28 Pages. Posted: 10 Dec 2013. Last revised: 3 Jul 2014
Date Written: December 18, 2013
The United States and its international partners are permitting an unregulated, global market for cyber weapons to flourish. Weaponized zero-day ("Øday") exploits to attack the control systems for the power grid and other critical infrastructure components are on sale to criminals, terrorists, and rogue nations. Policymakers have begun to recognize the imperative to curb this market. There is no consensus, however, on the measures needed to do so.
We propose three initial steps to begin curbing the market for weaponized Øday exploits. First, the United States should incentivize developers of critical infrastructure industrial control systems and applications layer software to minimize security flaws in their products. The Support Anti-Terrorism by Fostering Effective Technologies Act provides an especially promising means to strengthen these incentives and should be amended to authorize such software developers to apply for liability coverage under the Act. Second, through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, the United States and its international partners should establish uniform controls of dangerous Øday exploit sales targeting critical infrastructure. Third, the United States should amend the Computer Fraud and Abuse Act to strengthen its ability to prosecute researchers located both domestically and abroad who recklessly sell dangerous exploits targeting critical infrastructure to America’s adversaries.
Keywords: zero-day exploit, cyber weapon, cyberattack, software, liability, Safety Act, prosecution, export controls, Wassenaar Arrangement, cyberspace, cyberterrorism, CFAA
Suggested Citation:
Stockton, Paul and Golabek-Goldman, Michele, Curbing the Market for Cyber Weapons (December 18, 2013). Yale Law & Policy Review, Forthcoming. Available at SSRN: https://ssrn.com/abstract=2364658