Stop Blaming the NSA for the Ransomware Attack

This April 12, 2016 file photo shows the Microsoft logo in Issy-les-Moulineaux, outside Paris, France. The cyberextortion attack hitting dozens of countries was a “perfect storm” of sorts.

MICHEL EULER

An inside look at how the intelligence community deals with the exploitable software bugs it finds.

Friday’s global ransomware attack has reignited the debate about how the U.S. intelligence community conceals or reveals knowledge about critical software bugs. As confirmed by a former NSA official, WannaCry exploited a vulnerability stockpiled by the agency and exposed in last year’s Shadow Brokers dump. But how much blame should the NSA bear for WannaCry’s rampage across 200,000-plus computers in 130 countries?

On the one hand, the intelligence community really does keep a trove of zero-day bugs. Spies need them to intercept communications — and much more, according to Michael Daniel, an Obama-era White House cybersecurity coordinator.

“Disclosing a vulnerability can mean that the U.S. forgoes an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks. So automatic disclosure is not always the right policy choice,” said Daniel in an email to Defense One.

Yet the notion that the NSA simply hoards every bug it discovers is false. Since July 2011, Daniel said, representatives from various agencies and departments have periodically assembled to discuss newly discovered bugs and vulnerabilities. They vote on each one: reveal or conceal?

When the vote is to conceal, the decision will be revisited in three months to a year, depending on the bug’s attributes and, Daniel said, a wide range of surrounding factors. How dangerous could it be if a criminal gang or adversary began using it? Would the intelligence community be able to detect its use? How badly do spies need the intelligence that the bug might yield? Can they get it another way? Could they use the bug for a short period of time and then disclose it? Can it be patched?

Former NSA officials have praised the process.

“You’ve heard my deputy director say that in excess of 80-something percent of the vulnerabilities are actually disclosed — responsibly disclosed — to the vendors so that they can then actually patch and remediate for that,” Curtis Dukes, the NSA’s former deputy national manager for national security systems, said at an American Enterprise Institute event in October. “So I do believe it’s a thoughtful process that we have here in the U.S.”

Dukes said that the impetus to conceal an exploit vanishes when it is used by a criminal gang, adversarial nation, or some other malefactor.

“We may choose to restrict a vulnerability for offensive purposes,” like breaking into an adversary’s network, he said. “But that doesn’t mean we’re not also constantly looking for signs whether or not another nation-state or criminal network has actually found that same vulnerability and now are using it. As soon as we see any indications of that, then that decision immediately flips, and we move to disseminate and remediate.”

The NSA has made no comment on the bug that enabled WannaCry. But Microsoft issued a patch on March 14, even before the Shadow Brokers dump, which suggests either that the IC disclosed the bug or at least did not succeed in keeping it a secret.

The problem is that many institutions didn’t install the patch, Microsoft President Brad Smith wrote on Sunday in a blog post: “While [the patch] protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.”

What conclusion can we draw from the WannaCry episode? For one, the NSA process for disclosing zero-days is not broken. But the decision to disclose a vulnerability is only as good as the intelligence about what different gangs or adversaries are up to. And the situation may improve, with more intelligence, better reporting from the field, and better reporting from vendors to the public.

Daniel offered a few more ways to improve the system: “In the future, I think we need to arrive at some metrics for measuring how severe and exploitable a particular vulnerability is. For example, some zero-days may require you to have physical access to a system to exploit it. That’s obviously a very different threat than one that can be exploited remotely. I think we need to have a more standardized way to assess zero-day vulnerability severity.”
