States, cyber security and the VE-markets: inherent contradictions Having recognized the disruptive capacity of instable information systems, most countries have developed or are in the process of developing strategies to address threats from cyber space, including most Western countries and increasingly some developing countries.6 For example, the US intelligence community lists cyber threats as the number one global risk to US security,7 and the press reports “mega-hacks” on an almost daily basis putting hard pressure on policymakers. Even more so, developing countries are also energetically pushing for international governance reforms as a result of the Snowden disclosures of 2013 (Politorbis 2014: 33), further contributing to the processes of securitization that have been under way arguably since 9/11.8 As a matter of fact, governmental security logics in cyber-space governance have started to dominate, which includes the extension of the subjugation of the domain to military and intelligence control reducing the influence of the more democratically organized, private and civil-society stakeholders. Thus, states have elaborated doctrines designed to provide greater security. The means employed to this end have become more aligned with national security as well, meaning that covert operations to satisfy national interests in the short-term dominate, whereas a decade ago, national security implications were recognized (in the USA) but remained in the background compared to the

ideal of keeping a free and open space for global exchange. Arguably, this shift has important negative implications for the long-term stability of the crossnational cyber space. One issue among many that reinforces this dilemma between long-term international stability versus short-term national stability is the market for vulnerabilities and exploits (VEs). This section illustrates this cyber-security policy tension by first explaining the markets’ origins in a first subsection, presenting plausible reasons why the state engages in these markets in a second subsection and how it does this in a third subsection. It further discusses the implications of the state’s involvement in the fourth and last subsection. All in all, this section mainly argues that for particularistic reasons, national security considerations trump international cyber-security stability and a more long-term security orientation of states.