What should governments do when they discover a hardware 0-day? In the US, as a matter of policy, any vulnerability that is deemed to affect critical infrastructure is disclosed to the vendor by the government [VEP]. The government can withhold a vulnerability (and weaponize it) if doing so is judged to be in the larger national interest [NYT]. This share-or-save decision is a hard one; for its part, the NSA has said that it discloses nearly 90% of the vulnerabilities it discovers (sometimes only after using them).
For hardware 0-days, the save-or-share decision is likely to tilt further towards the save side, largely because hardware 0-days are relatively more powerful as weapons. A software 0-day can be mitigated by patching. A hardware 0-day, by contrast, can at best be partially worked around in microcode, firmware or software (often at a performance cost); fully mitigating it may require replacing the vulnerable hardware. When hardware 0-days are used by one nation state against another, they can be paired with trade sanctions that make replacing the vulnerable hardware difficult, leaving the adversary weakened for a longer period of time.
So it is likely that governments will not disclose hardware 0-days until they see evidence that the vulnerability is being exploited, or until it leaks. In the next part, I will discuss what academics should do when they discover hardware 0-days.
Does your government have a process for disseminating (hardware) 0-days? Post a comment!
About the author: Simha Sethumadhavan is an associate professor at Columbia University. His interests are in computer architecture and computer security. He is the founder of Chip Scan Inc. His website is: http://www.cs.columbia.edu/~simha