The Vulnerability Economy: Zero-Days, Cybersecurity, and Public Policy Epilogue

Venkatesh Narayanamurti, Ryan Ellis
Harvard Kennedy School

This epilogue accompanies case 2029.0. In 2011, Dillon Beresford, an IT security expert, discovered a number of new vulnerabilities affecting widely used industrial control system components. These new, previously unknown vulnerabilities, known as “zero-days”, were potentially very serious. Zero-day vulnerabilities are key components of computer viruses, worms, and other forms of malware. Security vendors and companies look to these bugs to patch and repair insecure software and hardware. Increasingly, however, nation states and criminals are buying zero-days from independent security researchers to develop new weapons and destructive cyber capabilities. Managing the growing trade in zero-day vulnerabilities is a key challenge for policy makers and business leaders.

The case follows Beresford as he discovers a series of new zero-days and considers the various disclosure options available to someone in his position. The case examines the combination of incentives that could encourage or discourage the discoverer of a new zero-day to: (1) privately disclose the bug to the vendor of the insecure software or hardware; (2) disclose the bug to the public without notifying the vendor; (3) follow a hybrid strategy known as responsible or coordinated disclosure; or (4) choose to sell the vulnerability. The case highlights the different costs and benefits of each of these approaches to the security researcher, the vendor of the faulty software or hardware, and the general public. Ultimately, the case prompts students to consider which disclosure model is most beneficial to the public and which policy levers are most useful in supporting that model. File number 2029.1
