In 2017, National Security Agency hacking tools were leaked on the Internet. One of these hacking tools relied on a vulnerability in Microsoft software. Its leak caused “the most destructive and costly N.S.A. breach in history.” This hacking tool took out: [the British health care system], Russian railroads and banks, Germany’s railway, French automaker Renault, Indian airlines, four thousand universities in China, Spain’s largest telecom, Telefonica, Hitachi and Nissan in Japan, the Japanese police, a hospital in Taiwan, movie theater chains in South Korea, nearly every gas station run by PetroChina, China’s state owned oil company, and, in the United States, FedEx and small electrical companies across the country. Then, this hacking tool was added to a different cyberweapon, where it caused an additional $10 billion in damage. Some consider this total a “gross underestimate.” The executive branch, through an internal process, had withheld this vulnerability from Microsoft for seven years. According to the executive branch, this Microsoft vulnerability was too valuable to disclose: the hacking tool using the Microsoft vulnerability “netted some of the very best counterterrorism intelligence” the NSA received. But the executive branch lacks the authority to unilaterally decide a vulnerability’s intelligence value outweighs the cost of withholding it. Vulnerabilities like the Microsoft one that the executive branch withheld are known as zero-day vulnerabilities (“zero-days”). This Comment’s thesis is that the executive branch can’t unilaterally withhold these zero-days to conduct offensive cyber operations or surveillance. I demonstrate this thesis in three steps. First, I explain what zero-days are and why they are dangerous. Second, I show the executive branch of the U.S. government unilaterally withholds zero-days. Third, and finally, I explain why the executive branch’s unilateral withholding of zero-days to conduct offensive cyber operations or national security surveillance is unconstitutional.
