
On building a better market for cybersecurity

Anuraag Girdhar
June 1, 2014

Abstract
In this overview, I examine the market for software security vulnerabilities. I will focus on zero-days, which are newly-discovered unpatched vulnerabilities that are especially lucrative for hackers and especially dangerous for software companies. I’ll seek to resolve how to create a well-functioning market for these vulnerabilities that improves computer security for everyone. Often, the only market that exists for security exploits is a black market, and that will figure heavily into the discussion. This overview assumes a basic familiarity with economic concepts and game theory.

1 Introduction
The pioneering computer scientist Donald Knuth (who also invented the TeX
typesetting system that I’m using for this overview) has an ongoing project
called The Art of Computer Programming. Ever since he published the first
volume of this encyclopedic resource in the late 1960s, he has offered a bounty:
a reward check for any reader who discovers an error in his code, in order to keep
everything accurate. While the rewards are small, capped at $327.68, hundreds
of readers have taken him up on this offer, most of them framing the checks as
one would frame an autograph of a movie star or a sports personality. Knuth’s
efforts provide an apt analogue for cybersecurity. Just as he is willing to pay
others to find bugs to improve the access to knowledge for future readers, many
have argued that vendors should be willing to pay for security hacks and bugs
to improve safety for future users.

2 Current state of the black market

However, for reasons that will soon be clear, the black market, rather than vendor bounties, remains the primary source of compensation for most hackers. Much of the current state of knowledge on this topic is encompassed in the recent Rand Corporation report entitled “Markets for Cybercrime Tools and Stolen Data.” This study focuses on the increasing sophistication of the black market for cybercrime. In this section, I will touch upon some of the conclusions the authors reach. See Figure 1 for a phylogeny of computer hacks.
The authors outline a very rough sketch of what influences black market prices. In the case of non-zero-day exploits such as the 2013 Black Friday Target credit card breach, prices for credit cards drop for some time when the market is flooded with Personally Identifiable Information (PII). This is why large breaches have been infrequent in the past; it’s not (only) because intrusion detection systems (IDS) become more robust over time. It appears that credit cards are easy to price, taking type, expiration and limit as parameters, while pricing other stolen information like intellectual property (IP) is much more ambiguous. Exploit kits also range widely in price based on the degree of automation they provide, and they may be bought or rented as a service.
Perhaps the most distinguishing characteristic of the black market is its
reliance on trust for transactions. Malicious hackers have an intricate “vetting”
system on their Internet Relay Chats (IRCs) and forums, ensuring that only
verified buyers and sellers can participate. The recent rise of cryptocurrencies
for online transactions also permits a more anonymous and secure black market.
The report identifies botnets as the primary source of cybercrime today.
Botnets can be used for spam or Distributed Denial of Service (DDoS) attacks.
Indeed, even the nascent Internet of Things (IoT) has recently succumbed to
botnets launching DDoS attacks, including a recent high-profile attack from
a smart refrigerator. Botnets are inherently an internet technology, linking
thousands or even millions of machines to carry out large-scale attacks. Botnets,
like exploit kits, vary widely in price and have gotten cheaper over time.

2.1 Black market legal status

Unfortunately, it is very hard to make a case against exploit trafficking. The exploits themselves are legal, and as NYU law professor Jason Schultz notes, it is difficult to charge sellers with “conspiracy to violate the CFAA [Computer Fraud and Abuse Act] or Espionage Act,”[1] since the average seller cannot know whether the exploit will be put to illicit or legitimate use. In Section 5, I will return to how the vetting procedure mentioned above might be used to remedy this situation. For now though, without a stronger legal framework in place, fear of prosecution is not much of a deterrent at all.

3 The zero-day vulnerability

In the introduction, I mentioned how vendors should be willing to pay for vulnerabilities discovered in their software, the same way Donald Knuth pays for errors in his books. In this spirit, beginning in 2009 the prominent hackers Charlie Miller, Alex Sotirov, and Dai Zovi launched a campaign called “No More Free Bugs”,[2] in which they demanded vendor compensation for finding exploits. Soon thereafter, they helped popularize CanSecWest’s Pwn2Own competition and HP’s Zero-Day Initiative (ZDI), both contests that offer a monetary reward to encourage hackers to responsibly report new vulnerabilities to vendors.

3.1 White-market legal issues

Throughout this section, you will notice how issues that recently plagued the market for zero-days are being resolved; the market is correcting itself. Before these competitions existed, benign security researchers often feared legal injunction for their work, and so would not report vulnerabilities to the vendors. For example, consider the following two anecdotes:

[1] Jason Schultz, Forbes, “Hackonomics: The cost of getting caught”, (April 28, 2014)
[2] Ryan Naraine, ZDNet, “Questions for Pwn2Own hacker Charlie Miller”, (March 19, 2009)

I. Cisco: In July of 2005, a security researcher demonstrated how to remotely compromise Cisco routers, but under pressure from Cisco, agreed to turn over all his materials.[3] Marc Maiffret at eEye Digital Security aptly noted that “people are definitely going to want to find more vulnerabilities... and now people aren’t going to care to report things to Cisco.”
II. Massachusetts Bay Transit Authority: MIT students who hacked into the MBTA’s automated fare collection system in August of 2008 were, after a federal lawsuit against them was dismissed, hired by the MBTA as consultants.[4]

As is evident from these anecdotes, it is difficult to discern ex ante what the response from the vendor will be, and until the advent of hacking competitions, security researchers were forced to play a risky game. Of course, only large and established vendors participate in these competitions, so the situation is still the same with the smaller firms. In July of 2013, the security research firm GibsonSec noticed that Snapchat’s symmetric encryption key was in plain sight in the app, allowing the service to be exploited.[5] When they tried to responsibly inform Snapchat, they received neither praise nor an injunction; they were ignored. They consequently published the encryption key (M02cnQ51Ji97vwT4) along with an API to exploit the service. And the rest, as they say, is history.
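A hardcoded key like the one GibsonSec found is the kind of defect a vendor can catch before shipping by scanning its own build artifacts for high-entropy string constants. The following Python is an added example, not code from the essay or from GibsonSec: the fake binary blob, the key-like token embedded in it, and the thresholds (16 characters, 3.5 bits per character) are constructed assumptions, and the same scan applies to any binary, config file or repository snapshot.

```python
import math
import re

# Minimum length and entropy (bits per character) for a string constant to be
# reported; both thresholds are assumptions tuned for base64/alphanumeric keys.
MIN_LEN = 16
MIN_ENTROPY = 3.5

# Constructed stand-in for an app binary: a fake header, ordinary string
# constants, zero-entropy padding, and one embedded key-like constant.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00"
    b"\x00Content-Type: text/plain\x00"
    b"https://api.example.invalid/upload\x00"
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00"   # padding, entropy 0
    b"q7Zt2Lp9Vx4Kw1RnB8sJ\x00"               # constructed key-like constant
    b"Error: could not open file\x00"
)

# Runs of base64/alphanumeric characters long enough to be a key.
CANDIDATE_RE = re.compile(rb"[A-Za-z0-9+/=]{%d,}" % MIN_LEN)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_key_like_strings(blob: bytes, min_entropy: float = MIN_ENTROPY):
    """Return (offset, token, entropy) for every high-entropy string constant in blob.

    Ordinary identifiers, URLs and padding have low per-character entropy and
    are skipped; random-looking constants of key length are reported.
    """
    hits = []
    for m in CANDIDATE_RE.finditer(blob):
        token = m.group().decode("ascii")
        h = shannon_entropy(token)
        if h >= min_entropy:
            hits.append((m.start(), token, round(h, 2)))
    return hits


if __name__ == "__main__":
    for offset, token, h in find_key_like_strings(SAMPLE_BINARY):
        print(f"offset {offset:#x}: {token} (entropy {h} bits/char)")
```

A hit is a prompt to look, not a verdict: the scan will also flag hashes and compressed data, so the remediation step is to confirm what the constant is and, if it is a secret, move it out of the client into a server-side or per-user credential.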

3.2 Gray-market legal issues

For the past few years, the gray market for zero-days has been largely unregulated. Specialized security research firms make up the majority of the sellers in this market, and they sell mainly to government clients and security agencies. Some of these include VUPEN, Endgame, Netragard, ReVuln, and even more established defense contractors like Northrop Grumman and Raytheon. However, some of the players in the market are middlemen like Bangkok-based “The Grugq”, who charges anywhere between $5,000 for a simple Adobe Reader hack and $250,000 for an iOS exploit, and takes 15% of the profit.[6] “The Grugq” and people like him provide a valuable gray market link for unaffiliated security researchers.
The members of VUPEN’s team are particularly outspoken, and have revealed the order of magnitude of gray-market prices. After finding a critical Google Chrome exploit in 2012, they did not enter Google’s lucrative Pwnium competition and win the $60,000 prize, claiming that even $1,000,000 would have been too small an incentive to disclose the bug.[7] Despite high-paying government clients, the market will not remain unregulated for long. In the December 2013 update of the Wassenaar Arrangement, intrusion software is now dual-use controlled. (41 countries are signatories on the Wassenaar Arrangement, including the United States.) According to the European Commission website, dual-use items are civilian goods that ‘may have military applications;’ indeed, government clients often stockpile zero-days as cyberweapons in preparation for attacks against other countries.[8] According to Council Regulation (EC) No 428, dual-use controls particularly scrutinize the questions of re-export and end use, the latter of which may come under fire in the case of zero-day sales. We haven’t seen the effects of this development yet, but in May 2014, VUPEN founder Chaouki Bekrar responded to the new regulations via a series of Twitter posts.

[3] Robert Lemos, “Settlement reached in Cisco flaw dispute”, (July 29, 2005)
[4] DMLP Staff, Massachusetts Bay Transportation Authority v. Anderson, (January 13, 2014)
[5] Snapchat Security Advisory, (August 27, 2013), http://gibsonsec.org/snapchat/
[6] Andy Greenberg, “Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits”, (March 23, 2012)
[7] Ibid., “Meet The Hackers Who Sell Spies The Tools To Crack Your PC”, (March 21, 2012)

3.3 Corporate responses

In response to these exorbitant gray-market prices, some vendors have been raising their bounties. In October of 2013, Microsoft paid $100,000 to James Forshaw of Context Information Security for a Windows bug.[9] At the revamped Pwnium 4 competition, Google will be giving away $2.7 million in prize money. Google and Microsoft may have the money to shift activity away from the gray market, but is this the most economical way to encourage hackers to participate in these competitions? In this vein, I introduce some of the open questions regarding markets for cybersecurity that require attention. In the remainder of this overview, I will attempt to address them.

4 Some open questions

I. What is the best way to promote vendor-sponsored hacking competitions over gray-market opportunities? Despite its brash claim in 2012, VUPEN has been increasingly participating in hacking competitions, finding a zero-day in Firefox at the 2014 Pwn2Own contest and walking away with $400,000 in cash.[10] Even if it’s only a publicity stunt, is it possible to encourage other hackers to follow in their footsteps?
II. What is the best way to get smaller vendors involved in hacking competitions? Ironically, only the larger firms that already have security research teams to handle software vulnerabilities have the prize money to give away in hacking competitions. Will security research firms always be as courteous as GibsonSec, or do these smaller vendors need to change?
III. If we manage to subdue gray-market activities, what happens to the gray-market clients? The report published by the NSA review committee in December 2013 indicates that the US government should only levy zero-day attacks for “high priority intelligence collection.”[11] Joel Brenner, former NSA inspector general, responds: “to some degree the proposal to forbid the use of zero-day attacks is a proposal to shut down signals intelligence.”[12] However, the issue seems to only be contentious in the US; other countries may have fewer qualms about such cyberwarfare.
IV. How to prevent large-scale data breaches (or is it possible?) It is obvious that the IDS that firms like Target employ are far from foolproof, but it doesn’t make sense for them to participate in hacking competitions; such large-scale data breaches are usually low-sophistication botnet attacks, which don’t require a security researcher to crack. Do they need to hire security research teams of their own?
V. How can we apply game theoretic research to some of these open questions? There is a growing body of literature on computer hacking, modeling it as a game played between an attacker and an IDS, or an attacker, vendor and social planner. They often focus on issues like optimal vulnerability disclosure time, which will be a useful thing to know if and when the market is legitimized.

[8] Dual-use controls, European Commission, http://ec.europa.eu/trade/import-and-export-rules/export-from-eu/dual-use-controls/
[9] Samuel Gibbs, The Guardian, “Microsoft pays $100k bounty to British researcher who found Windows 8.1 bug”, (October 10, 2013)
[10] Michael Mimoso, Threatpost, “VUPEN CASHES IN FOUR TIMES AT PWN2OWN”, (March 12, 2014)
[11] Chris Bryant, Financial Times, Media: “‘Zero-day’ hacking reform raises hackles with US tech groups”, (January 14, 2014)
[12] Ibid.

5 Proposals and Recommendations


5.1 How to keep zero-day researchers off the gray market
The obvious solution is for vendors to increase the size of the reward to security researchers. However, this may not be an optimal solution. As things currently stand, some, but not all, of the critical vulnerabilities will be discovered and reported by benign hackers (white hats), but the vendor has no way of knowing how many will be left for malicious hackers (black hats) to sell or exploit. They could match the gray-market price, but if the white hats catch most of the bugs anyway, they would just be wasting their money.
As I mentioned above, trust and reputation are extremely valuable in the hacker community. In fact, hackers often desire 1337, or “leet” (elite) status, and have created an entire internet jargon around it called 1337-speak. If there were a way to use hacker reputation as a currency with which to reward participation, we can at least expect the hackers who greatly value their reputation (or, as in the case of VUPEN, publicity) to switch over to taking part in vendor-sponsored hacking competitions. Of course, there will always be those who will sacrifice pride for money, but I don’t believe that most zero-day security researchers are so mercenary.
Suppose Google, the respected technology giant behind the Pwnium competition, issues a comprehensive ranking of all active hackers based on their exploits. Google would use a very meticulous methodology to ensure that these rankings reflected all available information, and publish that methodology online for approval from the hackers. Google would also announce that at random time intervals it would select a small but arbitrary-sized subset of the rankings, and scramble them. Of course, Google would also revise the rankings periodically as new information about the hackers’ exploits came in. Finally, Google would make its intentions very clear. It would specify within the ranking methodology that thenceforth, exploits responsibly revealed to the vendor would earn more points than those that were sold on the black market.
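To make the mechanics of the proposal concrete, here is an added Python sketch of the ranking board (my example, not anything Google or the essay’s author published): each hacker carries evidence points revised as new information arrives, a hidden offset that is redrawn only for a small random subset at each scramble, and a published order computed from the sum, so that a drop in rank cannot be attributed to either cause from the outside. The point values, the maximum offset, the subset size, the handles and the seed are all assumptions.

```python
import random
from dataclasses import dataclass

# Assumed point values for the two kinds of evidence the essay distinguishes:
# an exploit responsibly disclosed to the vendor earns more than one sold on
# the black market.
POINTS = {"disclosed": 10, "black_market": 3}


@dataclass
class Entry:
    score: int = 0   # evidence-based points, revised as new information arrives
    fudge: int = 0   # hidden random offset, redrawn only when the hacker is scrambled


class RankingBoard:
    """Published hacker ranking with periodic random scrambling of a small subset."""

    def __init__(self, handles, max_fudge=15, seed=None):
        self.entries = {h: Entry() for h in handles}
        self.max_fudge = max_fudge          # assumption: offsets stay within +/- 15 points
        self.rng = random.Random(seed)

    def record(self, handle, kind):
        """Periodic revision: add points for a newly reported exploit."""
        self.entries[handle].score += POINTS[kind]

    def scramble(self, max_fraction=0.1):
        """Pick a small, arbitrary-sized subset and redraw their hidden offsets.

        Returns the chosen handles so a caller can audit the mechanism; the
        published list never reveals them.
        """
        n = len(self.entries)
        k = self.rng.randint(1, max(1, int(n * max_fraction)))
        chosen = self.rng.sample(list(self.entries), k)
        for h in chosen:
            self.entries[h].fudge = self.rng.randint(-self.max_fudge, self.max_fudge)
        return chosen

    def published_order(self):
        """Best first. Only score + fudge is observable, so a drop is not attributable."""
        return sorted(
            self.entries,
            key=lambda h: (-(self.entries[h].score + self.entries[h].fudge), h),
        )

    def rank(self, handle):
        return self.published_order().index(handle) + 1


if __name__ == "__main__":
    board = RankingBoard(["r@@g", "cl00ney", "zer0"], seed=1)
    board.record("r@@g", "black_market")
    board.record("cl00ney", "disclosed")
    print("before scramble:", board.published_order())
    print("scrambled:", board.scramble(max_fraction=0.5))
    print("after scramble: ", board.published_order())
```

Because the offset persists until the same hacker is drawn again, the behaviour the essay relies on falls out directly: a scrambled hacker is unlikely to be pushed back again soon, and a responsible disclosure (10 points) outweighs the largest possible unlucky offset within a few events.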

5.1.1 Why does this work?

As you might have guessed, I’m suggesting that in publishing a list of rankings, Google would provide a quantified, validated benchmark for 1337-status among the hacker community. Assuming that hackers buy into it, they would be forced to participate in vendor-sponsored competitions to level up against other hackers. But why would anyone buy into such a system, when they’re told outright that it’s designed to stymie their moneymaking enterprise? Let’s examine this from the perspective of an example hacker. We’ll call him r@@g.
Every morning when r@@g wakes up, he checks his hacker RSS feed. Two weeks ago, he found Google’s hacker ranking, along with a blog post describing the methodology. To his dismay, he found that he was in 167th place. He returned to his work, but today, he is notified that his ranking has changed. Now he’s in 182nd place, and his colleague and competitor cl00ney is ahead of him at 176th. r@@g has no way of knowing whether fifteen other hackers have surpassed him in their accomplishments of the past two weeks, or whether Google selected him for its scrambling algorithm and randomly pushed him back fifteen places. Regardless, he can’t let anyone, especially cl00ney himself, think that he is less skilled than cl00ney. Since Google only selects a small number of people for the scrambling algorithm each time, and he was scrambled this time, it is unlikely that he will be pushed back again for a while. And of course, if he is scrambled forward, all the better for him. Therefore, the scrambling system doesn’t undermine his incentive to participate in a vendor-sponsored competition and try to take home first prize.
Of course, Google could easily tag the black hats on the list and vary the proportion of them selected for the scrambling subset depending on the state of black market zero-day sales. If there are more black hats in the subset, then more black hats will be scrambled back, and hence more are likely to shift away from black market activities in favor of vendor-sponsored competitions. If a black hat is scrambled back, at worst he decries the list and continues with his moneymaking; at best, he adjusts his efforts toward responsible disclosure in order to gain more notoriety. And it is true that the worst-case scenario is unlikely: even if every hacker believes that every shift downward in their ranking is due to a random scrambling, if they believe that each of the other hackers believes the list, or if they believe that each of the other hackers believes that each of the other hackers believes the list... then each hacker has no choice but to give the list credence, because it has become synonymous with 1337.
Finally, why should hackers believe that other hackers believe the list? The scrambled subset is always relatively small compared to the size of the list, and because of this, most hackers will be content with the list; some will be glad that they have inexplicably moved forward. Indeed, even when people believe that rankings are complete rubbish, everyone knows that everyone loves a top-10 or top-100 list. This is why the US News and World Report college rankings have so much of an effect on who applies to which school, and why high school seniors applying to college can’t shrug them off as our intuition tells us they ought to; they have to factor the rankings into their application decisions too.

5.1.2 Conclusion
In the end, it’s not really trickery that accomplishes the task, but a principle
from mathematical logic called common knowledge (or common belief, in this
case). An item p is common knowledge among a set of players G if all the players
in G know p, they all know that they all know p, and so on, ad infinitum. And
once they buy into it, the only way that hackers could undermine this system is
if they were to read this paper and through their internet channels, distribute
it. In that case, they could collectively boycott the system as follows: each
of the hackers would individually proclaim to the entire group that they were
abandoning the Google rankings in favor of some other ranking list, or to return
to the informal pre-ranking system.
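The definition above, written out in the standard epistemic-logic notation (added here as a worked formalization; it is not part of the original essay, and the operators $K_i$, $E_G$ and $C_G$ are the textbook names, which the essay does not use):

Let $K_i\,p$ mean “player $i$ knows $p$”, and let mutual knowledge in the group $G$ be
$$E_G\,p \;=\; \bigwedge_{i \in G} K_i\,p .$$
Then $p$ is common knowledge in $G$ when every finite iteration of $E_G$ holds:
$$C_G\,p \;=\; E_G\,p \;\wedge\; E_G E_G\,p \;\wedge\; E_G E_G E_G\,p \;\wedge\; \cdots \;=\; \bigwedge_{n \ge 1} E_G^{\,n}\,p ,$$
which is equivalently the fixed point $C_G\,p \;\leftrightarrow\; E_G\,(p \wedge C_G\,p)$. Common belief is the same construction with a belief operator $B_i$ in place of $K_i$, dropping the truth axiom $K_i\,p \to p$; this is why the essay says “belief” here, since the list need not actually be accurate for it to become the shared benchmark. The boycott described above is the same mechanism run in reverse: a proclamation heard by the entire group makes “the list is abandoned” mutual knowledge at every level at once, so $C_G$ of the negation is established in a single step.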

5.2 Improving small vendor responses to security issues

Since small vendors will be increasingly forced to address security issues in the future, in this subsection I will try to address their options and what they can do to expand them. “Small” also refers to large firms with peripheral extensions in the technology sphere. For example, the New Yorker is primarily a print magazine, but in 2010, the paywall for its online site suffered a security breach.[13]
For vendors like Snapchat and the New Yorker, the app is only a means to facilitate an end, and they don’t have large software development teams working on the technology, let alone security researchers. How then, can they avoid major fiascos? Snapchat’s response to GibsonSec was in some ways understandable; it was difficult for Snapchat to discern whether GibsonSec was responsibly reporting a real zero-day or setting off a false alarm designed to trick the anonymous photo-sharing service. One might suggest that Snapchat should have conducted some internet reconnaissance on GibsonSec when they received the first email, taking a cue from the vetting system exercised by black market hackers (indeed, black market hackers are also trying to weed out so-called “rippers,” purveyors who don’t deliver on their promises to offer their services).
However, the solution is not so simple. GibsonSec was only formed in response to the Snapchat zero-day, and it is composed of Australian students with, as they themselves admit, “no formal qualifications.” A Google search for GibsonSec with the dates restricted to just before they unveiled the Snapchat exploit yields only five pages of results, many of which link to Arabic language websites. The vetting procedure, even on the individual members that comprise GibsonSec, would have been prohibitively hard. This is more likely the rule than the exception among security research firms, since many are little more than hacker collectives.
Another, perhaps more viable solution is for vendors to take preventative measures. Many firms within an industry might come together and collectively pledge a prize amount in one of the major hacking competitions. If only one firm’s product is successfully cracked, they will share the cost of a single bounty. If most of the products are cracked, they will each be forced to pay most of the pledged amount. Such a scheme not only allows smaller vendors to crowdsource their security vulnerabilities, but it also encourages accountability and peer-monitoring. With a larger group of people looking out for the interests of such a corporate collective, vulnerabilities are more likely to be repaired even before they are subject to the inquest of one of the hacking competitions.

[13] Nate Freeman, New York Observer, “How to Hack into the Paywall-Protected New Yorker Archives”, (October 25, 2010)

5.3 What happens to the government clients

Short of retaliation against other countries that are using zero-days for cyberattacks, there is no reason the US should be purchasing zero-days. When the US government exploits a vulnerability instead of warning the public, the vulnerability is left without a patch for too long. When hackers rediscover it as a “half-day” (a much more common breed of vulnerability than the zero-day), they can build up an infrastructure around it to levy attacks on personal computers and corporate networks until a patch is developed.
However, the defense industry’s demand for zero-days shows no sign of declining. The US cybercrime investigation website HostExploit, which is perhaps best known for exposing the Russian Business Network (RBN), identifies the US as having the largest number of malicious host servers.[14] An anonymous former defense contractor alleged that his “job was to have 25 zero-days on a USB stick, ready to go.”[15] As a result, security researchers have a much more lucrative option than vendor-sponsored competitions. If some program like the ranking system proposal I suggested successfully convinces hackers to stop selling to government clients, the governments may bid up prices to coax the hackers to return.
The ideal long-term solution is to draft international cybersecurity legislation that prohibits any government use of zero-days except, as the NSA review committee recommends, under exceptional circumstances. This would assuage, for example, American and Chinese mutual allegations of cyberattacks by the foreign country against domestic computer networks. However, Sofaer et al. (2009) note that those allegations are precisely the reason that no legislation on cyberwarfare has been established. They recall that when Russia proposed to outlaw cyberwar many years ago, China blatantly refused, and the US ignored the proposition. US military officers even announced their intent to “dominate” cyberspace. While the US, China, Russia and 12 other nations in 2010 agreed to follow “confidence building, stability, and risk reduction” measures with regard to offensive use of communications technology, it doesn’t seem to mean much in light of Russia’s recent cybercombat with Ukraine and ongoing tensions between the US and China. This will truly be a difficult issue to resolve.

5.4 How to prevent large-scale data breaches

Why was Target such an easy target for a data breach? The details reveal that the operation exploited a series of missteps rather than a genius hack. The thieves first targeted a heating and air conditioning contractor with a phishing scam, allowing them entry into the system. They then proceeded to infect the point-of-sale (PoS) machines, i.e., credit card readers, with a kind of malware known as a RAM-scraper.[16] The account data is decrypted within the RAM of the PoS machine, and the RAM-scraper harvests this data using regular expression searches. Target already has a security team in Minneapolis, and recently installed a malware detection system called FireEye (although it’s most reliant on the free consumer product Malwarebytes Anti-Malware), which was set up to alert another security team in Bangalore, India.[17] The Bangalore team reported back to the Minneapolis team, and the Minneapolis team did not respond. And thus, 70 million accounts were compromised.

[14] TOP 10 BAD HOSTS, (March 2014), http://hostexploit.com/
[15] Joseph Menn, Reuters, “SPECIAL REPORT - U.S. cyberwar strategy stokes fear of blowback”, (May 10, 2013)
As I mentioned above, heists of this scale used to occur very infrequently, because they would depress the market value of PII. However, with more hackers operating today than ever before (many from geographically disparate regions), it is harder to collusively time large attacks. Neiman Marcus experienced a very similar attack in December of 2013, compromising 1.1 million credit card accounts. Moreover, PoS malware is a relatively new technology, and many hackers will try to exploit it before retailers universally implement the relevant anti-malware. The disturbing result is that data breaches have been increasing in size over time.
Trend Micro (2014) suggests many precautionary measures for retailers in
the meantime, viz., limit access to the internet, disallow remote access, update
OS patches, routinely delete cardholder data, but this is all rote advice. And of
course, remove poor management. The real question becomes how to create a
market to regulate access to technology like the ALINA family of PoS malware.
While the Amazon-esque website ExploitHub has been in operation since 2010,
billing itself as “the first legitimate marketplace for validated, non-zero-day
exploits,” most new malware is still shared on hacker forums. The best way to
prevent large-scale data breaches is for ExploitHub or a similar website to extend
its reach into the shadier hacker forums and more carefully vet its customers.
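The RAM-scraper described in this section works only because card numbers sit in PoS memory in cleartext. The defender’s counterpart to it is a routine check of a memory snapshot (or of application logs) for Luhn-valid digit runs: any hit is evidence that point-to-point encryption or tokenization is not protecting the data, well before an attacker gets to run the same search. The Python below is an added example, not code from the essay or from Trend Micro; the snapshot bytes are constructed, and the two card numbers in it are the widely published test numbers 4111111111111111 and 5555555555554444, not real accounts.

```python
import re

# Constructed PoS memory snapshot: terminal strings, a transaction timestamp,
# a device serial, and two cleartext card numbers (public test numbers).
SNAPSHOT = (
    b"\x00\x00POS-TERMINAL-07 build 2.3\x00"
    b"txn=20131127093015123 amount=4999\x00"      # 17 digits, fails the Luhn check
    b"serial=1234567890123456\x00"                # 16 digits, fails the Luhn check
    b"\x00\x01\x02 4111111111111111=2512 \x00"    # PAN followed by an expiry field
    b"CARD:5555555555554444\x00"
)

# A candidate PAN is a run of 13 to 19 digits not adjacent to other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out timestamps, serials and counters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(snapshot: bytes):
    """Return (offset, masked PAN) for every Luhn-valid digit run in the snapshot.

    The offsets tell the investigator which buffer held the data; the masked
    form is all that should leave the PoS environment.
    """
    hits = []
    for m in PAN_RE.finditer(snapshot):
        digits = m.group(1).decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(1), mask(digits)))
    return hits


if __name__ == "__main__":
    for offset, masked in find_cleartext_pans(SNAPSHOT):
        print(f"cleartext PAN at offset {offset:#x}: {masked}")
```

A Luhn-valid run is a strong signal but not proof (roughly one in ten random digit strings passes), so the check is a trigger for investigation of the process that owned the memory, and the expected healthy result of running it against a properly encrypting terminal is an empty list.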

6 Some game theoretic frameworks


In this section, I will briefly shift away from the discussion of constructing
exploit markets with optimal regulation and participation, and examine some
of the above scenarios as games. I will not attempt to solve the games, but if
these games are well understood, they can serve as a launchpad for mechanism
design approaches to the open questions posed in Section 4.

6.1 Data breach attacks

Let us consider the interactions between retailers and attackers as a game. In the case of Target, the players would be the attackers, the team of security researchers, and the malware-detection software (effectively a “nature” player that provides the other two players with information on the state-of-the-world). The efficacy of the nature player can vary from game to game, and the two other players can vary the strength of their attack or defense (which of course vary positively with their cost functions).

[16] Charlie Osbourne, ZDNet, How hackers stole millions of credit card records from Target, (February 13, 2014)
[17] Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack; Bloomberg Businessweek Technology, Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, (March 13, 2014)
Alpcan and Başar (2004, 2006) modeled a similar game, although abstracted
away from this specific context. The nature player they described in their game
was a sensor network, and the security research team corresponds to an IDS
in their framework. In their first paper, they came to some fairly intuitive
conclusions: by increasing the cost to itself, the IDS can make the attacker suffer
also, but reducing the defense response leaves it vulnerable. In the dynamic
game where the sensor network’s detection capabilities gradually improve over
time (a very reasonable assumption), the hacker is best off launching brief,
high-intensity attacks, which we of course observe.
The second paper more closely approximates reality and, using Markov De-
cision Processes (MDPs), varies the information available to each player. Here,
the sensor detection network has an associated matrix of transition probabili-
ties, and both the attacker and defender can have knowledge of subsets of this
matrix. If the sensors consistently report inaccurately and the IDS has perfect
information (i.e., complete knowledge of the inaccurate reporting), then it will
stop relying on the sensor detection network and play aggressively regardless of
the signal it receives. This is the opposite of the case we observe in the Target
data breach. The signal sent by the FireEye software was accurate, but appar-
ently the chain of communication from FireEye to Bangalore to Minneapolis
obfuscated the signal like a game of telephone, and the security team responded
meekly in turn.

6.2 Cyberwarfare
Game theory often accomplishes more than what rhetoric alone can in the way
of persuasion. The following analysis provides a stronger case for why countries
should enter into multilateral agreements to restrict the use of zero-days for
military operations.
Moore, Friedman and Procaccia (2010) define three variable parameters for inclusion in their analysis: technological sophistication p, social externality cost δ, and willingness to attack q. δ corresponds to the risk of hackers re-discovering the vulnerability and exploiting it as a half-day. In the first game they consider, the strategy spaces of the players are to Stockpile knowledge of discovered security flaws in preparation for future attacks, or Defend: (S, D). They conclude that without internalizing the social externality cost, neither player has incentive to defend. Therefore, to dissuade country-level players from engaging in cyberwarfare, we need to force them to internalize their externalities.
In the second game, they allow players to actually carry out attacks. They find that the strategy is most likely to be (A, A) if Player 1’s p and q values are both middling, or if one is high and the other is low. Thinking about what the parameters p and q represent, one realizes that this covers most of the situations that are likely to occur. With such bilateral belligerence, short-circuiting is inevitable.
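The Stockpile/Defend conclusion can be checked mechanically with a pure-strategy Nash equilibrium search over the 2x2 game. The Python below is an added example with a constructed payoff function (a private gain from stockpiling, a cost of defending, and an externality δ that each player’s stockpile imposes on both players), not the payoff matrix Moore, Friedman and Procaccia use; the numbers 5, 2 and the δ values 4 and 8 are assumptions chosen to illustrate the claim, and the solver itself is general for any symmetric two-player game given as a payoff function.

```python
from itertools import product

ACTIONS = ("S", "D")   # S = Stockpile discovered flaws, D = Defend (patch / disclose)


def payoff(own, other, gain=5.0, cost=2.0, delta=8.0, internalize=False):
    """Constructed payoff for one player of a symmetric two-player game.

    Stockpiling yields a private gain; defending costs. Each player's stockpile
    imposes the externality delta (the half-day rediscovery risk) on everyone,
    so a player always bears the other's delta, and bears its own delta only
    in the regime where it is forced to internalize it.
    """
    u = gain if own == "S" else -cost
    if other == "S":
        u -= delta
    if own == "S" and internalize:
        u -= delta
    return u


def pure_nash_equilibria(u, actions=ACTIONS):
    """All pure-strategy profiles (a1, a2) where neither player gains by deviating.

    u(own, other) is the payoff of the player choosing `own`; because the game
    is symmetric, player 2's payoff at (a1, a2) is u(a2, a1).
    """
    equilibria = []
    for a1, a2 in product(actions, repeat=2):
        p1_best = all(u(a1, a2) >= u(b, a2) for b in actions)
        p2_best = all(u(a2, a1) >= u(b, a1) for b in actions)
        if p1_best and p2_best:
            equilibria.append((a1, a2))
    return equilibria


def stockpile_defend_equilibria(delta, internalize, gain=5.0, cost=2.0):
    """Equilibria of the constructed game for a given externality size and regime."""
    return pure_nash_equilibria(
        lambda own, other: payoff(own, other, gain, cost, delta, internalize)
    )


if __name__ == "__main__":
    for internalize in (False, True):
        for delta in (4.0, 8.0):
            eq = stockpile_defend_equilibria(delta, internalize)
            print(f"delta={delta:>4} internalize={internalize!s:<5} -> {eq}")
```

With the externality left external, stockpiling dominates defending whatever the other side does, so (S, S) is the only equilibrium regardless of δ. Internalizing the externality flips the outcome to (D, D) only once δ exceeds the private gain plus the defence cost, which is the quantitative form of the essay’s point: forcing internalization is necessary, and the size of the rediscovery risk decides whether it is sufficient.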

7 Conclusion
Simply given the scope of vulnerabilities that exist, the market for cybersecurity is a difficult topic to tackle. This has only been a brief overview, but the list of references will no doubt be a valuable resource for further exploration into this field. There are many open questions in addition to the ones I addressed in Section 4: I reproduce selected questions mentioned in the RAND corporation report here as directions for future research:

• What benefit might there be by hacking back, or including an offensive component within law enforcement that denies, degrades, or disrupts black market business operations? Would this do more harm than good?
• How efficient or effective is it for banks or merchants to buy back their customers’ stolen data?
• What lessons learned from the black market for drugs or arms merchants could be applied to the black market for cybercrime?

There are many other interesting applications of game theory to the market
for exploits, including, as I mentioned earlier, determining optimal vulnerability
disclosure time. While the players and their strategies are often tricky to tease
out in black market contexts, I believe that game theory provides a valuable
tool to understand these markets. And certainly, in true hacker spirit, we could
reverse engineer these games to ensure that everything plays out as we desire.

References
Point-of-sale system breaches: Threats to the retail and hospitality industries. Trend Micro Incorporated, 2014.
Tansu Alpcan and Tamer Başar. IEEE, 2:1568–1573, 2004.
Tansu Alpcan and Tamer Başar. International Society on Dynamic Games, 2006.
Lillian Ablon, Andrea A. Golay, and Martin C. Libicki. Markets for Cybercrime Tools and Stolen Data. RAND Corporation: National Security Research Division, 2014.
L Jean Camp and Catherine Wolfram. Economics of Information Security, 12:17–34, 2004.
