Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis

I/S: A Journal of Law and Policy for the Information Society. Vol. 11.2 (2015)

80 Pages. Posted: 22 Dec 2015. Last revised: 20 Feb 2016.

Mailyn Fidler

Yale University, Law School, Students

Date Written: Summer 2015

Abstract

The global trade in zero-day vulnerabilities – software flaws unknown to the maker and public – constitutes a serious cybersecurity problem. Governments use zero days for military, intelligence, and law enforcement cyber operations, and criminal organizations use them to steal information and disrupt systems. The zero-day trade is global and lucrative, with the U.S. and other governments participating as buyers. Cybersecurity experts worry this trade enables governments, non-state actors, and criminals to gain damaging capabilities. The U.S. government’s participation raises concerns because keeping purchased zero days secret to preserve military, intelligence, or law enforcement utility undermines U.S. and global cybersecurity. These problems are generating a nascent, but growing, policy debate about the need to regulate the zero-day trade.

This paper contributes to this debate by analyzing U.S. domestic and international options for controlling the zero-day trade. Domestically, it investigates criminalization, unilateral export controls, and increased oversight of U.S. executive branch actions. Internationally, this thesis analyzes international legal approaches, voluntary collective action through export controls, and cooperation through collective defense organizations. This thesis demonstrates regulation of the global zero-day trade will be difficult, signaling the pervasiveness of realpolitik in cyberspace. If controlling the trade is a desired aim, without U.S. leadership and coordinated international action, the pull of anarchy over regulation will prevail.

Keywords: zero-days, Wassenaar Arrangement, CFAA, export controls, cybersecurity

Suggested Citation

Fidler, Mailyn, Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis (Summer 2015). I/S: A Journal of Law and Policy for the Information Society. Vol. 11.2 (2015). Available at SSRN: https://ssrn.com/abstract=2706199
