Vulnerabilities, the Search for Buried Treasure, and the US Government

Most weeks, it is far outside the normal job responsibilities for cybersecurity professionals to understand what the United States (or other governments) do to find or use computer vulnerabilities. Just stay patched and keep the board of directors happy. This is not one of those weeks. This week we learned that the National Security Agency disclosed to Microsoft that it had discovered a major vulnerability (dubbed CVE-2020-0601) in Windows 10. A Washington Post article, by veteran cyber journalist Ellen Nakashima, declared this to be a “a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks.” This unique story puts the spotlight on vulnerabilities and the U.S. government process for determining whether to disclose or retain the vulnerability. This first half of a two-part article looks examines these issues, while the second half assesses that program and the implications for enterprise technologists.