Any state of affairs which creates three impossible positions needs to be fixed. When that state of affairs directly affects the viability of the Internet at its most fundamental level, it needs to be fixed fast. When Cisco declares that it has been placed in an impossible situation by revelations from a security analyst, the analyst claims the same because of Cisco's intransigence, and the rest of us are left wondering if the core routers in the Internet are going to get hacked to pieces, we can reasonably demand a swift solution.
Yet the problem seems intractable. A responsible analyst should of course go to the vendor whose products are compromised and reveal the information in confidence, and the vendor should then work as hard as is reasonable to effect repairs. When the parties disagree about significance and impact, we descend into an intractable mess of motive, ego, profit and face-saving where the right course of action may be impossible to ascertain.
The solution is mediation. We propose a clearing house for security claims, a certifying body composed of vendors, independent industry and government experts, and with strong connections at CIO level. Reports of problems can be made in confidence to the clearing house, which then has the responsibility to negotiate a timetable for the fix with the vendor concerned. It has the sanction of decertifying a product if it is dissatisfied with the vendor's response — a process which will signal to customers that there is a problem without exacerbating it through detailed revelation — and can also reward researchers with recognition worth more than self-publicity.
In the long term, it is too dangerous to rely on one vendor for critical infrastructure. Single points of failure are bad engineering, and a single point of failure with multiple global vulnerabilities is frighteningly bad engineering. It may be that in time it will be a requirement for vendors of critical systems to co-operate at a level that makes proper multi-source redundancy not only possible but simple, and it would be a proper extension of the clearing house's work to encourage the development of such standards.
Meanwhile, all we can do is hope that whatever problems are in Cisco's operating system are fixed rapidly and effectively, and that Michael Lynn really did do the right thing. Hope is a poor substitute for logic; if we want to forestall such problems in the future, we'll have to take a different route.
Talkback
Lynn only showed that this type of attack is possible. He did not realease any source code or an advisory detailing the problem. He did present the idea and flow of operations of this type of attack, which is a good thing. It would be reckless to think that there are not crackers out there right now developing (or worse yet, already developed) this type of attack. The groups, or countries (since everyone is so worried about 'terrorism') that have access to the IOS source code should be able to do this with no problem. Lynn had to reverse engineer/disassemble this with no special access to source. This needed to be brought to light. This presentation, and media attention, will get the problems addressed and fixed in a much more timely fashion. It is doubtful that anyone that would be interested in developing this type of attack (assuming they didn't already have it made) is going to be able to do anything on any scale before this gets patched.
Michael did the right thing. People should be thankful for his sacrifice, not attacking his judgement.