Should the U.S. stockpile zero days?


To hoard or not to hoard? That is the question that a RAND Corporation study explores in a new report, "Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits."

In the last year, disclosures by WikiLeaks and the hacker group The Shadow Brokers have focused attention on the stockpiling of zero-day exploits by U.S. intelligence agencies, which has raised a number of questions about U.S. policies on collecting and disclosing (or not disclosing) such vulnerabilities.

The concern hinges on whether the National Security Agency and CIA in particular are putting Americans at risk by not disclosing vulnerabilities that the agencies want to use for gathering intelligence.

An unnamed vulnerability research group gave RAND access to more than 200 zero-day exploits and their respective vulnerabilities over a 14-year period. RAND evaluated these in an attempt to develop metrics to determine when a vulnerability should be retained or disclosed.

RAND found that zero-days last on average for 6.9 years, with 25 percent lasting less than 1.5 years and 25 percent living more than 9.5 years. RAND determined that "for a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity."

According to RAND, there are no identifiable characteristics of a vulnerability that indicate whether it will have a long or short life. Once a vulnerability is discovered, the median time to develop an exploit is 22 days.

Although there is no "cut-and-dried" answer to the question of whether to stockpile vulnerabilities, RAND said there are two factors central to the debate. They are the longevity of a vulnerability, or "how long the vendor or public remains ignorant of the vulnerability," and the collision rate, or "the likelihood that a zero-day found by one entity will also be found independently by another."
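The two factors named above, longevity and collision rate, are both survival statistics: how long a stockpiled zero-day stays private before someone else discloses it, and what fraction of a stockpile has been disclosed by a given horizon. The snippet below is an added illustration, not code from the RAND report or from FCW, of how such figures are derived from a stockpile ledger. It runs on a small constructed dataset (found day, public-disclosure day or None if still private) and uses the Kaplan-Meier estimator so that zero-days still private at the end of the observation window count as "lived at least this long" rather than being dropped; the output numbers are properties of the invented data, not RAND's 6.9 years or 5.7 percent.

```python
from fractions import Fraction

# Constructed sample stockpile, one row per zero-day: (day found, day publicly
# disclosed by another party, or None if still private). Values are invented
# for illustration and are not RAND's data.
STOCKPILE = [
    (0, 300), (0, None), (100, 800), (200, 3500), (500, None),
    (600, 950), (900, 2400), (1200, None), (1500, 1560), (2000, None),
]
OBSERVATION_END = 4000  # last day of the (constructed) observation window


def lifetimes(stockpile, observation_end):
    """Return (duration_days, disclosed) pairs.

    A zero-day that is still private at the end of the window is right-censored:
    all we know is that it survived at least until the window closed.
    """
    rows = []
    for found, disclosed in stockpile:
        if disclosed is None:
            rows.append((observation_end - found, False))
        else:
            rows.append((disclosed - found, True))
    return rows


def kaplan_meier(rows):
    """Kaplan-Meier survival curve as a list of (time, S(time)) at each disclosure.

    Exact rational arithmetic keeps threshold checks such as S <= 1/2 free of
    floating-point rounding surprises.
    """
    at_risk = len(rows)
    surv = Fraction(1)
    curve = []
    for t in sorted({duration for duration, _ in rows}):
        events = sum(1 for d, e in rows if d == t and e)        # disclosed at t
        censored = sum(1 for d, e in rows if d == t and not e)  # window ended at t
        if events:
            surv *= Fraction(at_risk - events, at_risk)
            curve.append((t, surv))
        at_risk -= events + censored                             # leave the risk set
    return curve


def survival_at(curve, t):
    """Probability a zero-day is still private t days after being found."""
    s = Fraction(1)
    for time, value in curve:
        if time > t:
            break
        s = value
    return s


def summarize(stockpile, observation_end, horizon_days=365):
    """Longevity and collision metrics in the sense used by the text."""
    rows = lifetimes(stockpile, observation_end)
    curve = kaplan_meier(rows)
    # Collision rate at the horizon: share of the stockpile someone else has
    # disclosed by then, censoring-aware.
    collision = 1 - survival_at(curve, horizon_days)
    # Median longevity: first time the survival curve drops to one half.
    median = next((t for t, s in curve if s <= Fraction(1, 2)), None)
    # Naive mean over completed lifetimes only (ignores the still-private ones,
    # so it understates longevity; shown for contrast with the KM figures).
    completed = [d for d, e in rows if e]
    mean_completed = sum(completed) / len(completed) if completed else None
    return {
        "one_year_collision": float(collision),
        "median_lifetime_days": median,
        "mean_completed_lifetime_days": mean_completed,
    }


if __name__ == "__main__":
    for name, value in summarize(STOCKPILE, OBSERVATION_END).items():
        print(f"{name}: {value}")
```

The point of the censoring-aware curve is that a stockpile observed for only a few years contains many zero-days that have not yet been found by anyone else; averaging only the completed lifetimes, as the last metric does, makes longevity look shorter and the collision rate look higher than the evidence supports.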

Perhaps the hardest question to answer is how much overlap there is between zero-day stockpiles held by adversaries.

"If both sides have the same stockpiles, then some argue that there is little point to keeping them private -- whereas a smaller overlap might justify retention," RAND said.

Stakeholders also weigh the cost of finding vulnerabilities and developing exploits, RAND said, as well as how long target systems go before being patched or updated, when deciding whether to hold zero-days.

"At the most basic level, any serious attacker can always get an affordable zero-day for almost any target," said RAND. "The majority of the cost of a zero-day exploit does not come from labor, but rather the value inherent in them and the lack of supply."

RAND also said it is extremely difficult to quantify the value of using a zero-day, especially when there are often easier methods of penetration available given the lack of cyber hygiene in many organizations.

"Little is known about the true extent, use, benefit, and harm of zero-day exploits," RAND said. "Discussions are often speculative or based on what is discovered after the vulnerability has been exploited and detected in an attack."

Ultimately, the RAND report said the decision to stockpile zero-days is a case-by-case determination.

"Our analysis shows that zero-day vulnerabilities may have long average lifetimes and low collision rates," RAND said. "The small overlap may indicate that vulnerabilities are dense … or very hard to find… If zero-day vulnerabilities are very hard to find, then the small probability that others will find the same vulnerability may also support the argument to retain a stockpile."

RAND points out that the collision rates for zero-day vulnerabilities are nonzero, which means there is a possibility that an adversary may discover the same vulnerability.

"Then the potentially severe consequences of keeping the zero-day private and leaving a population vulnerable warrant immediate vulnerability disclosure and patch," according to the report. "In this line of thought, the best decision may be to stockpile only if one is confident that no one else will find the zero-day; disclose otherwise," RAND concluded.

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.
