This week’s worldwide cybersecurity crisis is just the latest black eye for the National Security Agency and its practice of stockpiling secret means of snooping into computer systems.
That’s because whoever launched the global series of ransomware assaults is using a flaw in Microsoft Windows that the U.S. spy agency had apparently exploited for years — until someone leaked the NSA’s hacking tools online and allowed cyber criminals to copy them.
Now, critics ranging from Microsoft to Vladimir Putin to fugitive NSA leaker Edward Snowden are denouncing the agency’s practice of stockpiling computer vulnerabilities for its own use instead of informing the developers or manufacturers so they can plug the holes. And some privacy advocates and technology experts want Congress to make the agency rein in the practice.
Here’s POLITICO’s summary of where that debate stands:
How did hackers get ahold of the NSA’s tools?
That’s a good question. But the ransomware racing around the globe is based on a cache of apparent NSA hacking software and documents that a group calling itself “the Shadow Brokers” posted online on April 14. (Shadow Brokers first began making these kinds of dumps last year.) The Trump and former Obama administrations have refused to confirm that the NSA had lost control of its tools, but former intelligence officials say the leaked material is genuine.
How the hacking tools escaped the NSA is unknown. But there are three main possibilities: An NSA employee or contractor went rogue and stole the files; a sophisticated adversary such as the Russian government hacked into the spy agency and took them; or an NSA hacker accidentally left the files exposed on a server being used to stage a U.S. intelligence operation, and someone found them.
Contractors, who can lack the institutional loyalty of regular employees, have long been a source of heartache to the intelligence community, from the 2013 Snowden leaks to the arrest last year of Harold Martin, a Maryland man charged with stealing reams of classified files and hoarding them in his home.
Which NSA tool are the hackers using?
It appears to be a modified version of an NSA hacking tool, a software package dubbed “ETERNALBLUE,” that was buried in the Shadow Brokers’ leak.
The tool took advantage of a flaw in a part of Windows called the Server Message Block, or SMB, protocol, which connects computers on a shared network. In essence, the flaw allows malware to spread across networks of unpatched Windows computers, a dangerous prospect in the increasingly connected world.
After the cache leaked, cybersecurity researchers, realizing that the SMB vulnerability could expose organizations to massive hacks, “reverse engineered” the tool, checking how it worked and evaluating how to defeat it. These researchers posted their work online to crowdsource and accelerate the process.
But their work also helped digital thieves. At some point, the criminals behind the ransomware attack grabbed the reverse-engineered exploit and incorporated it into their malware.
This separated their attack tool from previous popular iterations of ransomware. Whereas normal ransomware locks down an infected computer’s files and stops there, this variant can jump from machine to machine, infecting entire businesses like the internet’s earliest computer worms.
What did the NSA do after learning of the theft?
The spy agency probably warned Microsoft about the vulnerability soon afterward. Microsoft released a patch for computer users to repair the flaw in March, a month before the Shadow Brokers leak.
But that’s not good enough for civil liberties advocates, who want stricter limits on how long the government can hold onto vulnerabilities it discovers.
“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” said Patrick Toomey, a national security attorney at the American Civil Liberties Union, in a statement. “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”
The agency’s defenders disagree. “That nobody else discovered these vulnerabilities as far as we know suggests that it is right for the NSA to hold onto them if they have confidence that nobody else has a copy of their tools,” Nicholas Weaver, a researcher at the University of California in Berkeley, told POLITICO. “It actually is a problem that the NSA can’t or won’t claim credit for properly notifying Microsoft. The NSA did the right thing, and they aren’t getting the credit for it they deserve.”
Is this a new controversy for the NSA?
No. But the crisis that began on Friday is giving it prominence like never before.
Privacy advocates and tech companies have long criticized the U.S. spy agencies for keeping knowledge of security flaws a secret and building hacking tools to exploit them. And they say it’s especially bad when the government can’t keep its secret exploits out of the hands of cyber criminals.
“When [a] U.S. nuclear weapon is stolen, it’s called an ‘empty quiver,’” tweeted Snowden, whose 2013 leaks exposed the vast underbelly of the government’s spying capacity. “This weekend, [the NSA’s] tools attacked hospitals.”
Microsoft President Brad Smith also denounced the NSA’s inability to secure its tools. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” he wrote in a weekend blog post.
Putin later picked up that theme, telling reporters in Beijing that U.S. intelligence agencies were clearly “the initial source of the virus.”
“Once they’re let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators,” the Russian leader said.
But former national security officials say the government needs to build hacking tools to keep the U.S. safe. And White House homeland security adviser Tom Bossert downplayed the possible origin of the code Monday.
“Regardless of the provenance of the exploit here used,” he told ABC, “who is culpable are the criminals that distributed it and the criminals that weaponized it, added additional details to it, and turned this into something that is holding ransom data but also putting at risk lives and hospitals.”
What’s Congress doing?
The government uses a system called the “Vulnerability Equities Process” to determine whether and when agencies must tell companies about code flaws they discover. Following recent spy agency leaks, former government officials, cyber experts and tech companies have proposed changes to the VEP that would limit the intelligence community’s ability to hoard vulnerabilities.
Some are calling for Congress to act.
Those include Rep. Ted Lieu, a California Democrat with a computer science degree, who has led the charge to reform the VEP.
Lieu, a leading congressional voice on cybersecurity, called the process “not transparent” in a statement Friday, saying “few people understand how the government makes these critical decisions.” The ransomware campaign, he added, “shows what can happen when the NSA or CIA write malware instead of disclosing the vulnerability to the software manufacturer.”
But Lieu’s bill is unlikely to become law. Not only does the intelligence community have numerous defenders in Congress, but politicians simply aren’t paying much attention to the issue. Lawmakers haven’t rushed to join Lieu in calling for VEP changes. There have only been a few hearings on ransomware in recent years, and no pending legislation mentions either ransomware or the VEP.
Martin Matishak contributed to this report.