by jl2718
1802 days ago
BLUF: government should attack vulnerabilities first, disabling systems until they are patched. Very creative. It might also be done better with an open market where companies set the price they’re willing to pay for red hats. This also requires some understanding of how zero-days come to exist. Briefly, insiders, many of them foreign assets developed from their earliest education and helped along the way to get to their target. There are some ‘in the wild’ discoveries, but the sophisticated attack chains do not rely on luck. Given that, here’s another viewpoint: $70m in ransom might be a far better deal than exploitation by a nation state. It’s quite possible that these guys are actually defectors doing us a favor. So, we should consider that security is something we’ll have to pay for one way or another, and we should seek to establish markets that make that cost predictable and minimize disruption. And yes, I do understand the moral hazard this would create, and I don’t have any good ideas to fix that right now.