Research article, NSPW conference proceedings. DOI: 10.1145/2683467.2683473

Shifts in the Cybersecurity Paradigm: Zero-Day Exploits, Discourse, and Emerging Institutions

Published: 15 September 2014

Abstract

This ongoing dissertation research examines the institutionalization of new cybersecurity norms and practices that are emerging from current controversies around markets for software vulnerabilities and exploits. A market has developed for the production and distribution of software exploits, with buyers sometimes paying over USD 100,000 for exploits and software vendors offering bounties for the disclosure of underlying vulnerabilities. Labeled a 'digital arms race' by some, it is generating a transnational debate about the control and regulation of cyber capabilities, the role of secrecy and disclosure in cybersecurity, and the ethics of exploit production and use. The research takes a qualitative approach to theorize the emerging cybersecurity institutions. It is intended to provide insights into the technical, economic and institutional shifts in cybersecurity norms and practices. Analyzing the bug bounty programs run by Microsoft and Facebook as examples, the paper briefly discusses the role of institutions in facilitating software vulnerability markets. The paper summarizes the work presented at NSPW 2014; its findings are preliminary.


Published In

NSPW '14: Proceedings of the 2014 New Security Paradigms Workshop
September 2014, 148 pages
ISBN: 9781450330626
DOI: 10.1145/2683467
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. cybersecurity
  2. discourse
  3. institutions
  4. internet governance
  5. software exploit
  6. software vulnerability

Qualifiers

  • Research-article

Conference

NSPW '14: New Security Paradigms Workshop
September 15-18, 2014
Victoria, British Columbia, Canada

Acceptance Rates

NSPW '14 paper acceptance rate: 11 of 32 submissions (34%)
Overall acceptance rate: 98 of 265 submissions (37%)

Article Metrics

  • Downloads (last 12 months): 38
  • Downloads (last 6 weeks): 4
Reflects downloads up to 19 Dec 2024

Cited By

  • (2022) The Historical Relationship between the Software Vulnerability Lifecycle and Vulnerability Markets: Security and Economic Risks. Computers, 11(9): 137. DOI: 10.3390/computers11090137. Online publication date: 14 Sep 2022.
  • (2021) Ethical AI for Automated Bus Lane Enforcement. Sustainability, 13(21): 11579. DOI: 10.3390/su132111579. Online publication date: 20 Oct 2021.
  • (2021) A Recommender System for Tracking Vulnerabilities. Proceedings of the 16th International Conference on Availability, Reliability and Security, pp. 1-7. DOI: 10.1145/3465481.3470039. Online publication date: 17 Aug 2021.
  • (2021) Synthetic Biology Brings New Challenges to Managing Biosecurity and Biosafety. Emerging Threats of Synthetic Biology and Biotechnology, pp. 117-129. DOI: 10.1007/978-94-024-2086-9_8. Online publication date: 8 Sep 2021.
  • (2021) What We Know About Bug Bounty Programs - An Exploratory Systematic Mapping Study. Socio-Technical Aspects in Security and Trust, pp. 89-106. DOI: 10.1007/978-3-030-55958-8_5. Online publication date: 10 May 2021.
  • (2020) The Use of Runtime Verification for Identifying and Responding to Cybersecurity Threats Posed to State Actors During Cyberwarfare. 2020 International Conference on Computational Science and Computational Intelligence (CSCI), pp. 83-87. DOI: 10.1109/CSCI51800.2020.00021. Online publication date: Dec 2020.
  • (2017) Web Science Challenges in Researching Bug Bounties. Proceedings of the 2017 ACM on Web Science Conference, pp. 273-277. DOI: 10.1145/3091478.3091517. Online publication date: 25 Jun 2017.
