"The Vulnerability Economy: Zero-Days, Cybersecurity, and Public Policy"

Harvard Kennedy School Case

Paper KS1013-PDF-ENG, Harvard Business Publishing

February 2015

Author: Ryan Ellis, Associate, Cyber Security Project

Belfer Center Programs or Projects: Science, Technology, and Public Policy; Cyber Security Project

OVERVIEW

In 2011, Dillon Beresford, a computer security expert, discovered a series of new vulnerabilities impacting components of widely used industrial control systems. These new, previously unknown vulnerabilities—what are known as "zero-days"—were potentially very serious. Zero-day vulnerabilities are key components of computer viruses, worms, and other forms of malware. Vendors and security firms seek these flaws in order to patch and fix insecure software and hardware. Increasingly, however, nation states and criminals purchase zero-days from independent security researchers in order to develop new destructive cyberweapons and capabilities. Managing the growing trade in zero-day vulnerabilities is a key challenge for policymakers and corporate leaders. The case follows Beresford as he discovers a set of new zero-days and considers the different disclosure options available to someone in his position. The case reviews the mix of incentives that might encourage or discourage the discoverer of a new zero-day to: (1) disclose the flaw privately to the vendor of the insecure software or hardware; (2) disclose the flaw to the public without notifying the vendor; (3) pursue a hybrid strategy known as responsible or coordinated disclosure; or (4) opt to sell the vulnerability. The case illuminates the different costs and benefits of each of these approaches for the security researcher, the vendor of the flawed software or hardware, and the public at large. Ultimately, the case asks students to consider which model of disclosure is most beneficial for the public and what policy levers are most useful in supporting that model.

Professor Venkatesh Narayanamurti is the case's faculty sponsor.

For more information about this publication please contact the STPP Web Manager at 617-496-1981.

For Academic Citation:

Ellis, Ryan. "The Vulnerability Economy: Zero-Days, Cybersecurity, and Public Policy." Paper, Harvard Business Publishing, February 2015.
