Weighing A Stockpile Of Computer Threats
Last week, some computer users booted up their machines to encounter not their normal desktop, but a ransom note. The ransomware program, called WannaCry, spread rapidly by exploiting an old flaw in the Windows operating system. It encrypted files on affected computers and threatened that the data would remain encrypted forever—unless the owners paid a ransom in the online currency Bitcoin. The perpetrators behind the attack are still unknown, although some cybersecurity experts have said that clues point in the direction of North Korea. Some of the technology used in the attack, however, was apparently developed by, then stolen from, the U.S. government.
This isn’t the only exploit in the government’s cyber arsenal. When it comes to vulnerabilities that could affect millions, what is the government’s responsibility to help those flaws get fixed? How does it decide which flaws to report, and which to stockpile? Jason Healey, a senior research scholar at Columbia University’s School of International and Public Affairs, says that the Vulnerabilities Equities Process, or VEP, is the route that government officials are supposed to take in deciding whether to disclose or withhold a previously undisclosed vulnerability—but that system may not always work as it’s supposed to.
Jason Healey is a Senior Research Scholar at Columbia University’s School of International and Public Affairs in New York, New York.