When a crippling ransomware attack wreaked havoc on computers around the world earlier this year, it did so with alarming, worm-like speed. It didn’t take long for security researchers to find out why. The highly sophisticated code that was used to sneak silently into computers, largely undetected, had been stolen from the NSA.
The incident thrust a long-simmering debate about the disclosure of previously undiscovered software flaws into the spotlight: how should government agencies decide which vulnerabilities to report, and which ones to keep secret for future use?
In the U.S., the policy governing this careful weighing of stakes is known as the Vulnerabilities Equities Process, or VEP.
In Canada, spies have for the first time acknowledged that a similar process exists here, too.
Date: September 8th, 2017
1) “So-called zero-day vulnerabilities are considered especially serious because no patches have been developed to fix them, and software developers — be it Microsoft, Apple, Google, or others — don’t know the flaws exist.” How much time do you think companies such as Microsoft, Apple or Google should be given to fix these issues?
2) How long should the intelligence services be given to track down the cybercriminals before these issues are made public?