A zero-day is a vulnerability in the cyberspace realm that is kept secret and not revealed. Because the vulnerability is not revealed to the public or to software companies, the companies cannot fix the problem, as there have been zero days since they learned of it. The Obama administration is allowing the Federal Bureau of Investigation (FBI) and other agencies to keep zero-day vulnerabilities secret in order to investigate cyber-spying and hacking. In doing so, they may be leaving the public at large vulnerable to attacks from hackers, which could be catastrophic if they materialized.
“You might have a bad guy using a zero-day to attack a nuclear facility. The FBI doesn’t disclose that vulnerability because they don’t want to tip their hand,” said Steven Chabinsky, a former deputy assistant director in the FBI’s cybersecurity division.
Some suspect that security and intelligence agencies might have known about the Heartbleed bug, which is the largest cyber loophole ever discovered. The US government has denied that it or any agency knew about it beforehand. The FBI does not itself use zero-days as an active cyber-attack methodology, but they serve as an important tool for identifying hackers and spies and their hacking or spying techniques.
The important debate surrounding zero-days is how to strike a balance between security needs and leaving the public vulnerable. In some cases, the investigations can take years. Secondly, the criteria are not clear for choosing which vulnerabilities should be made public and which should be kept secret.
“The default should be to disclose,” said Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation based in San Francisco. “If it’s super important intelligence and the vulnerability isn’t much of a risk to the core Internet infrastructure, then maybe they could consider not disclosing it right away. I would say those scenarios are few and far between.”
“We’re not asking them to disclose the specifics of any particular investigation,” he said. “It’s the same way that it’s useful to know when the police have the authority to go get a warrant.”
“But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run,” Michael Daniel, the White House cybersecurity coordinator, wrote in an April 28 blog. “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”