Emerging Institutions in Cybersecurity: Zero-Day Exploits and the Controversy around Software Vulnerability Markets

Monday, November 17, 2014
11:30 AM - 1:00 PM
(Pacific)

Encina Hall (2nd Floor)

Speaker: 

Abstract: Zero-day exploits (ZDEs) are programs that make use of newly-discovered software vulnerabilities to allow attackers to break into and manipulate information systems. A market for software vulnerabilities and exploits has developed, with military and intelligence agencies sometimes paying over $100,000 for exploits and software vendors offering bounties for their disclosure. Labeled a ‘digital arms race’ by some, it is generating a transnational debate about control and regulation of cyber capabilities, the role of secrecy and disclosure in cybersecurity, the ethics of exploit production and use, and the implications of trading software vulnerabilities for a secure and reliable Internet.

This research applies concepts and methods from science and technology studies (STS) and institutionalism to the debate over the production, sale and regulation of ZDEs. The goal of this research is to advance understanding of how discourses are related to the emergence of governance institutions. The work also sheds light on the socio-technical and economic consequences of efforts to control software vulnerabilities and exploits, and to make applications of ZDEs and cyber capabilities more transparent.

This talk will report on the ongoing dissertation work and explore how the discourse on software vulnerabilities and exploits is co-produced along with new institutions and practices in cybersecurity.

About the Speaker: Andreas Kuehn is a Ph.D. Candidate in Information Science and Technology and a Fulbright Scholar at Syracuse University. He joined CISAC as a Zukerman Cybersecurity Predoctoral Fellow in October 2014. Before joining Stanford, he was a visiting graduate student at Cornell University’s Department of Science & Technology Studies.

In his dissertation research, Andreas examines the discourse and the emerging institutions in cybersecurity, with a particular focus on software vulnerability and exploit markets. The trade in exploitable security flaws in software and their use in cyber attacks has sparked a controversy about the control and regulation of information technology, and about the role of secrecy and disclosure in achieving cybersecurity. While at CISAC, Andreas is conducting qualitative, empirical research on cybersecurity institutions.

His broader research agenda draws on Science and Technology Studies and Internet Governance to study emerging technology and its relation to privacy, security, and surveillance. Previous research included an NSF-funded project on deep packet inspection (DPI) technology and its implications for Internet governance (www.deeppacket.info), and the use of information technology in public administration (e.g., enterprise architecture, standardization, interoperability).

Andreas worked in various research positions for the Austrian Ministry of Finance, the Swiss E-Government Institute, the Swiss Federal Office of Communications, and the Malaysian National Advanced IPv6 Centre of Excellence. The Austrian Computer Society awarded him an eGovernment Innovation Award for his research on multidisciplinary actor coordination and collaboration in large-scale public ICT efforts. Andreas holds an M.Sc. in Information Systems from the University of Zurich, Switzerland, and an M.Phil. in Information Science and Technology from the School of Information Studies at Syracuse University. He is originally from Zurich, Switzerland.