WannaCry fallout: is hoarding exploits, delaying fixes ever justified?
Government agencies hoard undisclosed vulnerabilities in order to aid surveillance, but what about the consequences as exposed by WannaCrypt0r attack?
The fallout from the WannaCry attack continues to spread fear, uncertainty and doubt across the globe. However, there are a couple of interesting issues that have emerged from this pretty unprecedented (in scale at least) cyber-attack, so we set out to discover, is vulnerability hoarding ever acceptable, and ditto for the patches that fix them? Here’s the thing: despite all the government denials over the years, pretty much everyone and their aunt in the security business knows that it isn’t just the criminal element that swallows up zero days. Stuxnet put that particular argument to bed a few years back now.
Pertinent to this case, the EternalBlue vulnerability exploit that had been hoarded (along with others) by the NSA swiftly bit them and us on the behind by enabling the rapid spread of WannaCry (or WannaCrypt0r). You could blame the Shadow Brokers group for releasing the code, although it’s more tempting to blame the lack of code security at an agency – which has an S in its name, after all. So what does the industry think about the whole state-sponsored hoarding of vulnerability data? SC Media has been asking if national security surveillance capability should take priority over the data security of citizens?
