There’s no phrase as feared in information security as “zero-day.” Zero-days are vulnerabilities no one knew existed, until they’ve been taken advantage of. They got their name because there is literally “zero days” to do anything to prevent them. They are surprise-secrets—“unknown unknowns,” to quote former Secretary of Defense Donald Rumsfeld.
But if it’s the element of being unknown that makes a vulnerability dangerous, then it’s actually our own laws and policies that are making us the most susceptible right now. Our contradictory demands from tech companies and our inconsistent enforcement of laws leaves the public largely unaware of how exposed they are—right up until they’re hit with the realization there’s a problem. Think of these regulatory problems as “policy zero-days.”
They are creating even larger holes in our collective security than hackers themselves, who, as Rob Joyce, leader of an elite NSA hacker team, says, much prefer email phishing. (The NSA prefers phishing, too.) You can patch yourself or your community into safety from phishing. You can’t patch a policy zero-day.
But President-elect Donald Trump can take several steps to make our cyber policies consistent and, as a result, keep us all safer online. Here’s how.
Simplify Which Devices Law Enforcement Can Search
A federal court in Virginia recently ruled that having a server that hasn’t been patched with the latest security updates, the rough equivalent of skipping your Windows updates for a few months, is the same as leaving your windows open, meaning there is no need for a warrant to look inside it. If that doesn’t scare you, think about the last time you updated your phone’s software. If you’ve put off the last patch, did you just consent to a search?
Earlier this year, the Supreme Court signed off on changes suggested by a little-known committee (the Committee on Rules of Practice and Procedure to the Judicial Conference of the United States) to an obscure part of Federal Rules of Criminal Procedure called Rule 41 that recently went into effect. In one fell swoop, the changes open the door for a judge to approve searches on computers and devices anywhere in the world, if those devices are using one of a number of common tools to protect privacy. This is the perfect example of a policy zero-day that companies can’t prepare for.
Laws like Rule 41 will only exacerbate the overuse of subpoenas, which already dog American companies and force them to be the gatekeepers deciding which of their users’ data is and isn’t kept private from the government. In the recent San Bernardino terrorist attack, Apple ended up fighting for the privacy of all of its users as the FBI tried to force a way into all its phones.
In another case that shows how broad subpoena use has become, the government tried to prevent the parent company of a chat app called Signal from disclosing a government search to its users. In 2014, the FBI fought Lavabit over its secure email app to the point that the service shut down. We gain nothing by making our communications less secure.
It takes a lot of money and a lot of effort to fight these demands in court. Clear policy that would allow companies to disclose when they’re working with the government, and greater transparency on what the government is looking for, would only improve what the government gets out of searches, and it would relieve companies of the burden of litigating sensible privacy rules for all of us. The rights of our digital lives are at stake, and those decisions deserve to be made in public, by our representatives.
Build International Rules for Data in the Cloud
In addition to navigating things like the Great Firewall of China, companies have to deal with dueling regulations from close allies. A privacy activist in the E.U. recently sued Facebook for shuffling its citizens’ data to the United States, where it’s subject to looser privacy and search regulations. The very strengths of the cloud—that data is borderless and can be accessed anywhere—are now being held against companies on the web.
It’s hard to be truly borderless when you have to treat data from different countries differently. Amazon actually has to maintain separate infrastructure and regions to match policy. President-elect Donald Trump can press for better international rules to give businesses the clarity they need to do their jobs.
Think of Laws as We Do Flaws
Prior administrations have developed a process to determine when to keep a vulnerability secret and when to disclose it. The entire process is put in place because of the realization that these secrets embolden criminals and foreign governments to wreak havoc on our citizens.
Michael Daniel, President Obama’s Cybersecurity Coordinator, says the rules are a “deliberate process that is biased toward responsibly disclosing (a) vulnerability.” The idea is that any flaw in Internet security is a flaw for everyone. This same process should be empowered to cover the vulnerabilities that exist by law or other governmental action, so that our policies get the same type of scrutiny. Vulnerabilities, after all, are a legal problem, too. Changing these laws and policies would engender respect and cooperation from the private sector, the group the government needs to work with if it’s going to stop costly, embarrassing and dangerous hacking.
If we want to give the organizations tasked with keeping us safe the best possible chance to protect us all, we need to be clear about what we’re asking for. Good policy would also create a role for the private sector, which has some of the best talent in the field.
The government wants to leave holes in our security so it can walk through them later, if it needs to. But of course, that leaves holes. Hacking methods are, for the most part, shockingly simple. That gives us hope we can fix them. But no amount of innovation can cover policy gaps that keep growing.