speed of an electricity-generating turbine and at the same time showing ‘normal’ operation status to the control technicians. Such attacks are hard to execute but also extremely hard to deal with – high complexity, high gain attacks.” With computer systems permanently connected to the Internet, the ability to perform an attack depends on the knowledge of a particular vulnerability. “A vulnerability may be due to design errors in coding of software or hardware” Levi explains. “There are also backdoors which can be planned or covertly inserted in the software/hardware development process.” The most valuable resource for a cyber criminal is what is called Zero Day vulnerability, a vulnerability that has not been publicly disclosed. “Those vulnerabilities are unknown to the general public or the software or hardware developers and therefore can be exploited by an attacker,” says Levi, adding that these are literally “a ‘free-pass’ to the organizations’ IT systems that can be used sometimes for over a year, according to research done by Symantec.”

Space Systems Vulnerability

Space systems, which in turn are composed of a network of ground stations and spacecrafts using satellite communication for specific purposes, are themselves potentially subject to these same vulnerabilities. “The components of space systems are computers, network components, or components controlled by computers, like uplink antenna motors,” Levi explains. “None of them would successfully work without the computers that are controlling them, including the onboard computer in the satellite. Computers control everything the space systems do and they are vulnerable to Cyber-Attack on them.” The worst-case scenario in space Cyber-Attack would be if someone managed to hijack a satellite after penetrating the command and control computer of the satellite. “This scenario is an operator’s nightmare, and we can assume that all measures are being taken to safeguard against such threats,” says Levi. “However, if we are looking at the satellite service – the service the satellite provides – one can attack the service rather than the satellite itself.” This could mean, for example attacking communication links between satellite ground stations and the broadcasting source instead of jamming the signal. This way, the satellite system would be working perfectly, but its service would be denied. Levi explains that from the point of view of an attacker, this brings the same result but without the strategic risk of directly attacking or jamming a satellite system. Levi quotes Gen. William Shelton, commander of US Air Force Space Command: “There’s not an operation conducted anywhere at any level that is not somehow dependent on space and cyberspace,” adding that this dependency could be used to attack space assets from cyberspace. “From a cyberspace perspective, it’s irrelevant how high above the ground a computer is positioned.” But attacking the services a satellite provides is not the only approach to compromise a satellite system. “Space systems are computer systems; this requires a new approach to better safeguard satellite systems from attacks,” Levi says. “Such protection should include not only focusing on the protection of the satellite itself, but thinking about broader protection.” A broader protection would need to take into account the supporting systems that enable the satellite to provide service, like communication, electricity, water supply, sewage and so on. “Such protection is much more complex, but possible. Considerations to this sort of protection should include re-analysis of the systems and the dependence of the satellite systems computer systems and their sensitivity to Cyber-Attacks.”

Nations are preparing for a cyber conflict involving space assets.

Bill Gertz 13, lectured on defense, national security, and media issues at the Defense Department’s National Security Leadership Program, Johns Hopkins University School of Advanced International Studies, the FBI National Academy, the National Defense University, and the CIA, media fellow at the Hoover Institution on War, Revolution and Peace at Stanford University, “China’s Military Preparing for ‘People’s War’ in Cyberspace, Space,” The Washington Free Beacon, http://freebeacon.com/china-military-preparing-for-peoples-war-in-cyberspace-space/

