
BUGS IN THE MARKET: CREATING A LEGITIMATE, TRANSPARENT, AND VENDOR-FOCUSED MARKET FOR SOFTWARE VULNERABILITIES

Jay P. Kesan* & Carol M. Hayes**

Ukraine, December 23, 2015. Hundreds of thousands of homes lost power. Call center communications were blocked. Authorities reported that 103 cities experienced a total blackout. The alleged cause? BlackEnergy malware.

With so much of our daily lives reliant on computers, is modern civilization just a stream of ones and zeroes away from disaster? Malware like BlackEnergy relies on uncorrected security flaws in computer systems. Sometimes, the system owner fails to install a patch. Other times, there is no patch because the software vendor either did not know about or did not correct a critical security flaw. Meanwhile, the victim country's government or its allies may have knowledge of the same flaw, but kept the information secret so that it could be used against its enemies.

There is an urgent need for a new legal and economic approach to cybersecurity that will curtail socially harmful behavior by security researchers and governments. Laws aimed at curbing cyberattacks typically focus on punishment, with little to no wiggle room provided for socially beneficial hacking behavior. Around the world, governments hoard zero-day vulnerabilities while permitting software vendors to sue security researchers who plan to demonstrate critical security flaws at industry conferences. There is also a growing market for buying and selling security flaws, and the buyers do not always have society's best interests in mind.

This Article delves into the world of cybersecurity and software and provides an interdisciplinary analysis of the current crisis, contributing to the limited but growing literature addressing these new threats that cannot be contained by traditional philosophies of war and weaponry. First, the Article presents an economic model to explore incentives for selling vulnerability information in different types of markets. Then, it proposes and designs a revolutionary market for vulnerabilities aimed at facilitating legitimate, transparent, and vendor-focused transactions of critical security information at a fair market price. The proposal combines insights from economics, security, and law, and draws inspiration from around the world; from commodity futures markets in New York to archaeological sites in Iraq. The Article applies the marketplace proposal to several examples, demonstrating that it is a practical and achievable approach that will support socially desirable cybersecurity practices.

* Professor and H. Ross & Helen Workman Research Scholar, University of Illinois at Urbana-Champaign.
** Research Associate, University of Illinois at Urbana-Champaign. The authors wish to thank the members of the software and security communities who helped in the shaping of the proposal, including Chris Kuethe, Eduardo A. Vela Nava, and Don Hayes.

754 ARIZONA LAW REVIEW [VOL. 58:753

TABLE OF CONTENTS

INTRODUCTION 755
I. CYBER THREATS AND DEFENSES 762
   A. Characterizing Hackers 769
   B. Cybersecurity Regulation 770
      1. Cybersecurity Information Sharing 773
      2. Cybersecurity and International Law 776
   C. Technological Defensive Measures 778
   D. Other Defensive Measures 779
II. SOFTWARE VULNERABILITIES AND THE MARKET 780
   A. Computers and Software 783
      1. Evolving Malware Threats 784
      2. Software and Law 786
   B. Vulnerabilities 787
      1. Zero-Day Vulnerabilities and Research 789
      2. Finding and Disclosing Zero Days 791
         a. Legal issues in vulnerability research 791
         b. Zero days and the government 792
         c. Public disclosure 793
         d. Different types of disclosure 795
         e. Disclosure and the First Amendment 796
      3. Vulnerability Markets 799
      4. Vulnerability Market Regulation 802
III. CYBERSECURITY AND DIFFERENT MARKET APPROACHES 805
   A. Regulated Financial Markets 805
   B. Markets for Ideas 810
   C. Risk Shifting 813
   D. Markets for Illicit Goods 815
IV. BUILDING A THRIVING VULNERABILITY MARKET 817
   A. Crowding Out the Harmful Markets—An Economic Proposal 818
   B. Vulnerability Derivatives 821
   C. Vulnerability Sales 824
   D. Implementation and Possible Counterarguments 828
CONCLUSION 829

2016] BUGS IN THE MARKET 755

INTRODUCTION

The Internet is a game changer, connecting people, businesses, and countries like never before in world history. Educational videos from the 1990s painted the Internet as a great tool to help Lisa with her homework and let Dad check the stock reports.1 In the decades since, the Internet has proven to be much more than a useful tool. It is a new road that connects businesses to consumers and governments to citizens. It has dramatically reduced transaction costs to enable outstanding economic growth.2 But new roads can be used by anyone with access to them. As former FBI Director Robert Mueller noted, the same roads that enabled the spread of Roman civilization also led invaders to Roman doorsteps.3

This also applies in the arena of cybersecurity threats. General Keith Alexander, Director of the National Security Agency ("NSA"), declared that ongoing cyber thefts "represent the greatest transfer of wealth in human history."4 The global nature of cybercrime complicates the enforcement of laws and rights, because investigators are much more constrained by borders than criminals.5 In 2014, experts estimated that cybercrime costs the global economy more than $400 billion every year.6 The United States alone reportedly accounts for $100 billion of that total.7 Harm from cybercrime includes the destruction and theft of information, but the harm can also be reputational or even physical. One careless network user who clicks on a phishing link in an email is sometimes all it takes.8 The defender must simultaneously defend everywhere against everything, but all an attacker needs is one good day.9

1. See, e.g., Eric Mack, Revisit the Amazing Internet the Cool Kids Used in 1997, CNET (Aug. 18, 2013, 12:43 PM), http://www.cnet.com/news/revisit-the-amazing-internet-the-cool-kids-used-in-1997/.
2. See Miriam A. Cherry, Cyber Commodification, 72 MD. L. REV. 381, 407 (2013).
3. Omer Tene, A New Harm Matrix for Cybersecurity Surveillance, 12 COLO. TECH. L.J. 391, 392 (2014).
4. Keith B. Alexander, An Introduction by General Alexander, 19 NEXT WAVE, no. 4, 2012, at 2.
5. Cassandra Kirsch, The Grey Hat Hacker: Reconciling Cyberspace Reality and the Law, 41 N. KY. L. REV. 383, 383 (2014).
6. MCAFEE CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES, NET LOSSES: ESTIMATING THE GLOBAL COST OF CYBERCRIME 2 (June 2014), http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf.
7. Dan Zureich & William Graebe, Cybersecurity: The Continuing Evolution of Insurance and Ethics, 82 DEF. COUNS. J. 192, 192 (2015).
8. See Taiwo A. Oriola, Bugs for Sale: Legal and Ethical Proprieties of the Market in Software Vulnerabilities, 28 J. MARSHALL J. COMPUTER & INFO. L. 451, 465 (2011) ("[T]he human link remains . . . a potent source of vulnerability in the computing and network systems security chain.").
9. See Rachel Rue & Shari Lawrence Pfleeger, Making the Best Use of Cybersecurity Economic Models, IEEE SECURITY & PRIVACY, July–Aug. 2009, at 52, 53 (discussing the Clark and Konrad cybersecurity model, and stating that "the defender [against a cyberattack] must defend every front, but the attacker need be successful on only one").