Visible to the public EAGER: Collaborative: Policies for Enhancing U.S. Leadership in CyberspaceConflict Detection Enabled

Project Details

Performance Period

Sep 15, 2014 - Aug 31, 2017


University of Michigan Ann Arbor

Award Number

Outcomes Report URL

Cybersecurity is threatened by the zero-day exploits (software vulnerabilities that have not been previously disclosed and are therefore potential vectors for attack). The threat is serious for exploits in the hands of major cyber powers that are potentially hostile nations. Publication of a zero-day exploits can enhance the resilience of domestic cyber-infrastructure (if an adversary has discovered the same exploit), and it could give other countries the opportunity to patch their systems proactively, increasing confidence that they will not be penetrated. Communicating zero-day exploits, however, has the obvious drawback that the exploit loses value as a weapon, because countries could patch their own systems to resist it. Thus, the cost of publication is the loss of such exploits for use in deterrence and/or future offensive cyber operations. U.S. policy has recently begun to address the question of which zero-day exploits known to the government should be published, both to enhance national security and to instill confidence by others. The project analyzes various costs and benefits of publishing exploits or patches, and studies how the costs might be mitigated whether through policy or technical means.

In a new collaboration, computer scientist, Stephanie Forrest, and political scientist, Robert Axelrod, are developing integrated approaches to the rapidly expanding problem of cyber conflict, combining historical analysis, technical research, strategic analysis, and computational modeling. This project focuses on three areas where U.S. policy could provide additional leadership in cyberspace: publication of zero-day exploits; labeling of neutral infrastructure, such as networks associated with hospitals or religious sites, and shared norms to protect neutral cyberspaces; and sustainment of Internet interoperability, which allows Internet users on different networks to communicate directly without interference. The findings may benefit national security by giving policymakers a way of assessing the costs and benefits of publishing exploits or patches. This project injects a fresh and timely voice into debates about the cyberagenda, suggesting concrete measures for minimizing the likelihood and impacts of conflict among state actors.