Should the U.S. stockpile zero days?

Zero-day vulnerabilities live on average for 6.9 years and have a low rate of discovery by other entities, which could argue in favor of stockpiling them, according to a comprehensive study by the RAND Corporation.

To hoard or not to hoard? That is the question that a RAND Corporation study explores in a new report, "Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits."

In the last year, disclosures by WikiLeaks and the hacker group The Shadow Brokers have focused attention on the stockpiling of zero-day exploits by U.S. intelligence agencies, which has raised a number of questions about U.S. policies on collecting and disclosing (or not disclosing) such vulnerabilities.

The concern hinges on whether the National Security Agency and CIA in particular are putting Americans at risk by not disclosing vulnerabilities that the agencies want to use for gathering intelligence.

An unnamed vulnerability research group gave RAND access to more than 200 zero-day exploits and their respective vulnerabilities over a 14-year period. RAND evaluated these in an attempt to develop metrics to determine when a vulnerability should be retained or disclosed.

RAND found that zero-days last on average for 6.9 years, with 25 percent lasting less than 1.5 years and 25 percent living more than 9.5 years. They determined that "for a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity."

According to RAND, there are no identifiable characteristics of a vulnerability that indicate whether it will have a long or short life. Once a vulnerability is discovered, the median time to develop an exploit is 22 days.

Although there is no "cut-and-dried" answer to the question of whether to stockpile vulnerabilities, RAND said there are two factors central to the debate. They are the longevity of a vulnerability, or "how long the vendor or public remains ignorant of the vulnerability," and the collision rate, or "the likelihood that a zero-day found by one entity will also be found independently by another."

Perhaps the hardest question to answer is how much overlap there is between zero-day stockpiles held by adversaries.

"If both sides have the same stockpiles, then some argue that there is little point to keeping them private -- whereas a smaller overlap might justify retention," RAND said.

RAND said stakeholders also weigh the cost of finding vulnerabilities and developing exploits, as well as how long target systems go before being patched or updated, when determining whether to hold zero-days.

"At the most basic level, any serious attacker can always get an affordable zero-day for almost any target," said RAND. "The majority of the cost of a zero-day exploit does not come from labor, but rather the value inherent in them and the lack of supply."

RAND also said it is extremely difficult to quantify the value of using a zero-day, especially when there are often easier methods of penetration available given the lack of cyber hygiene in many organizations.

"Little is known about the true extent, use, benefit, and harm of zero-day exploits," RAND said. "Discussions are often speculative or based on what is discovered after the vulnerability has been exploited and detected in an attack."

Ultimately, the RAND report said the decision to stockpile zero-days is a case-by-case determination.

"Our analysis shows that zero-day vulnerabilities may have long average lifetimes and low collision rates," RAND said. "The small overlap may indicate that vulnerabilities are dense … or very hard to find… If zero-day vulnerabilities are very hard to find, then the small probability that others will find the same vulnerability may also support the argument to retain a stockpile."

RAND points out that the collision rates for zero-day vulnerabilities are nonzero, which means there is a possibility that an adversary may discover the same vulnerability.

"Then the potentially severe consequences of keeping the zero-day private and leaving a population vulnerable warrant immediate vulnerability disclosure and patch," according to the report. "In this line of thought, the best decision may be to stockpile only if one is confident that no one else will find the zero-day; disclose otherwise," RAND concluded.