Anarchy or Regulation: Controlling the Global Trade in Zero-Day Vulnerabilities
- Preferred Citation: Fidler, Mailyn. Anarchy or Regulation: Controlling the Global Trade in Zero-Day Vulnerabilities. Stanford University Center for International Security and Cooperation. Stanford Digital Repository. May 2014. Available at: http://purl.stanford.edu/zs241cm7504
- Collection: Center for International Security and Cooperation (CISAC) Interschool Honors Program in International Security Studies
Access conditions
- Use and reproduction: User agrees that, where applicable, content will not be used to identify or to otherwise infringe the privacy or confidentiality rights of individuals. Content distributed via the Stanford Digital Repository may be subject to additional license and use restrictions applied by the depositor.
- License: This work is licensed under a Creative Commons Attribution-Noncommercial 3.0 Unported License
Description
Creators/Contributors
- Author: Fidler, Mailyn
- Advisor: Granick, Jennifer
- Advisor: Crenshaw, Martha
Abstract/Contents
The global trade in zero-day vulnerabilities – software flaws unknown to the maker and the public – constitutes a serious cybersecurity problem. Governments use zero days for military, intelligence, and law enforcement cyber operations, and criminal organizations use them to steal information and disrupt systems. The zero-day trade is global and lucrative, with the U.S. and other governments participating as buyers. Cybersecurity experts worry this trade enables governments, non-state actors, and criminals to gain damaging capabilities. The U.S. government’s participation raises concerns because keeping purchased zero days secret to preserve military, intelligence, or law enforcement utility undermines U.S. and global cybersecurity. These problems are generating a nascent, but growing, policy debate about the need to regulate the zero-day trade.
This thesis contributes to this debate by analyzing domestic and international options for controlling the zero-day trade. Domestically, it investigates criminalization, unilateral export controls, and increased oversight of U.S. executive branch actions. It concludes that increased executive branch oversight is the best national strategy to address the problems of existing U.S. policy. Internationally, this thesis analyzes international legal approaches, voluntary collective action through export controls, and cooperation through collective defense organizations. It concludes that voluntary collective action to harmonize export controls on zero days through the Wassenaar Arrangement is the most feasible international option.
This thesis demonstrates how difficult regulation of the global zero-day trade will be, signaling the pervasiveness of realpolitik in cyberspace. It argues that, without U.S. action and international action, the pull of anarchy over regulation will prevail.
Subjects
- Subject: Center for International Security and Cooperation; zero-day vulnerabilities; zero day; cybersecurity
- Genre: Thesis
Contact information
- Contact: mfidler@stanford.edu