Zero-Days Aff - Michigan 7

Contents

zero-days aff

notes

aff background

plan text/mechanism background

1ac

1ac inherency

1ac ip theft advantage

1ac critical infrastructure advantage

1ac oco’s advantage

1ac plan – version 1

1ac plan – version 2

1ac solvency

topicality

2ac domestic surveillance (version 2)

2ac domestic surveillance (version 1)

1ar topicality

at: oriola concludes neg

inherency

2ac inherency

solvency

2ac corporate trust key

2ac modeling

2ac plan solves zero day demand

2ac plan solves cybersecurity

2ac surveillance solves

2ac “relevant vendors”

2ac us key to zero day markets

2ac zero days key

at: businesses won’t cooperate

at: ids solves

at: squo solves cybersecurity

ip theft advantage

2ac econ add-on

1ar ip theft key to econ

1ar econ impact

2ac disease add-on

2ac innovation add-on

2ac organized crime add-on

2ac plan solves ip theft

at: china war defense

at: heg resilient

at: russia war defense

at: no russian modernization

at: no russian ip theft

critical infrastructure advantage

2ac critical infrastructure brink

2ac food shortages add-on

2ac econ add-on

2ac plan solves critical infrastructure

at: critical infrastructure safe

at: grid defense

at: water supply safe

at: water shortage impact d

oco’s advantage

2ac cooperation key

2ac cyber arms race now

2ac cyberwar impact

2ac russia cyberwar impact

2ac vulnerabilities now

at: cyberwar won’t escalate

at: no cyberwar

at: no miscalc

disadvantages

2ac cyber-deterrence da

at: china/taiwan

at: korea war

at: politics

at: spending links

at: terrorism da

counterplans

at: i-law cp

at: internal review solves

at: nato cp

at: national security pic

at: regulations cp

at: oversight cp

zero-days aff

Thanks to Alex M., Camelia, Christina, Dylan, Eugenia, Kalen, Jackie, Jasmine, and Tristen for all of their hard work!

#GHJPXX

notes

Feel free to email me () if you have any questions about the aff/neg.

aff background

Please read this. It will answer 90% of your questions. This aff would be fairly confusing to anyone who hasn’t read about zero-day vulnerabilities or exploits, but it only takes a few minutes to learn the basic background behind the aff.
Who or what is a “zero-day”? Is this some kind of weird K aff?

Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014,

ZERO DAY ACTUALLY refers to two things—a zero-day vulnerability or a zero-day exploit.

Zero-day vulnerability refers to a security hole in software—such as browser software or operating system software—that is yet unknown to the software maker or to antivirus vendors. This means the vulnerability is also not yet publicly known, though it may already be known by attackers who are quietly exploiting it. Because zero day vulnerabilities are unknown to software vendors and to antivirus firms, there is no patch available yet to fix the hole and generally no antivirus signatures to detect the exploit, though sometimes antivirus scanners can still detect a zero day using heuristics (behavior-tracking algorithms that spot suspicious or malicious behavior).

Zero-day exploit refers to code that attackers use to take advantage of a zero-day vulnerability. They use the exploit code to slip through the hole in the software and plant a virus, Trojan horse or other malware onto a computer or device. It’s similar to a thief slipping through a broken or unlocked window to get into a house.

Okay. Why is it called a zero-day?

Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014,

The term “zero-day” refers to the number of days that the software vendor has known about the hole. The term apparently originated in the days of digital bulletin boards, or BBSs, when it referred to the number of days since a new software program had been released to the public. Zero day software was unreleased software and was highly coveted by hackers who wanted to be the first to obtain it.

How many of these zero-days are out there?

Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014,

Zero day vulnerabilities used to be extremely rare. Out of more than a million pieces of malware security firms discovered and processed each month, only about one or two were zero-day exploit code. These days, however, more zero days are being used and discovered. That’s in part due to the emergence of a large market for buying and selling zero-day vulnerabilities and exploits, driven largely by the demand from government intelligence agencies.

What does any of this have to do with surveillance?

Mick 13 [Jason, news editor and columnist for the leading science and technology online publication, “Tax and Spy: How the NSA Can Hack Any American, Stores Data 15 Years,” DailyTech, December 31, 2013,

According to him, the NSA has zero day vulnerabilities on hand that allow it to penetrate virtually any Wi-Fi router, Windows PC, external storage device, server, tablet, or smartphone.

Rather than give this data to private sector firms to offer increased security to users, the NSA turns around and exploits these flaws to spy on everyone -- sort of a digital equivalent of "sometimes you have to burn a village to save it."

