First, Do No Harm

Opinion
May 20, 2017

The big news last week was the WannaCry attack on 230,000 computers, including those of big players like the British National Health Service. The attack reveals just how powerless the world is against hacking; the recommended solution for the WannaCry victims is to pay the $300 ransom. A big part of the story will be that the WannaCry hackers used the EternalBlue exploit developed by the United States National Security Agency and leaked to the world by other hackers. The real story, however, is that we not only knew this would happen but also were warned a while ago.

In an August 2016 Washington Post article, national security and technology reporters Ellen Nakashima and Andrea Peterson warned of the dangers of the NSA using software flaws to hack foreign targets. This was shortly after The Shadow Brokers hacker group published several leaks containing hacking tools, which it claimed had been acquired from the NSA. Although the NSA publicly denies the charge, it is widely understood that the NSA hoards and exploits security flaws before software companies themselves find and patch them.

Despite its denials, the NSA does not have a policy of immediately notifying software companies when it finds flaws in their code. Nakashima and Peterson noted, “The government has a process for determining when to share software flaws. Agencies such as the NSA and the FBI are supposed to submit any flaws they discover to a multiagency group of experts, who then weigh whether the advantage of keeping the vulnerabilities secret outweighs the public’s cybersecurity.” In other words, the government is willing to risk a potential threat to citizens of the U.S., and the world, if it thinks it might be able to first exploit the flaw for its own uses.

In a textbook display of hubris, the NSA in-house hackers so overvalue their abilities that they assume their discovery is unique, something no one else will ever find. They assume that they are smarter or luckier (or both) than anyone else in the world. They’re wrong. A key element used in the WannaCry attack came from the NSA, stolen by someone who outsmarted its people.

While hubris might be entertaining in a Greek tragedy, it is dangerous in governments. Despite its high opinion of itself, even the NSA is vulnerable. It might have denied that the Shadow Brokers’ leak came through the NSA, but the world is certain it did. As we saw earlier this spring when WikiLeaks posted a list of code flaws the FBI held, government agencies aren’t without their own security problems.

It’s easy to pick on the United States because we’re fairly open about these things (as governments go), but this is a worldwide problem. If our NSA is finding and holding software flaws, it’s safe to assume there are at least a few other governments doing exactly the same thing. There is an equal probability that the flaws those governments are holding will be revealed. Governments are fallible; the cybersecurity information they withhold will come back to hurt their own people. Governments, corporations, and individuals have an obligation to quickly report any threats they discover. This is not a new idea.

On April 13, 2017, a month before the WannaCry attack, Brad Smith, Microsoft’s president and chief legal officer, called for a Digital Geneva Convention to “establish international norms for responsible nation state behavior in cyberspace.” His blog post focused on cyberattacks by nations — the ultimate reason that nations hoard security flaws. More importantly, he calls for a change in government attitudes. Smith wants the NSA and its worldwide counterparts to stop looking at cybersecurity as something to exploit and begin seeing it as an obligation to protect. He calls for “100 percent commitment to defense and zero percent to offense.” He didn’t specifically address the practice of holding discovered security flaws, but if the NSA had employed the 100 percent defensive strategy he suggests, it would have immediately and aggressively reported the EternalBlue flaw to Microsoft and worked with the company to repair it.

Sunday morning, after Friday’s attack, Smith pointed fingers. His post in April called for a constructive philosophical change; his May 14 post got right to it. “This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action,” Smith wrote. He has a point. Every time any government holds back information on potential security vulnerabilities, it is willingly putting its citizens at risk. While the NSA thought it could use the EternalBlue flaw to protect the interests of the United States, by withholding it until after it had been leaked, it delayed updates, and that delay has cost Americans and the world. Timing is critical in these matters — not only for getting software patched but also for users to install the provided updates. On March 17, 2017, Microsoft issued a patch for the vulnerability used by WannaCry; by May 12, 2017, when the attack occurred, a significant number of users still had not applied the patch.

The hackers who built and circulated the WannaCry Trojan horse are ultimately responsible. Yet, the leak of EternalBlue that led to WannaCry could have been avoided if the NSA had not stored and hoarded the code. While it is not the absolute role of government to protect citizens from cyber threats, it is its moral obligation to not help propagate them.
