Private sector cybersecurity companies are increasingly stuck with difficult decisions when it comes to publicizing research into malware. Over the past few years, nation-states have increasingly devoted time, money and man-hours to creating sophisticated weapons that wreak havoc once they are unleashed on the internet.
When private companies find these nation-state tools and break them apart for examination, the dynamic gets complicated very quickly: No longer are they just trying to figure out who is responsible — they have to tiptoe around the ramifications of how a public report could impact relationships with governments around the world.
Beyond merely attributing sophisticated malware, large-scale cybersecurity firms are often left with tough questions: Should those based in the United States avoid publicly releasing research on cyber-espionage campaigns if they look to be conducted by allied governments? What does a company owe its clients when handling homegrown digital threats? Do these companies have a plan of action for upending a government program if and when their research goes public?