Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis
I/S: A Journal of Law and Policy for the Information Society. Vol. 11.2 (2015)
80 pages. Posted: 22 Dec 2015. Last revised: 20 Feb 2016.
Date Written: Summer 2015
Abstract
The global trade in zero-day vulnerabilities – software flaws unknown to the maker and public – constitutes a serious cybersecurity problem. Governments use zero days for military, intelligence, and law enforcement cyber operations, and criminal organizations use them to steal information and disrupt systems. The zero-day trade is global and lucrative, with the U.S. and other governments participating as buyers. Cybersecurity experts worry this trade enables governments, non-state actors, and criminals to gain damaging capabilities. The U.S. government’s participation raises concerns because keeping purchased zero days secret to preserve military, intelligence, or law enforcement utility undermines U.S. and global cybersecurity. These problems are generating a nascent, but growing, policy debate about the need to regulate the zero-day trade.
This paper contributes to this debate by analyzing U.S. domestic and international options for controlling the zero-day trade. Domestically, it examines criminalization, unilateral export controls, and increased oversight of U.S. executive branch actions. Internationally, it analyzes international legal approaches, voluntary collective action through export controls, and cooperation through collective defense organizations. The paper shows that regulating the global zero-day trade will be difficult, which signals the pervasiveness of realpolitik in cyberspace. If controlling the trade is the aim, then without U.S. leadership and coordinated international action the pull of anarchy will prevail over regulation.
Keywords: zero-days, Wassenaar Arrangement, CFAA, export controls, cybersecurity