The United States must overhaul the way it acquires and manages offensive cyber capabilities or risk losing what strategic edge it retains against China in cyberspace, according to a recent Atlantic Council in-depth report, "Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace," published on June 30, 2025.
The report reframes a subject that lawyers and policymakers usually approach through the lens of nonproliferation and export control. Rather than treating the market for software vulnerabilities purely as a hazard to be constrained, the Atlantic Council analysis treats the "offensive cyber supply chain"—the pipeline that turns discovered software flaws into usable state capabilities—as a strategic asset that the United States is at risk of underinvesting in relative to Beijing.
A supply-chain framing of cyber power
At the center of the analysis is the distinction between so-called zero-day exploits (previously unknown vulnerabilities) and n-day exploits (known flaws for which patches may exist but remain unapplied). The report argues that the United States should adjust its policy frameworks to incorporate counterintelligence strategies within the zero-day marketplace—in the author's framing, "burning," or neutralizing, the capabilities of malicious actors while drawing willing "responsible" researchers into a more formal government pipeline. It further recommends that the government consider funding n-day research through US Cyber Command where appropriate.
The report also situates the problem within alliance politics, urging Washington to leverage multilateral efforts such as the Pall Mall process to counter what it characterizes as China's growing cyber dominance. That recommendation is notable for legal readers because the Pall Mall process is primarily associated with curbing the proliferation and irresponsible use of commercial intrusion tools—an agenda that the report seeks to connect to the harder-edged goal of sustaining US offensive capacity.
Methodology and provenance
According to the report, its conclusions rest on a mix of quantitative data analysis and interviews with experts drawn from across the offensive cyber capability ecosystem. The underlying research was conducted over roughly ten months, from June 2024 to March 2025, in three stages. The first was a literature review covering US–China cyber conflict, the workings of the offensive cyber capabilities industry, and Biden administration policies on countering spyware proliferation—measures the report says have affected the acquisition and sale of zero-day exploits. A later stage analyzed data scraped from open internet sources, drawing substantially from CTFTime, a site that tracks international Capture the Flag competitions used as a proxy for offensive security talent. The Atlantic Council notes that the project originated as a Policy Analysis Exercise produced during the author's time at the Harvard Kennedy School and was subsequently revised and updated.
Why it matters for cyber law
The dispatch's core policy claim is bluntly stated. Without meaningful reforms, the report warns, the United States risks ceding to China whatever strategic advantage it has left in cyberspace; conversely, a more deliberate supply chain and revised acquisition strategies could help the US maintain a steady supply of offensive capabilities. The report quotes Alexei Bulazel, identified as special assistant to the president and National Security Council senior director for Cyber, who is cited as saying, "America has incredible offensive cyber power. We need to stop being afraid to use it."
For the international-law reader, the report raises questions it does not fully resolve. A strategy premised on stockpiling and deploying offensive exploits sits in tension with norms discussions around vulnerability disclosure, the protection of the civilian information infrastructure, and the responsible-state-behavior framework advanced in United Nations processes. The report's endorsement of "burning" adversary capabilities also invites scrutiny under principles governing sovereignty and non-intervention in cyberspace, questions the report frames primarily in strategic rather than legal terms.
This dispatch reflects a single Atlantic Council analysis and its author's recommendations; it does not represent adopted US policy, and readers should treat the causal and comparative claims about US–China capability as the report's assessments rather than settled fact. Independent verification of the underlying data was outside the scope of this summary.