ze·ro-day

adjective COMPUTING

1. deriving from or relating to a previously unknown vulnerability to attack in some software.

   "It is known as a 'zero-day' because once a flaw becomes known, the programmer or developer has zero days to fix it."

Zero-days are the key raw materials that make up cyberweapons. In other words, zero-days are the kind of serious security flaw that people don't know about, which is why they remain so open to exploitation and valuable to those who mean to do harm. Cybersecurity, while a challenging topic, is an important issue because of how such vulnerabilities can impact individuals, businesses, and government agencies. Governmental action can both help or make things worse, though it's becoming clear that collaboration is growing increasingly necessary. 

"Cybersecurity threats from nation states and other well-funded, highly motivated actors present risks that neither the public nor the private sector can unilaterally address. "

-Executive Summary, Business Roundtable's report on More Intelligent, More Effective Cybersecurity Protection 

America should be encouraging white-hat hackers to keep working for good. We should be sharing information between government and businesses, and avoid using taxpayer funds for ineffective or even counter-productive initiatives, like keeping backdoors open in order to spy on American citizens.

In a much quoted passage in his inaugural address, President Kennedy said, "Ask not what your country can do for you, ask what you can do for your country."  The Chicago-school economist Milton Friedman subsequently used this quote in the beginning of his book Capitalism and Freedom as a way to analyze and re-evaluate the role of the state. Is America the collection of its free citizenry, along with their shared ideals and traditions? Or is it, like M. Friedman warned of the implications of Kennedy's statement, an increasingly paternalistic super-organism that compels its subjects to serve the state and its agenda? 

These questions are still relevant in the modern condition of fiscal responsibility (think of budget deficits and Keynes-vs.-Hayek arguments), though they are also relevant to the modern state of technology and cybersecurity. Is America supporting electronic freedom, respecting individuals' privacy, and providing citizens reasonable protection from foreign threats?

“One of the great mistakes is to judge policies and programs by their intentions rather than their results.” 
― Milton Friedman

The news of America's intrusive monitoring policies has incurred high costs resulting from the global loss of trust in American tech companies. The ITIF originally estimated PRISM to cost the U.S. economy up to $35 billion in lost cloud computing business around the world. Since that initial estimate, it now looks like loss of trust extended beyond just cloud computing and into the American tech sector more generally and will cost the U.S. economy even more. That's in addition to the tax money spent on building such programs.

Cisco, a member of the national Business Roundtable, saw its sales interrupted in Brazil, China, and Russia because of reports that the NSA had secretly inserted backdoor surveillance tools into its routers, servers and networking equipment. During a quarterly earnings call, Cisco CEO John Chambers even cited the NSA as the factor behind steep sales decreases, saying “I do think (the NSA revelation) is a factor in China.” These reports damaged the company’s international reputation and prompted it to take extra precautions to thwart surreptitious actions by the NSA. The additional costs this involved were passed along to its customers and the lessened profits were passed on to the shareholders.

Milton Friedman would argue for a smaller, more constrained government in the realm of cyberspace on one hand. A government that represents the interests of its citizenry. As he wrote in Capitalism and Freedom, "First, the scope of government must be limited. Its major function must be to protect our freedom both from the enemies outside our gates and from our fellow-citizens: to preserve law and order, to enforce private contracts, to foster competitive markets."

On the other hand, it should be a capable public-private system in order to protect Americans. Rather than secretly encouraging, planting and using zero-days, the U.S. government should help promote open markets where software bugs and security threats can be purchased by manufacturers in order to make timely security patches. Paying a security researcher $10,000 for a security-related bug could save taxpayers much, much more than a purely reactionary scenario - such as the data breach of the Office of Personnel Management. People are currently selling security leaks - to legitimate governments or to nefarious actors. We should work to remove the stigma of "hackers" and work to share information between upstanding citizens, businesses, and government agencies.

"However, instead of focusing on information sharing and collaborative risk management, government proposals misdirect scarce public and private-sector resources to compliance-based, check-the-box models. These proposals place the cart before the horse by calling for government creation of cybersecurity practices and standards before much-needed information sharing legislation is passed and implemented. " 

-Executive Summary, Business Roundtable's report on More Intelligent, More Effective Cybersecurity Protection 

We should encourage communication between government organizations and corporations in order to warn of dangers and to help protect each other. Incentivizing hackers to report on bugs, and then actually fixing those bugs makes us all safer. While the FBI or the NSA may want that backdoor access into your iPhone, so do ill-intentioned actors from around the world. Encryption and security updates are the right choice.

It's a challenging topic, so if you have any questions or would like to express differences of opinion or additional facts of which the author may not have been aware at the time of writing, please comment below. 

If you're interested in seeing and learning more about zero-days, VPRO Backlight, a Dutch documentary group, recently produced this well researched and informative piece entitled "Zero days - Security Leaks for Sale." It's a high-quality, modern introduction: