Paper - Cyber Security Project, Belfer Center
Countering the Proliferation of Malware
Targeting the Vulnerability Lifecycle
Summary
States have turned to export controls to block the international transfer of malicious software and limit its harmful effects. Based on the nature of the software and the identity of the end user, these controls should, in theory, keep malware out of the hands of the worst actors, including those with sinister human rights aims. In practice, export controls fail to check the transfer of malware because they ignore the incentives of those who develop and use this software. Even worse, the controls chill the work of legitimate security researchers, undermining efforts to protect states and users from cyber threats and potentially offering the basis for broader information controls.[1] Recognizing these shortcomings, a mix of academics, companies, and civil society groups has attempted to reform the current export control regime. However, even these modest reform efforts have produced only token changes.
A more effective proposal would limit the supply of vulnerabilities available to attackers by reducing the amount of time any given vulnerability is available for an attacker to use in malware. Doing so will raise the cost to build and acquire malicious software that depends on vulnerabilities. Using the United States as a model for implementation, this paper outlines ten recommendations to shorten the life cycle of vulnerabilities, clustered around four key activities:
- Increase the number of software vulnerabilities discovered by expanding the accessibility of bug bounty programs to new companies, but narrowing their scope to the most important bugs.
- Increase the number of vulnerabilities disclosed by researchers to software developers by reforming two important pieces of federal law that currently chill security research.
- Increase the speed of patch issuance once developers learn of vulnerabilities in their products by improving transparency around how long it takes software developers to issue security patches.
- Increase the number of customers that apply patches to security flaws once issued by software developers by improving transparency around which companies apply patches – and which ones do not.
For Academic Citation:
Herr, Trey. “Countering the Proliferation of Malware.” Paper, Cyber Security Project, Belfer Center, June 27, 2017.