Why cyber warfare isn’t
Mike Hearn

Correction

The NY Times article I read said the patch was released “last March” which I sloppily misinterpreted as last year. I then compounded my error by typing 2015 instead of 2016. I stand by the rest of my comments.

Microsoft released the patch to this bug in March 2015. The systems hacked are networks running antiquated code administrators know full well is vulnerable to hacks. That the National Health Service for the entire UK was foolish enough to rely on software they knew was vulnerable, and for at least a year, cannot be laid at the feet of cybersecurity policymakers.

Your assertion that the brilliant minds of the NSA, the CIA, Mossad, MI5, MI6, etc. are too incompetent to grasp the double-edged sword of mutual vulnerability is laughably naive. I’d venture to guess that their entire intelligence gathering apparatus is built precisely on that premise.

Most of the offensive cyber warfare tools of the state NEVER see the light of day because they are reserved for use only under specific, usually dire circumstances. An attack like today’s is pointless for the state because it exposes valuable code for no real gain.

You can bet that vulnerabilities uncovered for use offensively are quietly and immediately deployed internally to harden the most sensitive government networks. They have to follow processes very similar to what the British and Americans did in WWII with the Enigma in Europe and the breaking of Japanese codes in the Pacific. Known targets were left unprotected and brave soldiers died simply to prevent the enemy from knowing we were reading their private communications. It’s no different today.

Just like the Stuxnet used to sabotage Iranian centrifuges, I’m sure several governments have developed systems to disrupt all sorts of sensitive public infrastructure, especially communications, transportation, and utilities. The actual use of those tools, though, will never be random nor isolated to a single piece of code.

The most intractable problem is that the greatest vulnerability isn’t the network itself, it’s the flawed human beings with access to the source codes.

As always, avarice, misplaced idealism, or incompetence are the greatest risk factors to data security, not the offensive actions of enemy nation-states.