Harvard Kennedy School Case
Overview
In 2011, Dillon Beresford, a computer security expert, discovered a series of new vulnerabilities impacting components of widely used industrial control systems. These new previously unknown vulnerabilities—what are known as "zero-days"—were potentially very serious. Zero-day vulnerabilities are key components of computer viruses, worms, and other forms of malware. Vendors and security firms seek these flaws in order to patch and fix insecure software and hardware. Increasingly, however, nation sates and criminals purchase zero-days from independent security researchers in order to develop new destructive cyberweapons and capabilities. Managing the growing trade in zero-day vulnerabilities is a key challenge for policymakers and corporate leaders. The case follows Beresford as he discovers a set of new zero-days and considers the different disclosure options available to someone in his position. The case reviews the mix of incentives that might encourage or discourage the discoverer of a new zero-day to: (1) disclose the flaw to the vendor of the insecure software or hardware privately; (2) disclose the flaw to the public, without notifying the vendor; (3) pursue a hybrid-strategy known as responsible or coordinated disclosure; (4) or opt to sell the vulnerability. The case illuminates the different costs and benefits of each of these approaches for the security researcher, the vendor of the flawed software or hardware, and the public at large. Ultimately, the case asks students to consider which model of disclosure is most beneficial for the public and to consider what policy levers are most useful in supporting that model.
Professor Venkatesh Narayanamurti is the case's faculty sponsor.
Ellis, Ryan. “The Vulnerability Economy: Zero-Days, Cybersecurity, and Public Policy.” Harvard Business Publishing, February 2015