
The zero-day dilemma: Are we ready for a cyber meltdown?

Cybersecurity journalist and author Nicole Perlroth joins HPE's Sunil James for a discussion on the hidden market for zero-day exploits and the vulnerabilities it exposes.

When award-winning author and journalist Nicole Perlroth first started her cybersecurity beat at The New York Times, the threat of an impending, major cybersecurity event often came up in interviews with experts.

"In the beginning, it all really felt like marketing, but the deeper I got into this space, the more I realized how vulnerable we were getting," Perlroth says, planting the seed for her New York Times bestseller "This Is How They Tell Me the World Ends."

"I knew I needed to write a book or at least piece together a narrative to grab people and say, 'Hey, you need to know about this,'" she explains in "Element of Protection: The Zero-Day Dilemma," a special security broadcast with Sunil James, senior director of security engineering at Hewlett Packard Enterprise.

A huge—and lucrative—market

As the title of the segment suggests, one of the most dangerous yet sought-after hacks today is the zero-day exploit, whereby an attacker penetrates an organization's defenses through a software flaw that the software maker doesn't yet know exists—and therefore has had zero days to fix it, Perlroth explains. That exploit, in turn, is often sold to whoever is willing to pay for it, opening the door to critical infrastructure breaches, government and corporate espionage, and much more.

The hidden market for zero-day hacks is huge—and lucrative. Perlroth notes that U.S. brokers will pay as much as $2.5 million for an exploit in which the user can read text, turn on a device's camera, record phone calls, and track location. "What else would a spy agency want?" she says. "If they can get a really good remote way into your iPhone, that's gold to a lot of governments."


And there are various reasons why a government, including U.S. federal agencies, would want to acquire such hacks, with counterterrorism activities and criminal investigations topping the list. But that brings up two important questions, Perlroth says: What is a terrorist, and who has oversight over the sale of zero-day exploits?

"I joke that the zero-day market is like fight club: The first rule is no one talks about the zero-day market, and the second rule is no one talks about the zero-day market," she says.

But Perlroth says that needs to change, noting her reporting is focused on flagging such activity, the lack of rules around it, and "the tradeoffs being made in the name of national security."

In through the back door

As James points out, hackers are targeting not just products from well-known vendors but everything from SCADA and embedded systems to mom-and-pop billing software—all of which could provide a foothold into critical infrastructure.

Today, "every country is investing in offensive hacking tools and zero-day exploits," Perlroth says, not just for espionage activities but also for destructive capabilities, as seen in the 2010 discovery of Stuxnet, which is said to have caused significant damage to Iran's nuclear program.


Increasingly, zero-day exploits are becoming the equalizer among countries large and small, James says, and they are changing how we think about collateral damage. While governments use zero-day hacks to protect their interests, he says, many of those attacks reach their target by tunneling through interconnected enterprises along the way. So the question becomes: Is the government, the enterprise, or the vendor responsible?

Perlroth borrows a quote from U.S. Sen. Angus King: "The U.S. has become the world's cheapest state when it comes to cyber," which means "our adversaries are not paying a price for attacks on our systems, for IP theft," she says. "This isn't just a Cold War game of two superpowers. This is a game where cybercriminals are often costing the most amount of damage."

'A blessing in disguise'

Perlroth and James point to the example of ransomware, which spiked as attack surfaces grew during the pandemic, and the fact that the endless stream of code being released today creates many more opportunities to find and exploit zero-day flaws than in the past.

"In some ways, ransomware has been a blessing in disguise because it has been penetration testing the U.S. and exposing just how vulnerable we are," Perlroth says.


So, where are enterprises in terms of readiness and what they should expect from the government and their vendors?

While zero trust and other security measures have helped, offensive hacking tools haven't been much of a deterrent, Perlroth says, leaving both the government and enterprises open to attack.

As such, Perlroth and James agree shared responsibility is key, noting 85 percent of critical infrastructure is run in the private sector, not by government, and zero-day exploits often aren't targeting enterprises themselves but using them as a conduit to get to higher-level targets.

They say better cyberdefenses begin with vendors' internal commitment to security, along with up-to-date systems, security best practices, and modern technology that can detect anomalous activity in an automated, scalable way.

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.