FBI struggles with greater good concept in zero-day exploits

It’s no secret that viruses of all kinds make their way into laptops and desktop PCs. If you think it’s impossible, just ask Apple about the Trojan virus that infected over 600,000 Macs worldwide just a few years ago. While viruses and malware often prove to be over-hyped events for many individuals who never experience them, software vulnerabilities are always present zero-day exploitsno matter how secure the software. In those cases, consumers expect hardware manufacturers to report these vulnerabilities and issue patches for them so as to protect consumers. They are unable to do so in zero-day exploits, for example, because of the nature of these software loopholes.

Zero-day exploits are named “zero-day” because manufacturers are not aware of them and thus, are unable to warn customers and issue patches to fix the problems. It’s no surprise to anyone, but the Federal Bureau of Investigations (FBI) is aware and uses of these zero-day exploits and yet, chooses not to reveal them to hardware manufacturers because of what FBI science and technology executive director Amy Hess calls “the greater good” in an interview with The Washington Post.

Hess acknowledged that the bureau uses zero-days – the first time an official has done so. She said the trade-off is one the bureau wrestles with. “What is the greater good – to be able to identify a person who is threatening public safety?” Or to alert software makers to bugs that, if unpatched, could leave consumers vulnerable? “How do we balance that?” She said. “That is a constant challenge for us.”

The “Greater Good” in Greater Detail: The Danger of Zero-Day Exploits

Zero-day exploits are bad in and of themselves, but Hess believes that the FBI has a more important duty to protect citizens and catch someone who is harming the public welfare. This is true, but why do it at the expense of millions of innocent citizens? At some point, catching that one cybercriminal may or may not be worth it if millions of citizens are impacted. This is a danger of taking zero-day exploits to their logical conclusion.

What zero-day exploits also show us is that hardware manufacturers themselves are not fully in control of their devices and thus, aren’t always responsible for loopholes that go undetected for months or years. The FBI, through Hess’s admission, is aware of these vulnerabilities. The FBI knows that the security backdoors exist, that customers are at risk to criminal hackers who know how to take advantage of them, and so on, yet choose not to reveal these so that they can catch cybercriminals. However, if cybercriminals are aware of these same backdoors and are getting smarter by the day, what “greater good” is achieved if the government catches 5 cybercriminals but exposes 5 million people to identity theft and the loss of personal information?

This is no different than a police task force that has its guns and ammo aimed at a building in which there are few windows, where 5 criminals have a room of 50 people in a hostage circumstance. Should the task force shoot blindly into the building and rejoice in killing the 5 criminals who were going to shoot the 50 others, all while taking a risk that the same bullets could hit the other 50 people? Yes, those 5 criminals may die, but the task force may also injure and kill many of the 50 innocent hostages. In other words, the lives injured and lost may outweigh and number more than the criminal lives left untouched.

The FBI should create a zero-day exploit compensation fund

By Hess’s admission, the FBI keeps all zero-day exploits to itself in order to catch criminals blindly (in other words, the FBI doesn’t seem to know which criminals thrive on which specific mobile devices), but if the FBI thinks this is the greater good, then I propose another: why not bless cybervictims blindly by creating a zero-day exploit compensation fund for them? You can’t endanger the welfare of citizens and call it protecting them without providing some form of relief for their lives as a result.

Let’s think about this on another scale: would we deem it okay if a mother threw her child in front of a train “to spare him from a criminal life with his father” because his father is a serial killer? No; rather, we would want the mother to go to jail for endangering the welfare of a child. How then, can this judgment be honored for the mother but overlooked in the case of the FBI? How can the FBI endanger the welfare of citizens under the guise of protecting them, then have no responsibility toward those same citizens when they become cybervictims? If the FBI knows about these zero-day exploits and does not disclose fully to hardware manufacturers, then the FBI should be on the hook to compensate citizens whenever someone reports that he or she is a victim of identity theft.

Now some may think here that I’m talking about fraud protection; I’m not. I’m talking about compensating every person who reports cybertheft, whether or not the victim in question lost money in the attack. The reason is simple: the FBI has a duty to protect citizens and, since its knowledge could help manufacturers patch zero-day exploits but is not revealed to catch criminals, the FBI should be on the hook when its citizens are endangered in cyberspace. In other words, a mother can’t endanger her child and go off scot-free; the FBI is no exception.

The issue I have with the FBI is that it has no responsibility in compensating cybervictims when a hack attack occurs, which is not acceptable for an entity that claims it’s pursuing the greater good in protecting citizens by trying to catch cybercriminals. The FBI is saying with zero-day exploits that it is breaking the laws so that it can force citizens to obey them. That just doesn’t add up.