For years I have wondered why, after vulnerabilities go undiscovered for significant periods of time, multiple groups of information security professionals seem to discover them simultaneously.
While I do not have scientific data to prove that any statistically significant pattern of such concurrent discovery exists, I can state that over the course of my entire career in information security I have observed this type of phenomenon too often to ignore it. I have even experienced it personally. Consider Microsoft Security Bulletin MS01-047 – Critical (which, incidentally, was also the first vulnerability report made by CERT after 9/11), which thanked two reporters. Having been the person who submitted the vulnerability report from one of the teams, I know firsthand that neither of the parties who reported the critical-level bug ever spoke with the other before the report was published; somehow, two unrelated parties independently discovered the same vulnerability at the same time.
I speculated at the time that the recent increase in popularity of Outlook Web Access, the product in which the vulnerability was found, may have caused multiple companies to concurrently examine it with increased scrutiny. That did not fully explain, however, how the two teams ended up discovering and reporting the same bug within days of one another, or why a similar simultaneous-reporting phenomenon seemed to repeat itself regularly.
This week, Wired reporter Andy Greenberg published a piece examining this matter. It seems that the recent Meltdown and Spectre vulnerabilities affecting most computers and smartphones, bugs which have been present for over 20 years, were discovered by no fewer than four teams at around the same time. That’s right: for 20 years nobody noticed that anything was wrong, and then, suddenly, four independent teams discovered similar major problems.
Greenberg quotes security researcher and Harvard Belfer Center fellow Bruce Schneier, who pointed out that “If I discover something lying dormant for 10 years, something made me discover it, and something more than randomly will make someone else discover it too.”
I share Schneier’s opinion – and will add that, even as thinking beings, we humans do not always understand what motivates us to think a certain way. Multiple security researchers may decide to explore a certain path of experimentation without any of them ever fully comprehending why they chose to follow that particular route of thinking, rather than another.
As such, while our motivating factors may never be fully obvious, there is a clear lesson from the existence of this “simultaneous discovery phenomenon” (sometimes known as “bug collision”): government security agencies should think much harder about the consequences of weaponizing security vulnerabilities and storing such cyberweapons for long periods of time instead of reporting the bugs to parties who can fix them. Creating cyberweapons out of zero-day vulnerabilities is dangerous. The weapons may be stolen, and, even if they are not, the failure to report exploitable vulnerabilities leaves businesses, organizations, individuals, and even other areas of the government vulnerable to attack. If we believe that whatever motivated our own government’s experts to explore and find the underlying bugs is likely, on a statistically significant basis, to also motivate agents of hostile nations and organized crime to explore similar paths, then reporting bugs quickly is essential to preserving our national security.
In fact, I recently received a phishing email that utilized a technique for tricking people that I had demonstrated and reported to several vendors not long before; it exploits the way web browsers and social media platforms handle links. It is not just the “good guys” who experience a “simultaneous discovery phenomenon”; criminals and cybersecurity pros are locked in a race, and often reach the same milestones at similar times. We must recognize this reality, and not deceive ourselves into believing that the zero days we discover are likely known only to us.