Abstract
In an earlier work entitled Regulating Cybersecurity, I argued that cyber defense should be understood not just as a matter for law enforcement and the armed forces, but as a regulatory problem in need of regulatory solutions. This companion article proposes a series of market-based responses to complement those governmental responses. It argues that hackers and other private actors are an important source of cybersecurity data—especially information about vulnerabilities and how to exploit them. Yet the white market, in which researchers can sell bugs to vendors that will patch them, suffers from high transaction costs, low prices, and other imperfections. Many hackers therefore choose to sell on the gray market to military and intelligence agencies that will exploit the flaws, which means that vulnerabilities persist and users remain exposed to attacks by hostile powers that have found the same flaws. The solution, I argue, is twofold: fostering white market brokers to reduce the transaction costs of legitimate bug sales, and increasing the payouts offered on the white market through a combination of liability protections, tax benefits, and subsidies.