Translated report reveals high-tech plans for cyber attacks, anti-satellite strikes”, China’s military is preparing for war in cyberspace involving space attacks on satellites and the use of both military and civilian personnel for a digital “people’s war,” according to an internal Chinese defense report. “As cyber technology continues to develop, cyber warfare has quietly begun,” the report concludes, noting that the ability to wage cyber war in space is vital for China’s military modernization. According to the report, strategic warfare in the past was built on nuclear weapons. “But strategic warfare in the information age is cyber warfare,” the report said. “With the reliance of information warfare on space, cyberspace will surely become a hot spot in the struggle for cyberspace control,” the report said. The new details of Chinese plans for cyber and space warfare were revealed in a report “Study on Space Cyber Warfare” by four engineers working at a Chinese defense research center in Shanghai. The report presents a rare inside look of one of Beijing’s most secret military programs: Cyber warfare plans against the United States in a future conflict. “Cyber warfare is not limited to military personnel. All personnel with special knowledge and skills on information system may participate in the execution of cyber warfare. Cyber warfare may truly be called a people’s warfare,” the report says. People’s War was first developed by China’s Communist founder Mao Zedong as a Marxist-Leninist insurgency and guerrilla warfare concept. The article provides evidence that Chinese military theorists are adapting Mao’s peasant uprising stratagem for a future conflict with the United States. A defense official said the report was recently circulated in military and intelligence circles. Its publication came as a surprise to many in the Pentagon because in the past, U.S. translations of Chinese military documents on similar warfighting capabilities were not translated under a directive from policy officials seeking to prevent disclosure of Chinese military writings the officials feared could upset U.S.-China relations. A Chinese government spokesman could not be reached for comment. However, Chinese spokesmen in the past have denied reports that China engages in cyber attacks. The study links China’s space warfare development programs with its extensive cyber warfare capabilities. Both programs are considered “trump card” weapons that would allow a weaker China to defeat a militarily stronger United States in a conflict. “Cyber warfare is an act of war that utilizes space technology; it combines space technology and cyber technology and maintains and seizes the control of cyberspace,” the study says. Because cyberspace relies on satellites, “space will surely be the main battlefield of cyber warfare,” the report said. Satellites and space vehicles are considered the “outer nodes” of cyber space and “are clear targets for attack and may be approached directly,” the report said, adding that ground-based cyberspace nodes are more concealed and thus more difficult to attack. Additionally, satellites have limited defenses and anti-jamming capabilities, leaving them very vulnerable to attack. The report reveals that China’s military, which controls the country’s rapidly growing space program, is preparing to conduct space-based cyber warfare—“cyber reconnaissance, jamming, and attack”—from space vehicles. Space-based cyber warfare will include three categories: space cyber attack, space cyber defense, and space cyber support. The space cyber support involves reconnaissance, targeting, and intelligence gathering. “A space cyber-attack is carried out using space technology and methods of hard kill and soft kill,” the report said. “It ensures its own control at will while at the same time uses cyberspace to disable, weaken, disrupt, and destroy the enemy’s cyber actions or cyber installations.”

Satellites are perceived as key to military posturing – aggression risks sparking war now.

Lee Billings ’15, editor at Scientific American covering space and physics, ‘War in Space May Be Closer Than Ever’, 8/10/15, Scientific American, http://www.scientificamerican.com/article/war-in-space-may-be-closer-than-ever/, VL

The world’s most worrisome military flashpoint is arguably not in the Strait of Taiwan, the Korean Peninsula, Iran, Israel, Kashmir or Ukraine. In fact, it cannot be located on any map of Earth, even though it is very easy to find. To see it, just look up into a clear sky, to the no-man’s-land of Earth orbit, where a conflict is unfolding that is an arms race in all but name. The emptiness of outer space might be the last place you’d expect militaries to vie over contested territory, except that outer space isn’t so empty anymore. About 1,300 active satellites wreathe the globe in a crowded nest of orbits, providing worldwide communications, GPS navigation, weather forecasting and planetary surveillance. For militaries that rely on some of those satellites for modern warfare, space has become the ultimate high ground, with the U.S. as the undisputed king of the hill. Now, as China and Russia aggressively seek to challenge U.S. superiority in space with ambitious military space programs of their own, the power struggle risks sparking a conflict that could cripple the entire planet’s space-based infrastructure. And though it might begin in space, such a conflict could easily ignite full-blown war on Earth. The long-simmering tensions are now approaching a boiling point due to several events, including recent and ongoing tests of possible anti-satellite weapons by China and Russia, as well as last month’s failure of tension-easing talks at the United Nations.

Ensures retaliation.

Karl P. Mueller ’13, senior political scientist at the RAND Corporation, specializes in research related to military and national security strategy, particularly coercion and deterrence, professor of comparative military studies at the U.S. Air Force's School of Advanced Air and Space Studies in 2001, currently an adjunct professor at Johns Hopkins University and the Security Studies Program at Georgetown, associate director of the RAND Arroyo Center’s Strategy and Resources Program and a faculty member in the Pardee RAND Graduate School, ‘The Absolute Weapon and the Ultimate High Ground: Why Nuclear Deterrence and Space Deterrence Are Strikingly Similar - Yet Profoundly Different’ pgs. 50-51, Published in ‘Anti-satellite Weapons, Deterrence and Sino-American Space Relations’ by Stimson, September 2013, http://www.stimson.org/images/uploads/Anti-satellite_Weapons.pdf, VL

