by rosalinekarr 3390 days ago
This idea that the government should somehow be exempt from proper cybersecurity ethics is disgusting. When the CIA or the NSA find zero day attacks in software, they should report them immediately to be fixed, not build tools specifically to exploit them. It's only a matter of time before these attacks either leak or are rediscovered by other malicious parties. The government is effectively turning their own people into cannon fodder for their ridiculous "cyberwar."
6 comments

We are past the point of holding them to even basic ethics. The CIA and NSA already see the people as cannon fodder at best. If we can no longer expect moral behavior concerning issues like black sites for torture, drug trafficking, or setting up murder and rape regimes, then why even waste the breath asking for cybersecurity ethics?
I think that's an absurd position. The government has a need to be able to access hostile systems. A hacked computer can avoid armed conflict where people die.

A better question is... why aren't major vendors devoting a fraction of the resources to find this stuff and fix it on their own?

They're being paid by the spooks!

On a serious note, doesn't cyberwarfare sound more like it could lead to nasty consequences, such as regular warfare, rather than preventing it?

As nuclear proliferation becomes more and more common, "regular warfare" is going to become impossible.

The reality is that there isn't going to be a traditional war with any nuclear power. WW2 was the last big state on state conflict -- that cannot happen again. Since 1948, the US vs. USSR model has applied, where nuclear powers have proxy wars at the fringes with various minor states.

As nukes become available to 2nd/3rd tier states, you need lower impact fighting methods to avoid setting off a nuclear chain reaction. "Cyber warfare", IMO, is a tool in the toolbox. Instead of proxy states, we fight with proxy corporations.

> WW2 was the last big state on state conflict -- that cannot happen again.

Respectfully, the belief that large-scale war was impossible between modern states was prevalent prior to the First World War.

I strongly believe that there will eventually be another large conflict, and that the only reason there hasn't been one to date is because we've managed to maintain the balance between Russian and American interests throughout the Cold War.

The collapse of the Soviet Union marked the beginning of a transitional state, and we've not reached a stable balance of power since.

Perhaps "cannot" was the wrong word choice. "must not" may be more appropriate.

I share your fears and find it terrifying, as large-scale war with the technology we have today is a profoundly more damaging thing.

Ok, but the current trend seems to suggest a strong preference for SIGINT, ELINT, ... over traditional HUMINT.

Isn't this overestimating only a peculiar aspect?

I think what we're seeing is that "SIGWAR" is a thing. Why blow up something if you can undermine it?

If you think about it, it's similar to how the physical world evolved. I was recently up at Fort Ticonderoga, which is an example of a fort designed to resist and leverage the cannon as a defensive weapon. In Europe forts of similar design were nearly impregnable, but ultimately obsolete -- mobility and artillery rendered fixed positions useless. There's a similar thing at play here!

I am not skeptical about this concept in particular, but about the lack of practical confirmation for the results of their tools.

This is perceived (at a later stage & by the public opinion) when many in the government itself publicly question the trustworthiness of the information given.

When you're blacked out by an immense quantity of basically useless information, you're spending money and resources in an ineffective manner.

Is all this enough to target what has to be targeted, so that you have a real balance between your effort and your results?

I don't think so; a quick look at their budget is enough for me to disagree.

> why aren't major vendors devoting a fraction of the resources to find this stuff and fix it on their own?

I'm pretty sure most of the competent ones are... it's just really slow, expensive, hard work, with little financial upside (beyond preventing the financial downside of disastrous long-tail exploits). Spending ever more on it probably isn't an easy sell to business people with normal (read: bad) human probabilistic intuitions. And a lot of the people best at it probably just choose to work for themselves because they can auction their work to IC or criminal collectors for much more than they'd get from a fixed rate bug bounty.

Or why don't we have an "OpenBSD" equivalent on the Android platform?
> A hacked computer can avoid armed conflict where people die.

Yet we see armed conflicts with CIA origins within plenty of history books...

True, but that's a general indictment of any spy agency for any country. More broadly than just software, their mission is to control information...who gets it / who doesn't.
This might sound naive, but I am genuinely wondering whether they are failing at this mission in the long run, though? They can hardly believe they are the only ones in control of these exploits. Can't the same exploits be used against them?
The NSA does, albeit it's not advertised when they report bugs to companies. Not sure about the CIA, but the NSA has a dual mission of intercepting foreign intelligence and helping secure American systems. Hence how we got things like SELinux and other contributions.

They've done some terrible stuff but they are big agencies with many competing objectives within.

There are no "proper cybersecurity ethics". Whatever your chosen ethical framework is, it's not absolute and you don't get to impose yours on all other people.
LoL, why are you so naive? It's the CIA, not Google's zero-day project.
After Snowden, the Obama administration made a commitment to the tech community that it would not hoard security vulnerabilities, and would instead pass them on to vendors to fix.

This release shows that they did not honour that commitment.

A government would only ever disclose a vulnerability once it has a better one to replace it. The government needs a method to counteract an attack from another source (that's their reasoning).
Not necessarily. The reasoning should surely be that if we can discover it and use it against them, then they can discover it and use it against us, therefore we should notify the vendors and have the vulnerability removed.
The parent isn't being naïve, they take issue with the current state of affairs and tell how they would like it to work. They're not surprised that that's not the case.
Nope, he is very naive. He calls [cyber] war "ridiculous". There is nothing ridiculous about wanting to be ahead of rivaling countries and having backdoors into their software and computers. What is however ridiculous is the attitude that we should all hug each other and make the bad people go away with love and prayer.
Thank you for clearing up my point, although I still got downvoted.