Backwards from zero: How the U.S. public evaluates the use of zero-day vulnerabilities in cybersecurity

IF 4 1区社会学 Q1 INTERNATIONAL RELATIONS

Contemporary Security Policy Pub Date : 2023-05-25 DOI:10.1080/13523260.2023.2216112

Marcelo M. Leal, P. Musgrave

{"title":"Backwards from zero: How the U.S. public evaluates the use of zero-day vulnerabilities in cybersecurity","authors":"Marcelo M. Leal, P. Musgrave","doi":"10.1080/13523260.2023.2216112","DOIUrl":null,"url":null,"abstract":"ABSTRACT Zero-day vulnerabilities are software and hardware flaws that are unknown to computer vendors. As powerful means of carrying out cyber intrusions, such vulnerabilities present a dilemma for governments. Actors that develop or procure such vulnerabilities may retain them for future use; alternatively, agencies possessing such vulnerabilities may disclose the flaws to affected vendors so they can be patched, thereby denying vulnerabilities not only to adversaries but also themselves. Previous research has explored the ethics and implications of this dilemma, but no study has investigated public opinion regarding zero-day exploits. We present results from a survey experiment testing whether conditions identified as important in the literature influence respondents’ support for disclosing or stockpiling zero-day vulnerabilities. Our results show that respondents overwhelmingly support disclosure, a conclusion only weakly affected by the likelihood that an adversary will independently discover the vulnerability. Our findings suggest a gap between public preferences and current U.S. policy.","PeriodicalId":46729,"journal":{"name":"Contemporary Security Policy","volume":"44 1","pages":"437 - 461"},"PeriodicalIF":4.0000,"publicationDate":"2023-05-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Contemporary Security Policy","FirstCategoryId":"90","ListUrlMain":"https://doi.org/10.1080/13523260.2023.2216112","RegionNum":1,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"INTERNATIONAL RELATIONS","Score":null,"Total":0}

引用次数: 2

Abstract

ABSTRACT Zero-day vulnerabilities are software and hardware flaws that are unknown to computer vendors. As powerful means of carrying out cyber intrusions, such vulnerabilities present a dilemma for governments. Actors that develop or procure such vulnerabilities may retain them for future use; alternatively, agencies possessing such vulnerabilities may disclose the flaws to affected vendors so they can be patched, thereby denying vulnerabilities not only to adversaries but also themselves. Previous research has explored the ethics and implications of this dilemma, but no study has investigated public opinion regarding zero-day exploits. We present results from a survey experiment testing whether conditions identified as important in the literature influence respondents’ support for disclosing or stockpiling zero-day vulnerabilities. Our results show that respondents overwhelmingly support disclosure, a conclusion only weakly affected by the likelihood that an adversary will independently discover the vulnerability. Our findings suggest a gap between public preferences and current U.S. policy.

查看原文本刊更多论文

从零开始:美国公众如何评估网络安全中零日漏洞的使用

零日漏洞是计算机供应商不知道的软件和硬件缺陷。作为实施网络入侵的有力手段，此类漏洞让各国政府进退两难。开发或获取此类漏洞的行为者可能会保留这些漏洞以备将来使用;或者，拥有此类漏洞的机构可能会向受影响的供应商披露漏洞，以便修补漏洞，从而不仅拒绝对手，而且拒绝自己的漏洞。之前的研究已经探讨了这种困境的伦理和影响，但没有研究调查过公众对零日漏洞的看法。我们提出了一项调查实验的结果，该实验测试了文献中确定的重要条件是否会影响受访者对披露或储存零日漏洞的支持。我们的结果显示，受访者压倒性地支持披露，这一结论只受到对手独立发现漏洞的可能性的微弱影响。我们的研究结果表明，公众的偏好与美国当前的政策之间存在差距。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Contemporary Security Policy Multiple-

CiteScore

14.60

自引率

6.80%

发文量

期刊介绍： One of the oldest peer-reviewed journals in international conflict and security, Contemporary Security Policy promotes theoretically-based research on policy problems of armed conflict, intervention and conflict resolution. Since it first appeared in 1980, CSP has established its unique place as a meeting ground for research at the nexus of theory and policy. Spanning the gap between academic and policy approaches, CSP offers policy analysts a place to pursue fundamental issues, and academic writers a venue for addressing policy. Major fields of concern include: War and armed conflict Peacekeeping Conflict resolution Arms control and disarmament Defense policy Strategic culture International institutions. CSP is committed to a broad range of intellectual perspectives. Articles promote new analytical approaches, iconoclastic interpretations and previously overlooked perspectives. Its pages encourage novel contributions and outlooks, not particular methodologies or policy goals. Its geographical scope is worldwide and includes security challenges in Europe, Africa, the Middle-East and Asia. Authors are encouraged to examine established priorities in innovative ways and to apply traditional methods to new problems.