![\"Computer](\"https:\/\/wwwassets.rand.org\/content\/rand\/blog\/2017\/11\/its-time-for-the-international-community-to-get-serious\/_jcr_content\/par\/blogpost.aspectcrop.868x455.cm.jpg\/x1510851710897.jpg.pagespeed.ic.yg9cMONbLC.jpg\")
The U.S. government took a long-needed step when it\u00a0announced on Wednesday<\/a>new details about its Vulnerability Equities Process (VEP), the interagency process used to determine whether to notify a software vendor about a previously unknown (\u201czero-day\u201d) vulnerability, or to temporarily use the vulnerability for lawful, national security purposes. The public release of this charter is a positive step toward increasing transparency on this controversial process. This announcement is certain to prompt a new round of national debate as people continue to examine and question the specifics of the charter. But another key challenge is also beginning to surface: multiple countries around the world are likely discovering, retaining and exploiting zero-day vulnerabilities without a process to properly consider the trade-offs. This needs to change. It’s time for the international community to get serious about vulnerability equities.<\/p>\nAs Offensive Cyber Capabilities Rise, Few Consider Vulnerability Equities<\/strong><\/p>\n More nations are bearing the responsibility to make well-informed trade-offs regarding vulnerabilities. In early 2017, senior U.S. intelligence officials\u00a0told Congress (PDF<\/abbr>)<\/a>\u00a0that\u00a0more than 30 nations (PDF<\/abbr>)<\/a>\u00a0are adopting offensive cyber capabilities. Such programs are increasingly integrated into military operations and planning. The\u00a0United States<\/a>\u00a0and\u00a0United Kingdom<\/a>\u00a0speak openly about their use of offensive cyber operations against ISIS. Russia has\u00a0publicly stated (PDF<\/abbr>)<\/a>\u00a0its intention to use offensive cyber operations before resorting to conventional military force.<\/p>\n To accomplish offensive cyber missions–including law enforcement, military and traditional intelligence missions–states look for flaws or weaknesses in hardware and software that allow them to remotely access and manipulate an adversary’s computer system. Zero-day vulnerabilities provide valuable access to targets; in fact, they played important roles in prominent malware such as\u00a0Stuxnet and Flame<\/a>, which was used to disrupt Iran’s nuclear program. In addition to these offensive interests, every nation also has defensive cyber interests, such as securing the systems upon which its government, businesses and citizens rely. Stronger defensive concerns relative to offensive ones, might induce a state to disclose a vulnerability to the vendor, which may then issue a patch or otherwise protect its users.<\/p>\n