The two most important of these similarities both derive from the tendency for nuclear and ASAT attacks to be difficult to defend against. Defending against ASAT attacks tends to be hard because of physics and the geography of orbital space: Satellites are difficult, even often impossible, to conceal and difficult or costly to maneuver out of harm’s way. Defending against nuclear strikes can also be very hard, particularly when the weapons are delivered by ballistic missiles, but the fundamental problem with trying to intercept incoming nuclear warheads is that even defenses with a high success rate may be of little strategic value because a very small number of “leakers” can be sufficient to cause vast destruction. If an attacker has high confidence that an attack of either type will be at least operationally successful because defenses are not effective, deterrence efforts will need to focus on punishment and reward strategies because deterrence by denial will have little to offer. This is a problem that extends beyond the confines of crisis stability, but it can be especially acute in a crisis by creating powerful incentives for a first strike if war appears inevitable, or even merely likely. Moreover, when the stakes are high, making punitive threats (or reward offers) that are powerful enough to deter, absent being able to threaten an attacker with actual defeat, can be a very difficult strategic mountain to climb.

The second issue is closely related. Under conditions of real or perceived first-strike advantage, and with weapons for which tactical warning from detection to attack may be measured in minutes (or even less for some directed energy attacks or for attacks by prepositioned “space mines”), decision-making timelines are likely to be very compressed.18 This can cause or contribute to a witch’s brew of pathological effects, limiting opportunities for communication and signaling between adversaries or mediation by third parties, constraining the collection and analysis of information and consideration of alternative options, even causing panic and other psychological problems for decision makers under intense pressure.19

Yes war – an absence of a shared framework means any attack uniquely causes cross-domain responses and escalation.

Vincent Manzo ’11, fellow in the Defense and National Security Group of the CSIS International Security Program, specializes in U.S. defense strategy, nuclear weapons, missile defense, space and cyber policy, with a focus on exploring deterrence, employment strategies and escalation control in the emerging strategic environment, former research analyst at the National Defense University’s Institute for National Strategic Studies, ‘Deterrence and Escalation in Cross-domain Operations: Where Do Space and Cyberspace Fit?’ pgs. 4-5, Institute for National Strategic Studies Strategic Forum at the National Defense University, December 2011, https://www.law.upenn.edu/live/files/1323-manzo-deterrence-and-escalation, VL

Unfortunately, countries lack a shared framework for interpreting how counterspace and cyber attacks fit into an escalation ladder. Competition and vulnerability in space and cyberspace are new relative to land, air, and sea. Countries have less experience fighting wars in which space and cyberspace are part of the battlefield. Unlike conventional and nuclear weapons, experts are less certain about the precise effects of attacks in these domains.9

For these reasons, a widely shared framework for judging how counterspace and cyber attacks correspond with interactions in other domains and, more broadly, with political relations between potential adversaries during peacetime, in crises, and in wars does not yet exist. Without one, decisionmakers will have difficulty distinguishing between proportional and escalatory attacks and reprisals that cross from traditional strategic domains into these newer ones and vice versa.

The absence of a shared framework within the U.S. strategic community complicates effective cross-domain contingency planning. Developing coherent, effective, and usable options for responding to attacks in space and cyberspace requires that military planners in the different Services and combatant commands possess similar assumptions about cross-domain proportionality and escalation. For example, Principal Deputy Under Secretary of Defense for Policy James Miller testified that U.S. responses to counter space attacks “could include necessary and proportional responses outside of the space domain.”10 Yet there are a variety of types of counterspace attacks and even more potential nonspace targets for U.S. reprisals. A common framework would help planners determine which “nonspace” responses best correspond with counterspace attacks of varying scope and severity.

The absence of a shared framework between the United States, allies, and potential adversaries undermines deterrence and increases the potential for miscalculation. Effective deterrence requires that U.S. officials influence potential adversaries’ perceptions of the likely consequences of the actions the United States wishes to deter. The United States might threaten to respond to a particular type of attack in space or cyberspace by employing different capabilities against different targets in other domains. Such threats, however, are less likely to resonate as credible with potential adversaries if they do not understand U.S. assumptions about how domains are linked and why a particular response is a logical and proportional reaction to the initial attack.

