In the interconnected cyberspace, our fragile digital infrastructure is constantly exposed to cyber threats from various actors. Exploiting vulnerabilities in IT hardware and software has become a primary tool in cyber espionage and cyber warfare, posing significant challenges to global cybersecurity. Advances in artificial intelligence add to these challenges, with AI-enabled cyber weapons and AI-based automated cyber defences making the landscape increasingly complex.
State actors, driven by long-term strategic security interests, often retain knowledge of vulnerabilities and vulnerability exploits to support their military or intelligence operations in cyberspace. While international treaties and regulations are being discussed to limit such activities through vulnerability disclosure, concerns over sharing unique knowledge with each other or with third parties are preventing progress, as such sharing could create a potential tactical disadvantage and compromise state interests.
Addressing political challenges with tech
In their paper “ExTRUST: Reducing Exploit Stockpiles with a Privacy-Preserving Depletion System for Inter-State Relationships”, researchers from Prof. Thomas Schneider's Cryptography and Privacy Engineering Group (ENCRYPTO) and Prof. Christian Reuter's group Science and Technology for Peace and Security (PEASEC) propose a privacy-preserving solution to this problem using cryptography. The ExTRUST system enables two or more state actors to privately compare their vulnerability stockpiles using multi-party computation (MPC) and a novel exploit description method to detect common elements without disclosing them to opposing parties. This approach allows for careful consideration of disclosure while preserving the secrecy interests of the parties involved.
While the researchers point out that the MPC-based ExTRUST system does not currently meet all conceptual requirements, it proves to be scalable and can withstand several attack scenarios. The potential of ExTRUST goes beyond the inter-governmental context and is also transferable to other zero-trust applications such as bug bounty programmes. This versatile system represents a notable step forward in the pursuit of arms control and disarmament and provides new impulses on how technology can be used to address political challenges. The paper won the CROSSING Collaboration Award 2022 and has now been published in the IEEE journal Transactions on Technology and Society.
Thomas Reinhold, Philipp Kühn, Daniel Günther, Thomas Schneider, and Christian Reuter. ExTRUST: Reducing exploit stockpiles with a privacy-preserving depletion system for inter-state relationships. IEEE Transactions on Technology and Society, May 29, 2023.
This research has been funded by the German Research Foundation (DFG) via the Collaborative Research Center CROSSING, and co-funded via the Research Training Group Privacy & Trust. Further support came from the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE, as well as the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program.