The NSA calls its attack toolkit "FOXACID". FOXACID is packed with "QUANTUM" tools, which are NSA's digital lockpicks. Like many clumsy picks, they can damage the lock they attack, but it appears the NSA isn't terribly concerned about that.

There’s a market for zero-days? Where can I get them?

Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014,

The zero-day market has three parts. These include the black underground market where criminal hackers trade in exploit code and vulnerability information to break into systems and steal passwords and credit card numbers; the white market, which encompasses the bug bounty programs where researchers and hackers disclose vulnerability information to vendors, in exchange for money, so the holes can be fixed—this market includes security companies that purchase zero-day exploits to use in their penetration-testing products to determine if a customer’s system is vulnerable to attack; and the “gray” market, where researchers and companies, some of them military defense contractors, sell zero-day exploits and vulnerability information to militaries, intelligence agencies and law enforcement to use for surveillance and offensive computer operations.

What have they been used for?

Zetter 14 [Kim, award-winning journalist who covers cybercrime and security for Wired, “Hacker Lexicon: What Is A Zero Day,” Wired, April 15, 2014,

Some of the most famous attacks that used zero-day exploits are:

Stuxnet—a virus/worm that targeted computers in Iran’s uranium enrichment plant at Natanz and used five zero-day exploits to spread and gain privileged access on systems. Though one of the vulnerabilities was patched by Microsoft before the attackers could unleash their code, so technically, at the time Stuxnet was discovered, it was using only four zero-days.

Aurora—in 2010 hackers believed to be from China broke into Google, Adobe, and more than a dozen other companies using a zero-day vulnerability found in several versions of Microsoft’s Internet Explorer browser software. The attackers were targeting, at least in part, Google’s source code—possibly to study it and discover additional zero-day vulnerabilities for future use. The group behind those attacks is still active and has been caught using at least eight other zero-day exploits since then.

What is our current policy regarding these vulnerabilities?

Zetter 14 [Kim, award-winning journalist who covers cybercrime, civil liberties, privacy, and security for Wired, “Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA,” Wired, April, 2014,

AFTER YEARS OF studied silence on the government’s secret and controversial use of security vulnerabilities, the White House has finally acknowledged that the NSA and other agencies exploit some of the software holes they uncover, rather than disclose them to vendors to be fixed.

The acknowledgement comes in a news report indicating that President Obama decided in January that from now on any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors and others so that it can be patched, according to the New York Times.

But Obama included a major loophole in his decision, which falls far short of recommendations made by a presidential review board last December: According to Obama, any flaws that have “a clear national security or law enforcement” use can be kept secret and exploited.

This, of course, gives the government wide latitude to remain silent on critical flaws like the recent Heartbleed vulnerability if the NSA, FBI, or other government agencies can justify their exploitation.

plan text/mechanism background

The most common reform regarding zero-day vulnerabilities that anti-surveillance advocates push for is to have the NSA disclose zero-days to relevant vendors (basically, the firm/organization that released the software and antivirus vendors that have the proper clearances to deal with software vulnerabilities from that company, common ones being McAfee, Norton, etc.). The solvency cards all assume this disclosure mechanism.

There are two versions of the plan that attempt to contrive topical methods to do the plan, each of which has advantages and disadvantages.

Version 1: The United States federal government should substantially curtail its domestic surveillance using computer software vulnerabilities or exploits unknown to relevant vendors.

This version of the plan, which simply reduces surveillance activities that use zero-day vulnerabilities, is definitively topical, but it may not solve the aff. There are two solvency flaws in this text that negative teams can exploit:

1. “Surveillance” --- although surveillance is a major use for zero-day vulnerabilities, it is not the only one. Cyber capabilities, which the aff would ideally like to reduce, may be able to continue as usual…. There is a card in solvency under “2ac surveillance solves” that attempts to answer this claim most specifically by saying that surveillance is a prerequisite to cyberweapons (i.e. disruptive cyber operations), which means that disallowing surveillance is tantamount to disallowing cyberweapons.

2. “Domestic surveillance” --- the aff basically has the same problem that PRISM affs have by using the word “domestic.” If “domestic electronic surveillance” limits the targets of surveillance in any meaningful way, the NSA can presumably keep zero-days as long as they’re targeting non-domestic persons.

That being said, even if the neg wins either of those arguments (and I don’t think they’re necessarily easy victories), the aff can probably still disclose enough vulnerabilities to solve the corporate trust internal links.

Version 2: The United States federal government should substantially curtail its domestic surveillance of computer software vulnerabilities or exploits unknown to relevant vendors.

This version, with a very precise definition of terms, is a way of topically phrasing the proposal discussed above (disclosure of vulnerabilities). My reading of this sentence’s functional meaning is basically “the NSA/other agencies should stop acquiring and maintaining their current cache of zero-day vulnerabilities/exploits.”

