A New Strategy for Reducing the Threat of Dangerous Øday Sales to Global Security and the Economy
68 Pages Posted: 19 May 2014
Date Written: March 25, 2014
Zero-day (“Øday”) vulnerabilities are defects in software that are unknown to computer users and software manufacturers. They can be “exploited” for cyber espionage and cybercrime purposes or even “weaponized” to execute commands that cause our nation’s computer systems — including those deployed by critical infrastructure sectors — to malfunction. In recent years, the market for these vulnerabilities has proliferated worldwide. Since the global market is unregulated and many companies do not screen their customers, criminals, terrorists, rogue governments, the Chinese People’s Liberation Army, and other nations and individuals seeking to exploit these vulnerabilities for “malicious cyber activities” may be gaining unprecedented access to them.
This report provides recommendations for mitigating the threat emanating from this global, unregulated market. It acknowledges the immense challenge of regulation and proceeds from the premise that eliminating dangerous Øday sales is virtually impossible. Such transactions are “intangible” and often anonymous, and determined buyers and sellers could frequently circumvent regulations. The threat of dangerous Øday sales to buyers seeking to deploy them for malicious purposes is also one of the most global threats that exist today. Øday discoverers, exploiters, purchasers, brokers, perpetrators, software vendors, and victims reside in nations throughout the world and therefore no single country can mitigate the threat acting alone. While acknowledging these challenges, this report proposes initial measures that would begin to mitigate the current threat, rendering it more difficult and costly to sell Ødays to those who seek us harm.
Suggested Citation: Suggested Citation