Don't be so offensive

Recognition is growing that cybersecurity presents a systemic - and potentially existential - threat to companies, governments, and even modern civilisation itself. Yet, even today, many policy choices are producing a paradoxical outcome: in seeking digital advantage, we may be systematically increasing our own exposure to digital catastrophe. 

Nicole Perlroth's This Is How They Tell Me the World Ends: The Cyberweapons Arms Race documents the rise of the global market for software exploits and zero-day vulnerabilities — previously unknown flaws that can be used to compromise systems before vendors can patch them. One uncomfortable conclusion emerges: governments purchasing vulnerabilities and exploits played a significant role in professionalizing and expanding that market. By offering high prices and legal protection for exploit acquisition, intelligence agencies helped shift researcher incentives away from disclosure and remediation and toward secrecy and weaponization.

The world's major powers appear to have invested more heavily in developing offensive cyber capabilities than in defending their own digital infrastructure. This offensive focus often actively weakens collective security: vulnerabilities discovered in widely used software are kept secret so they can be exploited against adversaries' targets rather than disclosed and patched.

From a narrow intelligence perspective, stockpiling vulnerabilities can appear rational. From a systemic perspective, it is destabilizing. Modern digital infrastructure is deeply shared: governments, businesses, and adversaries rely on much of the same software, hardware, and protocols. Retaining exploitable flaws in widely deployed systems does not create isolated advantage — it preserves structural weakness across the entire ecosystem.

The old warning that people who live in glass houses should not throw stones takes on a new meaning in a deeply connected digital world.

There are countervailing trends. Bug bounty programs have made responsible disclosure more viable and more rewarding than it once was. However, more is needed to reverse the trajectory toward years, even decades, of significant digital disruption affecting infrastructure, institutions, and daily life.

Policy should focus on how to prevent offensive incentives from undermining systemic security. Several practical steps would materially reduce risk:
  • Reform vulnerability retention processes to default toward disclosure for widely deployed software, with time-bound exceptions and independent oversight

  • Expand and fund defensive vulnerability reward programs at levels competitive with exploit markets

  • Treat critical open-source and foundational software as infrastructure, with dedicated maintenance and security funding

  • Provide safe-harbor legal protections for good-faith security researchers

  • Establish norms and agreements around rapid disclosure for vulnerabilities affecting civilian and safety-critical systems

  • Measure and publish resilience metrics such as patch latency, dependency risk, and exposure concentration

The imbalance between offensive and defensive cyber investment is no longer a marginal concern — it is itself a source of strategic fragility. Prioritizing exploit development over vulnerability remediation weakens the shared digital environment on which governments, markets, and societies depend. A sustainable cyber strategy should treat defense and resilience not as supporting functions, but as primary objectives. Until defensive investment, disclosure incentives, and infrastructure hardening receive greater priority than offensive tools, cyber defense capabilities will continue to be self-undermining.