Stockpiling Zero-day Exploits: The Next International Weapons Taboo
USMA Research Unit Affiliation
Army Cyber Institute
In the current state of global affairs, a market exists for zero-day exploits in which researchers, nation states, industry, academia, and criminal elements develop, buy, and sell these commodities. Whether they develop zero-days or purchase them, nation states commonly stockpile them for the future. They may then use them for purposes such as espionage, offensive cyber operations, or deterrent effect. The immediate effect of this stockpiling, though, is that the exploit is not divulged to the public and is therefore not remediated. In our increasingly networked and code-dependent world, this creates the potential for a cyber disaster with as yet unimaginable impacts on global stability. It is therefore imperative that nation states responsibly divulge zero-day exploits through an international framework for the global good. Moving from the current state of affairs to one where responsible release of zero-day exploits is the norm will not be easy. There are many stakeholders who argue that keeping stockpiles is beneficial or that this is an area that is not feasible to regulate. However, as we have seen with nuclear, chemical, and biological weapons, it is possible to develop international regimes that prohibit the use of such weapons due to their extraordinary capabilities and impact. Alternatively, should these exploits be seen as equally pernicious as contagious diseases, nations may join together to form organizations similar to the WHO that can address international cyber issues. If a taboo against the use of zero-day exploits can be established, i.e., if we make their use morally illegitimate, the security of all users will be improved.