On June 30, 2025, the Atlantic Council's Cyber Statecraft Initiative published a landmark comparative study titled *Crash (Exploit) and Burn: Securing the Offensive Cyber Supply Chain to Counter China in Cyberspace*, authored by Winnona DeSombre Bernsen—a nonresident fellow at the Initiative and a dual-degree candidate at Harvard Kennedy School and Georgetown Law, who previously served as a security engineer at Google's Threat Analysis Group tracking targeted threats against Google users.
The Core Argument
The report advances a pointed and uncomfortable thesis for US policymakers: that the United States may be losing ground to the People's Republic of China in the market for offensive cyber capabilities, not because of a lack of technical talent, but because of structural failures in how the government acquires and sustains those capabilities. As the report states directly, if the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain. Strategic competition between the two powers has long played out in cyberspace, where offensive cyber capabilities—like zero-day vulnerabilities—are a strategic resource.
China's Systematic Market Strategy
The report's most significant empirical contribution is its comparative mapping of the US and Chinese acquisition models—described as the first study of its kind. Since 2016, according to DeSombre Bernsen, China has been converting the zero-day marketplace in East Asia into a state-controlled funnel of offensive cyber capabilities for its military and intelligence services, serving the dual purpose of enabling China to penetrate the most secure Western technologies while simultaneously denying the United States access to comparable capabilities sourced from that region. This deliberate market-shaping strategy represents a form of cyber statecraft that operates below the threshold of armed conflict, yet has long-term operational consequences that are arguably more durable than any single intrusion campaign.
Structural Weaknesses in US Acquisition
The report's diagnosis of the US side is equally pointed. Developing a single zero-day exploit against a widely used technology product may require between six and eighteen months of full-time engineering and research work, a timeline that sits uncomfortably against the "feast-or-famine" payout schedule that currently characterises the private vulnerability research sector—a dynamic that carries serious risks for companies that depend on one or two annual windfalls to cover overhead and personnel costs. Compounding the problem, the pathway from researcher to government buyer is opaque and relationship-dependent: potential sellers must typically find an existing government contract through which to sell their exploits, or know the right government individual to approach. Without structural reform, these friction points constrain the supply of capabilities available to US military and intelligence consumers.
Policy Recommendations
DeSombre Bernsen puts forward three broad reform tracks. First, the report calls for improving acquisition processes by establishing a government-sponsored vulnerability broker housed within a federally funded research and development center (FFRDC), which would decentralize and simplify exploit purchases, increase cyber capability budgets, and expand research on automated exploit-chain generation. Second, it recommends adjusting policy frameworks to incorporate counterintelligence strategies within the zero-day marketplace—including burning the capabilities of malicious actors while channeling willing researchers into more formal government pipelines—and funding n-day research directly through US Cyber Command (USCYBERCOM). Third, and perhaps most internationally significant for readers of this journal, the report urges greater use of multilateral alliances such as the Pall Mall Process to counter China's growing cyber dominance.
Significance for International Cyber Law
The Pall Mall Process—a joint initiative launched by the United Kingdom and France in 2024 to develop responsible norms around the proliferation of commercial cyber intrusion tools—is here recast not merely as a human-rights or rule-of-law project but as a competitive instrument of US foreign policy. That framing may prove contentious: the Process was conceived partly as a supply-side governance mechanism, and mobilising it as a vehicle for great-power competition risks straining the coalition of states and civil society organisations that have supported it in good faith. The report's frank acknowledgment of this tension—alongside its effort to avoid "mirror-imaging bias" and "whataboutism"—marks it as intellectually honest, even if the prescriptions will generate debate.
The broader implications for international law are clear: as states treat the zero-day market as a domain of active supply-chain competition, longstanding questions about the legality of peacetime cyber operations—state responsibility, due-diligence obligations, and the applicability of neutrality law to third-country exploit brokers—become more urgent, not less. Without meaningful reforms of the kind DeSombre Bernsen proposes, the report concludes, the United States risks ceding to China whatever strategic advantage it has left in cyberspace.