I have a new peer-reviewed publication in the German Sicherheit + Frieden/Security + Peace Journal. In it, I toy around with the idea of governmental vulnerability disclosure processes or vulnerability equity processes (VEP), trying to figure out if these could serve as a model for cyber arms control. Although the threat of cyber-conflict is rising at the moment, not much ground has been gained with cyber arms control regimes. The article analyses proposals for cyber arms control, modeled after traditional arms control regimes. It finds that challenges of the digital domain, issues of regime verification, and the lack of political will are big inhibitors in transferring these to the cyber-domain. To overcome these inhibitors, cyber-experts proposed a new type of regime focusing on zero-day vulnerabilities. Since nobody has so far explained what a so-called International Vulnerabilities Equities Process (IVEP) could look like, the article picks up the task and presents two models with their advantages and shortcomings. The article concludes that the IVEP proposal holds some promise, but due to many open questions, it is currently not feasible as a policy option.
Matthias Schulze, The State of Cyber Arms Control. An International Vulnerabilities Equities Process as the Way to go Forward? in: S&F Sicherheit und Frieden, page 17 – 21, S+F, Volume 38 (2020), Issue 1, ISSN: 0175-274X, ISSN online: 0175-274x, https://doi.org/10.5771/0175-274X-2020-1-17