Wannacry About the Tragedy of the Commons? Game-Theory and the Failure of Global Vulnerability Disclosure.

Author: Schulze, Matthias; Reinhold, Thomas
Source: Proceedings of the European Conference on Cyber Warfare & Security; 2018, p454-463, 10p, 1 Diagram
Abstract: Vulnerabilities in software and hardware have global implications in an interconnected world, since they affect every user of a system containing such a vulnerability. Because cyber-attacks relying on software vulnerabilities produce significant costs for national economies worldwide and affect societies in their entirety, owing to the strong dependence on IT systems, finding and closing these vulnerabilities is in the rational interest of many countries. Coordinating vulnerability disclosure and timely patching on a global scale would thus be a common interest shared by all states targeted by cyber-attacks. However, states also maintain narrower particular interests, such as withholding software vulnerabilities for the purposes of foreign espionage, surveillance and law enforcement, or military cyber weapons. Thus, common and particular national security interests collide, resulting in what game theory calls a tragedy of the commons: global cyberspace becomes more insecure as more and more states withhold critical software vulnerabilities for reasons of national security. In game-theoretic terms, rational actions on a local level produce irrational effects on a global scale, representing a prisoner's dilemma. The paper uses game theory to develop a set of international best practices to escape the prisoner's dilemma of software vulnerabilities. In international relations, global regimes and norms are generally seen as a way out of prisoner's dilemmas. The question thus becomes what the smallest common denominator of such a global vulnerability disclosure regime could be, and under what conditions such an agreement could be reached. The case for developing these propositions is the EternalBlue incident of 2017, a software vulnerability that was held back by an intelligence service and whose unintended disclosure resulted in several destructive malware campaigns with economic damage on a global scale. [ABSTRACT FROM AUTHOR]
Database: Complementary Index