Soghoian: Cyber weapon regulation excludes zero-day exploits


Carefully worded government guidance on what constitutes a cyber weapon allows the unregulated export of zero-day exploits, said Chris Soghoian, a Washington, D.C.-based privacy activist.

Soghoian, speaking Nov. 15 at the Center for Information Technology Policy at Princeton University, noted that a July 2011 Air Force instruction subjecting cyber capabilities to legal review for compliance with the Law of Armed Conflict excludes software "solely intended to provide access to an adversarial computer system for data exploitation."

"They're focused on the code you install once you've broken in to cause destruction and damage, but the code that you use to get into the door, to have the opportunity to cause destruction, is not considered a weapon at all," Soghoian said.

Zero-day exploits are agnostic as to whether they are used for data exploitation or for other purposes, and finding and weaponizing them is far more difficult than writing malicious code that wreaks havoc after a system has been penetrated.

"The skills to find and deliver those tools are scarce. But everyone knows how to delete and to cause some basic denial of service," Soghoian added.

