This post was originally published by Harvard Kennedy School’s Belfer Center for Science and International Affairs.
Targeting the Vulnerability Lifecycle
Summary
States have turned to export controls to block the international transfer of malicious software and limit its harmful effects. Based on the nature of the software and the identity of the end user these controls should, in theory, keep malware out of the hands of the worst actors including those with sinister human rights aims. In practice, export controls fail to check the transfer of malware because they ignore the incentives of those who develop and use this software. Even worse, the controls chill the work of legitimate security researchers, undermining efforts to protect states and users from cyber threats and potentially offering the basis for broader information controls.1 Recognizing these shortcomings, a mix of academics, companies, and civil society group has attempted to reform the current export control regime. However even these modest reform efforts have produced only token changes.
A more effective proposal would limit the supply of vulnerabilities available to attackers by reducing the amount of time any given vulnerability is available for an attacker to use in malware. Doing so will raise of the cost to build and acquire malicious software that depend on vulnerabilities. Using the United States as a model for implementation, this paper outlines ten recommendations to shorten the life cycle of vulnerabilities clustered around four key activities:
- Increase the number of software vulnerabilities discovered by expanding the accessibility of bug bounty programs to new companies, but narrowing their scope to the most important bugs.
- Increase the number of vulnerabilities disclosed by researchers to software developers by reforming two important pieces of federal law that currently chill security research.
- Increase the speed of patch issuance once developers learn of vulnerabilities in their products by improving transparency around how long it takes software developers to issue security patches.
- Increase the number of customers that apply patches to security flaws once issued by software developers by improving transparency around which companies apply patches – and which ones do not.