Soghoian: Cyber weapon regulation excludes zero-day exploits
Carefully worded government guidance on what constitutes a cyber weapon allows the unregulated export of zero-day exploits, said Chris Soghoian, a Washington, D.C.-based privacy activist.
Soghoian, speaking Nov. 15 at the Center for Information Technology Policy at Princeton University, noted that a July 2011 Air Force instruction subjecting cyber capabilities to legal review for compliance with the Law of Armed Conflict excludes software "solely intended to provide access to an adversarial computer system for data exploitation."
"They're focused on the code you install once you've broken in to cause destruction and damage, but the code that you use to get into the door, to have the opportunity to cause destruction, is not considered a weapon at all," Soghoian said.
A zero-day exploit is agnostic as to whether it is used for data exploitation or for other purposes, and finding and weaponizing such exploits is far more difficult than writing malicious code to cause havoc after a system has been penetrated.
"The skills to find and deliver those tools are scarce. But everyone knows how to delete and to cause some basic denial of service," Soghoian added.