As an example, imagine the United States threatened to respond to ASAT attacks on U.S. intelligence, surveillance, and reconnaissance (ISR) satellites with attacks against the adversary’s air defense network.

The logic underlying this policy is that the United States might employ ISR aircraft over the adversary’s territory to compensate for the lost satellites. Attacks on the air defense network would be necessary to ensure that the aircraft could effectively penetrate the country’s airspace. This policy is proportional because the United States is restoring its lost ISR capability, thereby denying the benefits of the ASAT attack.

However, the U.S. response would be different from the adversary’s attack. Instead of responding in space, the United States would attack targets on or around the adversary’s homeland. To further complicate the situation, the United States might use conventional weapons to destroy the air defense network even if the initial ASAT attack was nonkinetic. Without a shared framework, potential adversaries might consider this deterrence threat illogical and therefore not credible.

If deterrence failed, they might perceive such a U.S. response as arbitrary and escalatory. Even with a shared framework, they may still consider this response as escalatory, but they would also understand it to be a likely consequence of employing ASATs against the United States before authorizing an attack.

1AC – Solvency

CONTENTION 2: SOLVENCY

Current NSA policy virtually guarantees non-disclosure – banning surveillance removes all disincentives to disclose

Kim Zetter ‘15, award-winning journalist who covers cybercrime and security for Wired, 'Turns Out The US Launched Its Zero-Day Policy In Feb 2010'. WIRED. Accessed July 24 2015. http://www.wired.com/2015/06/turns-us-launched-zero-day-policy-feb-2010, VL

When the NSA or another agency discovers a software vulnerability, they use the Equities process to determine whether there is more to be gained from keeping the vulnerability secret or from disclosing it to be patched. That process was apparently weighted on the side of exploiting vulnerabilities over disclosing them until last year when the government had to “reinvigorate” the policy because it was not being implemented in the intended manner. The President’s Privacy and Civil Liberties Oversight Board had determined that the Equities process wasn’t being implemented as the board thought it should be, suggesting that more zero days were being kept secret than the board thought wise. Information about vulnerabilities also wasn’t being shared among all the agencies that needed to have a say in the decision-making process. The new document, which is heavily redacted, provides little additional information about the Equities process or the government’s use of zero-days. But it does describe the order of events after a zero-day vulnerability is discovered. The vulnerability first undergoes a classification process to determine if it requires “special handling.” If it reaches a certain “threshold”—the threshold isn’t disclosed in the document—then the executive secretariat is notified immediately. The executive secretariat, for this purpose, is the NSA/Information Assurance Directorate. The NSA then notifies other agencies participating in the equities process to give them a chance to indicate if they “have an equity at stake” and want to participate in the decision process for determining if the vulnerability will be disclosed or kept secret. What the document doesn’t say, however, is whether all parties in the decision making process have equal input. The document notes that the purpose of the Equities process is to ensure that decisions are made in the “best interest of intelligence collection, investigative matters and information assurance. Understanding that in most circumstances all three interest [sic] will not be satisfied but the best resolution for the overall good will be put forth…” Nathan Wessler, staff attorney for the ACLU, says this is the crux of the whole Equities process. “How they make the decision about which interest to prioritize when they find the zero day vulnerability [is] the decision that everything rides on,” he says. “But at no point … have government officials ever explained how they’re going to balance these competing interests and how they’re going to ensure that the cybersecurity voices at the table will be as loud and respected as the law-enforcement voices.”

The grey market incentivizes intentionally weak software – plan spurs long-term cybersecurity.

Schneier 12 [Bruce, security expert with 13 books, fellow at the Berkman Center for Internet & Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute and the CTO of Resilient Systems, “The Vulnerabilities Market and the Future of Security,” Forbes, 5/30/2012, http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security/] //khirn

Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It’s not just software companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it’s not only criminal organizations, who pay for vulnerabilities they can exploit. Now there are governments, and companies who sell to governments, who buy vulnerabilities with the intent of keeping them secret so they can exploit them. This market is larger than most people realize, and it’s becoming even larger. Forbes recently published a price list for zero-day exploits, along with the story of a hacker who received $250K from “a U.S. government contractor” (At first I didn’t believe the story or the price list, but I have been convinced that they both are true.) Forbes published a profile of a company called Vupen, whose business is selling zero-day exploits. Other companies doing this range from startups like Netragard and Endgame to large defense contractors like Northrop Grumman, General Dynamics, and Raytheon. This is very different than in 2007, when researcher Charlie Miller wrote about his attempts to sell zero-day exploits; and a 2010 survey implied that there wasn’t much money in selling zero days. The market has matured substantially in the past few years. This new market perturbs the economics of finding security vulnerabilities. And it does so to the detriment of us all. I’ve long argued that the process of finding vulnerabilities in software system increases overall security. This is because the economics of vulnerability hunting favored disclosure. As long as the principal gain from finding a vulnerability was notoriety, publicly disclosing vulnerabilities was the only obvious path. In fact, it took years for our industry to move from a norm of full-disclosure — announcing the vulnerability publicly and damn the consequences — to something called “responsible disclosure”: giving the software vendor a head start in fixing the vulnerability. Changing economics is what made the change stick: instead of just hacker notoriety, a successful vulnerability finder could land some lucrative consulting gigs, and being a responsible security researcher helped. But regardless of the motivations, a disclosed vulnerability is one that — at least in most cases — is patched. And a patched vulnerability makes us all more secure. This is why the new market for vulnerabilities is so dangerous; it results in vulnerabilities remaining secret and unpatched. That it’s even more lucrative than the public vulnerabilities market means that more hackers will choose this path. And unlike the previous reward of notoriety and consulting gigs, it gives software programmers within a company the incentive to deliberately create vulnerabilities in the products they’re working on — and then secretly sell them to some government agency. No commercial vendors perform the level of code review that would be necessary to detect, and prove mal-intent for, this kind of sabotage. Even more importantly, the new market for security vulnerabilities results in a variety of government agencies around the world that have a strong interest in those vulnerabilities remaining unpatched. These range from law-enforcement agencies (like the FBI and the German police who are trying to build targeted Internet surveillance tools), to intelligence agencies like the NSA who are trying to build mass Internet surveillance tools, to military organizations who are trying to build cyber-weapons. All of these agencies have long had to wrestle with the choice of whether to use newly discovered vulnerabilities to protect or to attack. Inside the NSA, this was traditionally known as the “equities issue,” and the debate was between the COMSEC (communications security) side of the NSA and the SIGINT (signals intelligence) side. If they found a flaw in a popular cryptographic algorithm, they could either use that knowledge to fix the algorithm and make everyone’s communications more secure, or they could exploit the flaw to eavesdrop on others — while at the same time allowing even the people they wanted to protect to remain vulnerable. This debate raged through the decades inside the NSA. From what I’ve heard, by 2000, the COMSEC side had largely won, but things flipped completely around after 9/11. The whole point of disclosing security vulnerabilities is to put pressure on vendors to release more secure software. It’s not just that they patch the vulnerabilities that are made public — the fear of bad press makes them implement more secure software development processes. It’s another economic process; the cost of designing software securely in the first place is less than the cost of the bad press after a vulnerability is announced plus the cost of writing and deploying the patch. I’d be the first to admit that this isn’t perfect — there’s a lot of very poorly written software still out there — but it’s the best incentive we have. We’ve always expected the NSA, and those like them, to keep the vulnerabilities they discover secret. We have been counting on the public community to find and publicize vulnerabilities, forcing vendors to fix them. With the rise of these new pressures to keep zero-day exploits secret, and to sell them for exploitation, there will be even less incentive on software vendors to ensure the security of their products. As the incentive for hackers to keep their vulnerabilities secret grows, the incentive for vendors to build secure software shrinks. As a recent EFF essay put it, this is “security for the 1%.” And it makes the rest of us less safe.

Disclosure resolves countless vulnerabilities.

Jordan Robertson and Michael Riley ’14, reporters for Bloomberg, ‘US Contractors Scale Up Search for Heartbleed-Like Flaws’, 5/2/14, Bloomberg Business, http://www.bloomberg.com/news/articles/2014-05-02/us-contractors-scale-up-search-for-heartbleed-like-flaws, VL

Zero-day Exploits

The U.S. has poured billions of dollars into an electronic arsenal built with so-called zero-day exploits, manipulations of missteps or oversights in code that can make anything that runs on a computer chip vulnerable to hackers. They go far beyond flaws in web encryption like SSL and OpenSSL, which the NSA has exploited for years without warning the public about it, according to people with knowledge of the matter. The agency’s stockpile of exploits runs into the thousands, aimed at every conceivable device, and many are not disclosed even to units within the agency responsible for defending U.S. government networks, people familiar with the program said. Under a directive made public April 11, after Bloomberg News reported the NSA’s utilization of the infamous Heartbleed bug -- a use the agency denied -- the White House said exploits should in most cases be disclosed so computer users can protect themselves.

That disarms hackers globally – weapons become useless.

Masnick ‘14 [Mike, founder and CEO of Floor64 and editor of the Techdirt blog, “Obama Tells NSA To Reveal, Not Exploit, Flaws... Except All The Times It Wants To Do The Opposite,” Techdirt, April 14, 2014, https://www.techdirt.com/articles/20140413/07094726892/obama-tells-nsa-to-reveal-not-exploit-flaws-except-all-times-it-wants-to-do-opposite.shtml] //khirn

However, the NY Times had a story this weekend about how this move has forced the administration to clarify its position on zero day exploits. It's already known that the NSA buys lots of zero day exploits and makes the internet weaker as a result of it. Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes that, following the White House's intelligence review task force recommendation that the NSA stop weakening encryption and other technologies, President Obama put in place an official rule that the NSA should have a "bias" towards revealing the flaws and helping to fix them, but leaves open a massive loophole: But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons. Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say." Of course, the cold war analogy used by people in the article seems... wrong: “We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Except, it's meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using those zero days. In fact, closing zero days is just like disarming both sides, because it takes the vulnerability out of service. It's not about us giving up our "weapons," it's about building a better defense for the world. And yet the NSA isn't willing to do that. Because they're not about protecting anyone -- other than themselves.

NSA can’t make effective calls – disclosure reasserts commitments to cybersecurity, which is the necessary catalyzing factor for international cyberdefense treaties.

Bruce Schneier ‘14, internationally renowned security technologist, fellow at the Berkman Center for Internet and Society at Harvard Law School and a program fellow at the New America Foundation's Open Technology Institute. “Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them?”, May 19, 2014, http://www.theatlantic.com/technology/archive/2014/05/should-hackers-fix-cybersecurity-holes-or-exploit-them/371197/, VL

The NSA, and by extension U.S. Cyber Command, tries its best to play both ends of this game. Former NSA Director Michael Hayden talks about NOBUS, “nobody but us.” The NSA has a classified process to determine what it should do about vulnerabilities, disclosing and closing most of the ones it finds, but holding back some—we don't know how many—vulnerabilities that “nobody but us” could find for attack purposes. This approach seems to be the appropriate general framework, but the devil is in the details. Many of us in the security field don’t know how to make NOBUS decisions, and the recent White House clarification posed more questions than it answered. Who makes these decisions, and how? How often are they reviewed? Does this review process happen inside Department of Defense, or is it broader? Surely there needs to be a technical review of each vulnerability, but there should also be policy reviews regarding the sorts of vulnerabilities we are hoarding. Do we hold these vulnerabilities until someone else finds them, or only for a short period of time? How many do we stockpile? The US/Israeli cyberweapon Stuxnet used four zero-day vulnerabilities. Burning four on a single military operation implies that we are not hoarding a small number, but more like 100 or more. There’s one more interesting wrinkle. Cyber-weapons are a combination of a payload—the damage the weapon does—and a delivery mechanism: the vulnerability used to get the payload into the enemy network. Imagine that China knows about a vulnerability and is using it in a still-unfired cyber-weapon, and that the NSA learns about it through espionage. Should the NSA disclose and patch the vulnerability, or should it use it itself for attack? If it discloses, then China could find a replacement vulnerability that the NSA won’t know about it. But if it doesn’t, it’s deliberately leaving the U.S. vulnerable to cyber-attack. Maybe someday we can get to the point where we can patch vulnerabilities faster than the enemy can use them in an attack, but we’re nowhere near that point today. The implications of U.S. policy can be felt on a variety of levels. The NSA's actions have resulted in a widespread mistrust of the security of U.S. Internet products and services, greatly affecting American business. If we show that we're putting security ahead of surveillance, we can begin to restore that trust. And by making the decision process much more public than it is today, we can demonstrate both our trustworthiness and the value of open government. An unpatched vulnerability puts everyone at risk, but not to the same degree. The U.S. and other Western countries are highly vulnerable, because of our critical electronic infrastructure, intellectual property, and personal wealth. Countries like China and Russia are less vulnerable—North Korea much less—so they have considerably less incentive to see vulnerabilities fixed. Fixing vulnerabilities isn't disarmament; it's making our own countries much safer. We also regain the moral authority to negotiate any broad international reductions in cyber-weapons; and we can decide not to use them even if others do. Regardless of our policy towards hoarding vulnerabilities, the most important thing we can do is patch vulnerabilities quickly once they are disclosed. And that’s what companies are doing, even without any government involvement, because so many vulnerabilities are discovered by criminals. We also need more research in automatically finding and fixing vulnerabilities, and in building secure and resilient software in the first place. Research over the last decade or so has resulted in software vendors being able to find and close entire classes of vulnerabilities. Although there are many cases of these security analysis tools not being used, all of our security is improved when they are. That alone is a good reason to continue disclosing vulnerability details, and something the NSA can do to vastly improve the security of the Internet worldwide. Here again, though, they would have to make the tools they have to automatically find vulnerabilities available for defense and not attack. In today's cyberwar arms race, unpatched vulnerabilities and stockpiled cyber-weapons are inherently destabilizing, especially because they are only effective for a limited time. The world's militaries are investing more money in finding vulnerabilities than the commercial world is investing in fixing them. The vulnerabilities they discover affect the security of us all. No matter what cybercriminals do, no matter what other countries do, we in the U.S. need to err on the side of security and fix almost all the vulnerabilities we find. But not all, yet.

