Stop Blaming NSA For The Ransomware Attack by Patrick Tucker.
Most days I think the NSA should be blamed for everything from global warming to biscuits that fail to rise.
But for leaked cyber weapons? No blame whatsoever.
Why? The answer lies in the NSA processing of vulnerabilities.
From the post:
…
“You’ve heard my deputy director say that in excess of 80-something percent of the vulnerabilities are actually disclosed—responsibly disclosed —to the vendors so that they can then actually patch and remediate for that,” Curtis Dukes, NSA’s former deputy national manager for national security systems, said at an American Enterprise Institute event in October. “So I do believe it’s a thoughtful process that we have here in the U.S.”Dukes said the impetus to conceal an exploit vanishes when it is used by a criminal gang, adversarial nation, or some other malefactor.
We may choose to restrict a vulnerability for offensive purposes, like breaking into an adversary’s network, he said. But that doesn’t mean we’re not also constantly looking for signs whether another nation-state or criminal network has actually found that same vulnerability and now are using it. As soon as we see any indications of that, then that decision immediately flips, and we move to disseminate and remediate.
…
You may think that is a “thoughtful process” but that’s not why I suggest the NSA should be held blameless.
Look at the numbers on vulnerabilities:
80% disclosed by the NSA for remediation.
20% concealed by the NSA.
Complete NSA disclosure means the 20% now concealed, vanishes for everyone.
That damages everyone seeking government transparency.
Don’t wave your arms in the air crying “ransomware! ransomeware! Help me! Help me!,” or “Blame the NSA! “Blame the NSA.”
Use FOIA requests, leaks and cyber vulnerabilities to peel governments of their secrecy, like lettuce, one leaf at a time.