There was a recent article on NPR about the vulnerability market that has grown up over the last several years, in which researchers sell their findings to the highest bidder. Sometimes those bidders are governments, sometimes they are cybercriminals, and there is very little way of knowing which, because the sales are unregulated.
The fundamental problem here is that an unregulated grey market for vulnerabilities is part and parcel of accepting the use of “cyberweapons.” By attacking other countries, we are essentially saying that this is acceptable behavior, which means it is also okay for those other countries to attack us. And the incredibly poor state of information security readiness in our national infrastructure could put us in a very dangerous situation sooner rather than later. If these sales were reported and their use were licensed, it would not end the sale of vulnerabilities to criminals, but it could certainly reduce it.
On a mundane level, it likely means that you and I, as everyday users, are surfing around with holes that may already be known to criminals who are actively trying to steal our data. On a larger scale, it could mean we are open to some very real life-or-death problems.
So, what can you do about it? On a certain level, surfing around with unknown holes is just a fact of life, which is why security people recommend layered defenses: keep software patched, run with the least privilege you can, and assume that any single control may fail. On a political level, this article’s final point is right on: regulating “cyberweapons” is a no-brainer and something we should request of our legislators.