On Lawfare, former Deputy Director of the National Security Agency Rick Ledgett discusses the faulty premise behind calls for US Government agencies to release to the public all knowledge they hold concerning software vulnerabilities:
WannaCry and Petya exploited flaws in software that had either been corrected or superseded, on networks that had not been patched or updated, by actors operating illegally. The idea that these problems will be solved by the U.S. government disclosing any vulnerabilities in its possession is at best naïve and at worst dangerous. Such disclosure would be tantamount to unilateral disarmament in an area where the U.S. cannot afford to be unarmed. Computer network exploitation tools are used every day to protect U.S. and allied forces in war zones, to identify threats to Americans overseas, and to isolate and disrupt terrorist plots directed against our homeland and other nations. It is no exaggeration to say that giving up those capabilities would cost lives. And this is not an area where American leadership would cause other countries to change what they do. Neither our allies nor our adversaries would give away the vulnerabilities in their possession, and our doing so would likely cause those allies to seriously question our ability to be trusted with sensitive sources and methods.
A simple but effective observation – sometimes it is not the attackers' knowledge that is most dangerous, but the victims' negligence that accounts for the losses. However, I think he makes a dangerous moral error in his conclusion:
As for blame, we should place it where it really lies: on the criminals who intentionally and maliciously assembled this destructive ransomware and released it on the world.
This ignores the fact that ransomware is only one subcategory of malware, and that malware also contains the category of weaponized software (for lack of a better term). The two subcategories share a number of operational techniques, but their purposes are dissimilar. Ransomware is overwhelmingly a criminal activity, although a government could use it to, say, financially disable a corporation deemed critical to the functioning of an adversary. In general, though, ransomware is used by criminal elements to extract resources from other entities, ranging from corporations to individuals.
Weaponized software is generally used by a government or country to advance its national interests. As such, it lies under a different, and more poorly defined, moral order.
Because Mr. Ledgett is discussing operations rather than morality, his conclusion becomes confused, and it results in a faulty implied directive: condemn the opponents who use these techniques.
As Mr. Ledgett should know best of all, governments and countries must advance their national interests, and using adversaries' software vulnerabilities against them is simply the latest step in a millennia-long practice of advancing those interests. You cannot condemn that unless you want to condemn the entire system of national entities. The concrete result of this mistake, besides a certain general attitude of unearned victimhood, is a dissipating discussion such as the one he addresses, when everyone should understand that the context includes aggressive nations which will use our mistakes against us.