Paul Stockton (Sonecon, LLC) & Michele Golabek-Goldman (Yale University - Law School) have posted "Curbing the Market for Cyber Weapons" (Yale Law & Policy Review, Forthcoming) on SSRN. Here is the abstract:
The United States and its international partners are permitting an unregulated, global market for cyber weapons to flourish. Weaponized zero-day ("Øday") exploits to attack the control systems for the power grid and other critical infrastructure components are on sale to criminals, terrorists, and rogue nations. Policymakers have begun to recognize the imperative to curb this market. There is no consensus, however, on the measures needed to do so.
We propose three initial steps to begin curbing the market for weaponized Øday exploits. First, the United States should incentivize developers of critical infrastructure industrial control systems and applications layer software to minimize security flaws in their products. The Support Anti-Terrorism by Fostering Effective Technologies Act provides an especially promising means to strengthen these incentives and should be amended to authorize such software developers to apply for liability coverage under the Act. Second, through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, the United States and its international partners should establish uniform controls of dangerous Øday exploit sales targeting critical infrastructure. Third, the United States should amend the Computer Fraud and Abuse Act to strengthen its ability to prosecute researchers located both domestically and abroad who recklessly sell dangerous exploits targeting critical infrastructure to America’s adversaries.