Proposals to establish international norms against intruding against other nations' critical infrastructures fail to recognize that while few nation-states want to cause massive systemic risk, nobody can agree on what constitutes systemic risk or what trade-offs are worth what level of risk of a calamitous event.
Dave Aitel is an offensive security expert and the CEO of Immunity, Inc., which conducts vulnerability research, penetration testing tool development and security tests for corporate and government clients. Prior to founding Immunity in 2002, Aitel served for six years as a security scientist at the National Security Agency and was a security consultant for @stake. Aitel has been named one of "The 15 Most Influential People in Security" by eWeek Magazine and has delivered keynote addresses at BlackHat and DEFCON. He is a co-author of "The Hacker's Handbook," "The Shellcoder's Handbook" and "Beginning Python," and founder of the Infiltrate offensive security conference.
The vulnerability equities process (VEP) is broken. Because the VEP is a matter of Administration policy, the new administration should take the opportunity to devise a strategy that works.
The technology and investigative process around lawful hacking and vulnerabilities equities is not yet ripe for broad frameworks.
Developing cyber deterrence at scale may require turning to 18th century solutions.
Before the newly-appointed cybersecurity commission can construct an effective long-term policy agenda, the government must first focus on repairing critical relationships.
Legal and policy commentary on the consequences of the Iran hacking indictments has largely overlooked the practical implications for the work of individuals who conduct offensive cyber operations on behalf of the US government.