Should security researchers release offensive security tools (OSTs)?
Industry insiders and outsiders have debated the merits of sharing offensive tools since the 1980s. Proponents primarily argue that releasing offensive tools helps push defense forward by forcing preventive and detective adaptation. Detractors say that releasing these tools does more harm than good, with many organizations unable to adapt quickly enough to prevent damage. Every now and then, the discussion reignites in public forums and persists for a few weeks.
I’m not writing this essay to swing your opinion one way or another. I’m actually going to refrain from offering my opinion at all because I think this argument represents a broader call to action that both sides should get behind.
I offer three ideas:
- Most folks oversimplify the OST release debate
- The OST release debate is important and warrants more research
- We all have a role to play if we hope to move this debate forward
Acknowledging the Fallacies
The tendency of debate is to simplify an argument into two opposing sides where each side is completely right or completely wrong. As the complexity of the argument increases, the likelihood of a simple yes or no answer decreases. When complex arguments are forced into a simple choice, that creates a false dichotomy or false dilemma. An example from broader discourse might be, “Should we fund social welfare programs?”
In this example, the problem begins with a close-ended question. The nature of a close-ended question is that it begets a yes or no answer. If you have any hope of critically examining social welfare, you must first reframe the question, such as, “What types of social welfare programs should we fund, and to what degree?” Of course, this begets even more nuanced questions.
By virtue of changing the question to an open-ended one, you create the opportunity for a critical examination of the topic. For the OST release debate, that probably means phrasing the question like this:
To what degree does the free, unregulated release of offensive security tools make the world inherently more secure or insecure?
People are often averse to asking open-ended questions because they can’t easily be debated in forums folks often rely on now, like Twitter. Of course, it shouldn’t be much of a surprise to anyone that Twitter is a poor forum for nuanced discussion.
The key to avoiding false dilemmas is thinking about the deeper question, and shifting from close-ended to open-ended questions. Not every debate warrants this level of scrutiny, but avoiding the false dilemmas is essential for those that do.
Researching the Efficacy of OST Release
We’ve invested tremendous amounts of resources into information security over the past three decades. Yet, our ability to defend networks has been outpaced by the scope, number, and impact of the attacks against those same networks. There is little room for smugness in doing things “the way we’ve always done them” or citing lessons learned that were based on a limited scope and tremendous bias. The security profession simply doesn’t have a successful enough track record to allow for it. Many of the maxims practitioners blindly accept as best practice fail to meet objective standards required for that designation. The notion that the unfettered release of OSTs is overarchingly and completely beneficial to the cause of security is one such maxim.
Yet, participants in debates on OST not only force the argument into a false dilemma, they often speak as though it’s ridiculous that the other side would even warrant a conversation. This behavior is intellectually dishonest. While few conclusions are valid, most perspectives are. Particularly, on important and nuanced topics. Few argue a complete restriction on any OST release. At the same time, few releasing OSTs operate without some moral line they won’t cross. The OST release debate often gets approached or dismissed like gun control debates, as Daniel Miessler points out in his essay on the topic.
Because critical examination and bonafide empirical research takes time and money, it’s often reserved for issues that reach a high threshold of importance and nuance. The broad release of offensive security tools exceeds that threshold.
Therefore, the most productive form of this debate right now is how we study it. In general, we’d want to measure the proliferation of OSTs to use by malicious adversaries, the proliferation of OSTs to defense by security teams, and make comparisons between the two based on risk and impact. That begins with identifying more specific research questions. For example:
- Malicious Proliferation
- What types of OST are most often and most quickly weaponized by malicious adversaries?
- How quickly do structured malicious adversaries make use of OST releases?
- What types of organizations are attacks using OST most likely to proliferate to quickest?
- Defensive Proliferation
- What types of OST are most often and most quickly weaponized by red teams?
- What are the characteristics of organizations that quickly implement protective and detective controls for OST releases?
While not close to an exhaustive list, once you start to answer these questions, you understand the more tangible effects of the issue. For example, we probably know that small businesses are less likely to implement detection controls resulting from OST release, but how much less likely? At what size does that likeness dramatically start decreasing? What types of detection are more likely to be implemented as business size decreases? I’m sure many of us have opinions on these things, but we could all stand to increase our sample size a bit.