Policy clarity gives the US sufficient credibility for international modeling – conditional limits on zero-days fail.

Fidler 14 (Mailyn Fidler, graduate student at the Center for International Security and Cooperation Freeman Spogli Institute for International Studies, Stanford University. “ANARCHY OR REGULATION: CONTROLLING THE GLOBAL TRADE IN ZERO-DAY VULNERABILITIES”, May 2014, https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf)//CLi

International cooperation is needed on the zero-day issue, but U.S. leadership is required to catalyze such cooperation. Snowden’s disclosures have caused significant problems for the United States, reducing receptivity to cooperation with the United States on cyber issues. This 178 problem is exacerbated by the need to have the United States, as a major cyber player, involved in international negotiations. Existing confusion and controversy over national U.S. policies towards zero-day vulnerabilities create further obstacles to addressing these issues at an international level. The United States needs to establish policy clarity at a national level to set the stage for collective action, signaling to other nations its seriousness about the problem and the nature of American interests towards it. Richard Clarke and Peter Swire agree: “we create a more secure and useful global Internet if other nations, including China and Russia, adopt and implement similar policies” to what the Obama administration recently announced about U.S. zero-day policy, but “because they [other nations] are unlikely to do so any time soon, the Obama administration should also step up its efforts” and create “the basis for an international norm of behavior.”669 This thesis argues that the U.S. government must do more to strengthen its own zero-day policies as a necessary element of addressing the need for collective action.

Only a complete commitment to de-militarization overcomes international skepticism.

Adam Segal ’11, Maurice R. Greenberg Senior Fellow for China Studies and Director of the Digital and Cyberspace Policy Program, Ira A. Lipman senior fellow for counterterrorism and national security studies at the Council on Foreign Relations, ‘Cyberspace Governance: The Next Step’, Policy Innovation Memorandum No. 2, March 2011, Council on Foreign Relations Press, http://www.cfr.org/cybersecurity/cyberspace-governance-next-step/p24397, VL

This decentralized strategy is particularly important after Stuxnet, the malware that appears to target the Iranian nuclear program. It is now widely assumed that the United States, along with Israel, was behind the code. As a result, many countries will remain skeptical about Washington's intentions. Rules that appear to be the work of the United States alone will have little chance of gaining international support. But building a coalition of states who will gain from and are willing to push for new rules may give these norms greater legitimacy. There has been in the United States' international engagement, however, a tendency to substitute process for strategy. While the decentralized approach to cyberconflict is the right one, it does not help in identifying strategic goals. The White House will have to become actively involved in order to push the process forward. The National Security Council's Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC) subcommittee on international cyberspace policy efforts should drive action, not just coordinate and share information about what other agencies are doing. An informal multilateralism is best suited to cyberspace, and by focusing on some of the norms of interstate cyberconflict, and on thresholds and legitimate targets in particular, the United States will be better able to begin shaping international norms.