How is this topical? Well, define “domestic surveillance” as “acquiring nonpublic information about U.S. persons.” Given that:

1) “U.S. persons” includes corporations; and

2) “Nonpublic information” includes “intellectual property.”

3) Zero-day vulnerabilities/exploits are “intellectual property.”

As a result, it could be argued that disclosing zero-day vulnerabilities to corporations would definitionally curtail the USFG (e.g. NSA)’s acquisition of nonpublic information (zero-days, which are intellectual property) of U.S. persons (corporations).

One last note about the aff: the DA and CP sections of the file may not appear particularly robust, but the case sections have more than enough material to answer the cyberdeterrence DA and oversight/regulation CP. Some assembly may be required, but most of the aff advocate’s responses to those proposals are represented in the file.

1ac

1ac inherency

Obama announced that the US would disclose zero-day vulnerabilities, or unknown software flaws, to their vendors --- but loopholes allow the NSA to stockpile zero-days and jeopardize widespread cybersecurity

Soghoian and Roubini 2015 (Chris Soghoian, Principal Technologist and Senior Policy Analyst, American Civil Liberties Union Speech, Privacy, and Technology Project & Sonia Roubini, ACLU Speech, Privacy, and Technology Project, “Feds Refuse to Release Documents on “Zero-Day” Security Exploits”, March 3, 2015,

Federal agencies served with a Freedom of Information Act request are refusing to release documents related to their purchase, use and disclosure of zero-day exploits, keeping the American public in the dark about a practice that leaves the Internet and its users less secure. Zero-day exploits are special software programs that take advantage of security vulnerabilities in software that are unknown to the software’s manufacturer. These exploits are frequently used by intelligence agencies and the military as well as, we suspect, by federal law enforcement agencies. But they can be used by any hackers, whether they work for the U.S. government, a foreign government, a criminal group, or anyone else. Zero-day vulnerabilities and the tools that exploit them are extremely powerful, because there is very little that potential targets can do to protect themselves. But the effectiveness of such exploits depends on their secrecy—if the companies that make the affected software are told about the flaws, they will issue software updates to fix them. Governments thus have a strong incentive to keep information about the exploits they have developed or purchased secret from both the public and the companies who create the software we all use. On February 5, we received a response from the Office of the Director of National Intelligence (ODNI) to a Freedom of Information Act request we filed for the disclosure of guidance or directives related to the government’s policies for the purchase, discovery, disclosure and exploitation of zero-days. 
The ODNI claimed that these records are classified under Executive Order 13526, Section 1.4(c), which states that information can be considered for classification if its disclosure could reasonably be expected to cause damage to national security issues pertaining to “intelligence activities (including covert action), intelligence sources or methods, or cryptology.” This response is consistent with the Obama administration’s refusal to make public most information related to its surveillance and cybersecurity policies. The formal United States policy regarding zero-day exploits, published in April 2014, states that federal agencies should reveal any major flaws in Internet security to companies in order to ensure that they are promptly resolved. However, this policy also carves out a broad exception for flaws that are being exploited for national security or law enforcement purposes—a loophole that effectively ensures that the government can and will continue to quietly exploit zero-days without warning companies or individuals of their existence. It is also unclear whether this policy only applies to zero days that government employees discover, or whether it also applies to vulnerabilities and exploits purchased from defense contractors, boutique security firms and exploit brokers. While zero-day exploits are no doubt useful to U.S. law enforcement and intelligence agencies, their use raises serious public policy concerns. Zero-days are also regularly used by foreign, hostile governments, criminals and hackers engaging in cyberattacks. That means our government’s choice to purchase, stockpile and use zero-day exploits instead of promptly notifying manufacturers is effectively a choice to leave both the Internet and its users less secure. This policy of prioritizing cyber offense over defense is highly problematic, particularly given Congress and the White House’s recent focus on cybersecurity.
On February 2, Obama pledged $14 billion towards improving cybersecurity defenses, and proposed new legislation intended to help prevent cyberattacks, some form of which is expected to pass through Congress this legislative session. If, as we are told, cybersecurity is such a top priority for the government, federal agencies should be doing everything in their power to ensure that vulnerabilities are fixed as soon as they are discovered, not months or years later after they have been fully exploited by law enforcement and intelligence agencies. At a time when cybersecurity legislation that would weaken existing privacy laws is being pushed through Congress, the American public deserves to know more about the government’s policies regarding the purchase, use and disclosure of zero days. There is an important public debate that must be had about the government’s role in cybersecurity, but without documents like the ones we have requested, this debate cannot take place.