May 28, 2019
Sharon Bradford Franklin wrote for the Fletcher Security Review Summer 2019 issue about the need for countries to establish robust and transparent vulnerabilities equities processes.
In 2017, leaders of the U.S. Intelligence Community warned that “more than 30 nations are developing offensive cyberattack capabilities.” This means that more than 30 countries may be conducting hacking operations as a method for surveillance, disruption, or destruction. Unregulated cyber surveillance and cyberattacks by government actors can pose risks not only to a government’s foreign adversaries, but also to its own citizens. Thus, as the United States and other nations work to enhance their own offensive cyber capabilities, as well as to develop strategies to defend against potential attacks, it is critical that these countries establish legal regimes to govern such conduct in cyberspace. Although Germany has established a legal framework to regulate government hacking activities, few countries have done so.
To bring government hacking operations within the rule of law, a crucial step is to design rules regarding the management of vulnerabilities that governments discover or acquire. As with other cyber actors, when governments conduct hacking operations, this frequently involves exploiting vulnerabilities in computer hardware and software systems. But these same flaws can also be manipulated by a government’s foreign adversaries or other malicious actors. Therefore, when countries consider their abilities to rely on hacking as an investigative tool, as well as their interests in exploiting vulnerabilities for military and intelligence operations, they must also evaluate the capacity of information and communications technology providers to repair bugs and protect the cybersecurity of all users. Determining whether to exploit a vulnerability or disclose it to a vendor for patching involves balancing a variety of different security concerns against each other.