from Net Politics and Digital and Cyberspace Policy Program

New Cyber Brief: Using Incentives to Shape the Zero-Day Market

CFR Cyber Net Politics

September 19, 2016

Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

More on:

Cybersecurity

United States

Intelligence

The Digital and Cyberspace Policy Program has launched a new Cyber Brief. This one is authored by yours truly.

There has been a growing debate over the role the U.S. government could and should play in the zero-day market, the market that exists to buy and sell software vulnerabilities that have not been disclosed to software vendors. Some experts have suggested that the federal government corner the market, purchasing all known zero-days and revealing the vast majority of the zero-days it buys or discovers. Others want to regulate the market and make the sale of zero-days to bad actors illegal. Attempts to either monopolize the zero-day market or restrict it to specific actors are, however, likely not only to fail but also to undermine security by handicapping legitimate research.

Instead of overreaching to regulate the entire zero-day market, I argue the U.S. government should create incentives for individuals, companies, and governments to find, publicize, and patch software vulnerabilities, and thus reduce the risk of attack. The U.S. government should expand exemptions for security research under criminal and copyright law, promote secure software engineering early in a product's development, and expand bug bounty programs throughout the federal system.

You can find the full brief here.
