Thursday, May 25, 2017
Vulnerability disclosure debates.
When intelligence agencies discover vulnerabilities in computer systems, they face a choice: either to make public their existence, which could allow them to be fixed and thus protect civilian end-users from cyberattack, or to conceal the knowledge and exploit the vulnerabilities for future intelligence and cyber operations. As the recent WannaCry ransomware attack shows, the decision is far from clear-cut.
- Large releases of vulnerabilities may hamper intelligence agencies in conducting intelligence gathering and offensive cyber operations.
- Technology firms will continue to argue for a large release of vulnerabilities, but the security benefits are mixed.
- Russia, China, Iran and North Korea enjoy an asymmetrical advantage, with their cyberagencies under less commercial pressure to disclose.