With enough of these answers, we are able to consider more perspectives and think more critically about the impact of various “what if” scenarios. For example:
- Should we keep doing things as we are now with completely unrestricted OST release?
- Should we legally require those releasing OSTs to also provide complementary detection tools/signatures/techniques meeting an industry standard?
- Should there be a centralized authority for OST release?
- Should OST release only be legal for licensed entities or individuals?
- Is it possible to create a framework for evaluating the moral hazard of OST release?
For the record, I don’t know the answer to any of these questions. I could speculate on potential outcomes, but that would have to be weighed carefully against the evidence from research that doesn’t yet exist to make a reasonable conclusion.
Let’s be realistic here — answering these questions is hard. Finding answers requires a level of attack and defense visibility limited to large companies, vendors, or governments. Most of these groups aren’t compelled to conduct research. They require smart people who understand the security industry and have training in academic-level research. That intersection is incredibly low. Then, even if you were to get the right folks in the room with access to the right data, they all have to be paid.
Hard does not mean impossible. It’s time to stop admiring the problem.
A Call to Action
The question of whether the unrestricted release OSTs causes more harm than good is fundamentally important for the development of the information security profession. Therefore, we should collectively take action to push this debate forward. That means different things based on your role in the industry.
If you are a student or inexperienced member of the cyber security profession, discuss this issue with those whose opinions you admire. Ask your professors, mentors, and managers the question — To what degree does the free, unregulated release of offensive security tools make the world inherently more secure or insecure? Talk with people who have different and diverse opinions, ask them why they think the way they do, and ask them what would make them change their minds.
If you are an experienced member of the cyber security profession, be critical of your own opinion. Ask yourself, why do I think this way? Spend time talking with someone who has the extreme opposite opinion and do more listening than talking. Consider what things would need to change or what would you need to observe to change your opinion? Welcome the nuance and complexity of the topic. It’s okay to have an opinion that doesn’t boil down to “yes” or “no”.
If you are an educator or professor, facilitate discussions about this topic in your classrooms. Scaffold the question with prerequisite knowledge and spur the conversation with relevant examples. Don’t force your opinion on students, but instead, expose them to a variety of diverse opinions. If the conversation gravitates too far one direction, be prepared with examples and scenarios to challenge that conclusion. This is where I mostly fit in, so I created a lesson plan for a Socratic-style seminar designer to spur constructive conversation around this topic.
If you are someone with an industry voice and a following, do not settle for simple close-ended questions and answers. Do not be afraid to shift discussions to more nuanced questions and do not be afraid to say “I don’t know.” Perhaps most importantly, echo a call to action for more data, whether quantitative or qualitative.
The importance of the OST release issue warrants that everyone should have exposure to perspectives and research regarding its impacts. But, more of that research must exist first. Given the resource requirements of conducting such studies, I challenge organizations well-positioned for this type of research to invest in studying the proliferation and impact of unrestricted offensive security tool releases.
Realistically, this probably means a coalition of security vendors with visibility from relevant data (something akin to what Verizon produces with the DBIR), university researchers (perhaps in places with a history of this sort of research like Stanford), and industry educators (particularly those with the ability to mobilize resources, like SANS Institute). Funding could come from the coalition members or any number of grant-providing organizations likely to see the benefit of this research.
The goals of this effort should include defining key terms, identifying stakeholders, articulating critical research questions, conducting that research, and sharing the results for the benefit of the information security community. Any release should include a discussion of methods, participants, and funding sources.
The thoughts I provide in this essay apply to the OST debate, but also to any number of core debates in infosec that warrant this degree of scrutiny. Use it as a template, if you may. We must put forth resources and effort to thinking bigger than what any given moment provides us. Anything less is selling ourselves, our futures, and the safety of our constituents short.
Until we have more research, the best we can conclude right now is, “I don’t know.” The best question we can ask to move forward is, “How would I know if I was wrong?”