Why is it so hard to govern malware use?


Policymakers have begun to develop policies to regulate the criminal use of malware domestically, but they have not yet developed coherent policies, at the national or international level, governing government purchase and use of malware across borders.

In the wake of the Snowden revelations in 2013, policymakers provided little information regarding how their use of malware affects key U.S. policy objectives, such as maintaining a stable and secure Internet. In April 2014, however, cybersecurity analysts discovered a major vulnerability, Heartbleed. Heartbleed is a flaw in the Secure Sockets Layer (SSL) library maintained by the OpenSSL project. Anyone with the know-how can use Heartbleed to read the memory of more than two thirds of the servers active on the Internet today. The bug can compromise the secret keys used to encrypt communications between individuals and Internet services such as social media and online banking. As a result, attackers could eavesdrop on those communications and steal data such as user names and passwords, opening up opportunities for fraud and theft. Some individuals feared that the U.S. and other governments could exploit this vulnerability; in late April 2014, they expressed their concerns at NETmundial, the Brazilian meeting on the future of Internet governance.

On April 28, in response to these concerns, the White House cybersecurity adviser, Michael Daniel, issued a blog post delineating how and when the U.S. would decide whether to reveal vulnerabilities that could be used to develop malware. While not a complete policy on the development and use of malware, it was the first public statement of the conditions under which vulnerabilities might be disclosed or kept secret. Daniel's post revealed that the U.S. had developed a formal decision-making process for balancing malware disclosure against the policy objective of cybersecurity. However, although the blog post was an important effort at transparency, it raised additional questions: for example, under what authority does the U.S. make these decisions, and who participates in the decision making? Moreover, the post said nothing about how decisions are made to purchase malware or to use malware across borders. Finally, the post did not delineate whether the U.S. weighs the trust and human rights spillovers of malware disclosure, although Daniel did state that the U.S. would weigh the economic costs and benefits.
