{"title":"Backwards from zero: How the U.S. public evaluates the use of zero-day vulnerabilities in cybersecurity","authors":"Marcelo M. Leal, P. Musgrave","doi":"10.1080/13523260.2023.2216112","DOIUrl":null,"url":null,"abstract":"ABSTRACT Zero-day vulnerabilities are software and hardware flaws that are unknown to computer vendors. As powerful means of carrying out cyber intrusions, such vulnerabilities present a dilemma for governments. Actors that develop or procure such vulnerabilities may retain them for future use; alternatively, agencies possessing such vulnerabilities may disclose the flaws to affected vendors so they can be patched, thereby denying vulnerabilities not only to adversaries but also themselves. Previous research has explored the ethics and implications of this dilemma, but no study has investigated public opinion regarding zero-day exploits. We present results from a survey experiment testing whether conditions identified as important in the literature influence respondents’ support for disclosing or stockpiling zero-day vulnerabilities. Our results show that respondents overwhelmingly support disclosure, a conclusion only weakly affected by the likelihood that an adversary will independently discover the vulnerability. Our findings suggest a gap between public preferences and current U.S. policy.","PeriodicalId":46729,"journal":{"name":"Contemporary Security Policy","volume":"44 1","pages":"437 - 461"},"PeriodicalIF":4.0000,"publicationDate":"2023-05-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Contemporary Security Policy","FirstCategoryId":"90","ListUrlMain":"https://doi.org/10.1080/13523260.2023.2216112","RegionNum":1,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"INTERNATIONAL RELATIONS","Score":null,"Total":0}
引用次数: 2
Abstract
ABSTRACT Zero-day vulnerabilities are software and hardware flaws that are unknown to computer vendors. As powerful means of carrying out cyber intrusions, such vulnerabilities present a dilemma for governments. Actors that develop or procure such vulnerabilities may retain them for future use; alternatively, agencies possessing such vulnerabilities may disclose the flaws to affected vendors so they can be patched, thereby denying vulnerabilities not only to adversaries but also themselves. Previous research has explored the ethics and implications of this dilemma, but no study has investigated public opinion regarding zero-day exploits. We present results from a survey experiment testing whether conditions identified as important in the literature influence respondents’ support for disclosing or stockpiling zero-day vulnerabilities. Our results show that respondents overwhelmingly support disclosure, a conclusion only weakly affected by the likelihood that an adversary will independently discover the vulnerability. Our findings suggest a gap between public preferences and current U.S. policy.
期刊介绍:
One of the oldest peer-reviewed journals in international conflict and security, Contemporary Security Policy promotes theoretically-based research on policy problems of armed conflict, intervention and conflict resolution. Since it first appeared in 1980, CSP has established its unique place as a meeting ground for research at the nexus of theory and policy.
Spanning the gap between academic and policy approaches, CSP offers policy analysts a place to pursue fundamental issues, and academic writers a venue for addressing policy. Major fields of concern include:
War and armed conflict
Peacekeeping
Conflict resolution
Arms control and disarmament
Defense policy
Strategic culture
International institutions.
CSP is committed to a broad range of intellectual perspectives. Articles promote new analytical approaches, iconoclastic interpretations and previously overlooked perspectives. Its pages encourage novel contributions and outlooks, not particular methodologies or policy goals. Its geographical scope is worldwide and includes security challenges in Europe, Africa, the Middle-East and Asia. Authors are encouraged to examine established priorities in innovative ways and to apply traditional methods to new problems.