Should U.S. Hackers Fix Cybersecurity Holes Or Exploit Them?

Bruce Schneier | The Atlantic | May 19, 2014

Maybe someday we'll patch vulnerabilities faster than the enemy can use them in an attack, but we're not there yet.

There’s a debate going on about whether the U.S. government—specifically, the NSA and United States Cyber Command—should stockpile Internet vulnerabilities or disclose and fix them. It's a complicated problem, and one that starkly illustrates the difficulty of separating attack and defense in cyberspace.

A software vulnerability is a programming mistake that allows an adversary access into a system running that software. Heartbleed is a recent example, but hundreds are discovered every year.

Unpublished vulnerabilities are called “zero-day” vulnerabilities, and they’re very valuable because no one is protected. Someone with one of those can attack systems world-wide with impunity...