Why a global cybersecurity Geneva convention is not going to happen

Microsoft President and Chief Legal Officer Brad Smith has been pounding the pavement all year asking for a “global cyber Geneva Convention” in the face of threats facing his employer’s software and the greater internet at large. It’s a pipe dream and I’ll tell you why. Any global effort works best when there are clear answers. For instance, there is a clean line between “nuclear war” and “not nuclear war.” The cyber domain is different. While there is some consensus within Microsoft that’s driven by business concerns and hyped as social concerns, there isn’t the same consensus within or between global governments. We don’t even know the trade-offs that would be implied by the things Microsoft is asking for: a barrier on the trade of “cyberweapons” resulted in massive outcry when it was codified in the Wassenaar Arms Control Arrangement last year, some of which came from the very same […]

The post Why a global cybersecurity Geneva convention is not going to happen appeared first on Cyberscoop.


Why reforming the Vulnerability Equities Process would be a disaster

When the authors of WannaCry turbo-charged their ransomware with NSA exploits leaked by the Shadow Brokers, people thought it was the Vulnerability Equities Process’ worst-case scenario. It’s really not. The VEP is the policy process the U.S. government undertakes when one of its agencies finds a new software vulnerability. It’s how the government decides whether to tell the manufacturer about the bug, so they can patch it and keep all their customers safe; or to keep it secret and stealthily employ it to spy on foreign adversaries who use that software. In the wake of Shadow Brokers dumping several sets of highly advanced NSA hacking tools online — many using previously unknown vulnerabilities — there have been rising demands for reform of the VEP. Lawmakers have got in on the act, pledging to legislate the process with the Protecting Our Ability to Counter Hacking, or PATCH Act of 2017. But […]

The post Why reforming the Vulnerability Equities Process would be a disaster appeared first on Cyberscoop.
