Wow, this is so insane. I really don't think the NSA should be finding vulnerabilities and keeping them to themselves.
I mean I get it is all to help stop the bad guys, but if you are keeping cyber weapons like this. You should be required to keep them as secure and locked as possible if you don't follow responsible disclosure.
Just like how a cop would keep their weapon on them, instead of sitting it down on the table while eating lunch.
Your analogy doesn't really work because you can't copy a gun. These tools are way more dangerous than a gun because you can replicate them very quickly. You can never destroy the tools once they are created, someone always has a copy.
This is what scares me more than nuclear weapons. A nuke requires a huge amount of people and infrastructure to maintain and launch. But a digital weapon? Pfft, copy that shit onto a USB key and one guy can wipe out power stations across the entire country.
Because you left an infected usb key or ten in the power station parking lot, the power of human curiosity, and the marginal cost of proactively protecting against something "very unlikely" by e.g. epoxying usb slots because procedure says it can't happen.
Your incredulity would be fully justified in the 1990s, but with every year that passes, it is becoming harder and harder to fully isolate computer systems from other computer systems. I'd like to think I wouldn't let untrusted devices near my power plant, but I have some sympathy for those who struggle to keep their stuff secure in a world where security is ever harder to achieve.
Your last sentence seems to contradict your first, whereas what you would really prefer is to disarm the police. Sadly I don't think that's so practical, in the same way that it would be impractical for US police to go unarmed given the high incidence of gun ownership in the US. I grew up in a country where police are not normally armed (other than with a small baton or similar personal defense weapon) and much prefer that, but when there's a lot of weapons around that's a reality you have to deal with.
As regards these cyberattacks, the NSA is at fault for its poor security allowing the weapons to become available to bad actors, but the mere existence or stockpiling of weapons is not the direct cause of crime. It might be more useful right now to consider who is operating these weapons, where they are firing them from, and how best to neutralize them.
tl;dr when you're under fire is not the time to worry about gun control.
The problem with the gun analogy in your particular argument is that a 'cyber weapon' or exploit is the flip side of a flaw in normal software.
The NSA is in a very weird position because they have a task to protect the systems of the US (Information Assurance) but also to attack those of adversaries.
In this case I think they are legitimately to blame for failing to discharge their assurance duties. They've failed to properly calculate the risk of leaking the exploit and now US interests are harmed because of that failure. This is a direct result of stockpiling exploits and not exposing them to the respective software vendors. In my opinion the security of your own systems is more important the insecurity of that of your adversaries, which is why I believe that the hoarding is bad.
I'm not defending the NSA's poor security of bad strategic choices; the reason I use the gun analogy is that mass -production of weapons is as much the flip side of industrial production as cyber weapons are the flip side of normal software vulnerabilities.
Also, when you're under attack it might be more useful to worry about the identity and source of your attackers than where they stole the weapons from. Weapons facilitate aggression but are not the cause thereof, and we're not the only people who know how or maintain an interest in such weapons.
I think we should have armed police, along with anyone else that's sane. All for the second amendment. Just in the cyber world, it just feels irresponsible because of the unlimited nature the internet has. Also probably the fact, I read posts that get popular on HN from time to time where the researcher does a responsible disclosure is probably influencing that feeling too.
I guess what's standard in the "tech world", is probably totally different in the intelligence community.
Like companies can't protect themselves, if there's no updates. There's basically no defense. Same reason I'm not a fan of nuclear power. Once you make the waste, it's hard to get rid of.
Right, I'm sure the NSA doesn't currently take any effort to secure their trove of 0-days. It's not like they're valuable assets or anything.
Edit: My point is that thinking that requiring the NSA to keep them "as secure as possible" as though that would eliminate risk is just silly. There will always be risk of breach or insider theft, as well as the requirement that the exploits actually be put to use outside some theoretical digital lockbox. And more importantly, there will always be the risk of human error. The only way to ensure this can't happen again is to require disclosure & patching.
Wasn't the story behind the NSA leak that it explicitly wasn't well protected, and was passed relatively freely between contractors and without much in the way of oversight?
Yeah, I am pretty sure all governments do this. Why would they release it if their goal is to get unrestricted access to the public. They don't want those holes patched, so to speak.
I wonder how much of their efforts are deterred when good minded infosec persons find vulnerabilities and report them; remember Heart bleed.
The problem is that the NSA is run by humans. Humans leak things by their own volition. No amount of best practices or levels of trust can change this.
I mean I get it is all to help stop the bad guys, but if you are keeping cyber weapons like this. You should be required to keep them as secure and locked as possible if you don't follow responsible disclosure.
Just like how a cop would keep their weapon on them, instead of sitting it down on the table while eating lunch.