The “Wanna Cry” ransomware attack producing global shockwaves has renewed focus on the activities of the National Security Agency (NSA) and how the government decides to disclose cyber vulnerabilities to the private sector.
The ransomware campaign, which broke out on Friday and has spread to at least 150 countries and 300,000 machines, is widely believed to be based on an NSA hacking tool leaked to the public earlier this year that exploits a vulnerability in Microsoft’s Windows operating system.
Ransomware is a type of malware that blocks access to a target’s data until a ransom is paid, usually in a cryptocurrency such as bitcoins.
Microsoft president and chief legal officer Brad Smith took aim at the U.S. government over the ransomware campaign, describing it as a “wake-up call” for governments to stop “stockpiling” vulnerabilities for intelligence purposes.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote in a blog post on Sunday. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
At issue is the so-called vulnerabilities equities process (VEP) by which the federal government decides whether to provide information about a software vulnerability to the product’s manufacturer. The interagency process was first disclosed by the Obama administration in 2014 and has stoked security and privacy concerns as a result of the few public details that have come out.
Rep. Ted Lieu (D-Calif.) seized on the “Wanna Cry” news Friday to push for legislation that would reform the process.
“Currently the Vulnerabilities Equities Process is not transparent and few people understand how the government makes these critical decisions,” Lieu said in a statement. “Today’s worldwide ransomware attack shows what can happen when the NSA or CIA write malware instead of disclosing the vulnerability to the software manufacturer.”
Microsoft issued a security update for its supported operating systems to patch the vulnerability in March, weeks before hacker group Shadow Brokers published the code of the alleged NSA tool.
But many computers remained vulnerable, either because consumers did not patch them or because the patch did not fit their older operating systems.
It is unclear whether the NSA ever tipped Microsoft off to the vulnerability, though Smith’s statement seemed to suggest it did not.
Either way, the issue has renewed focus on the disclosure of “zero-day” vulnerabilities — those unknown to the manufacturer and, as a result, for which no patch exists.
Michelle Richardson, deputy director for the freedom, security and technology project at the Center for Democracy and Technology, said the latest ransomware campaign underscores the need for more transparency surrounding the vulnerabilities equities process.
She noted that the government provides no metrics on how many zero-days are shared with industry versus those that are not shared.
“We the public need to know the general contour of how they make their decisions,” Richardson told The Hill. “We should know the factors they consider and we should know the scales weigh toward disclosure.”
“It would be deeply troubling if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen,” Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement. “It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner.”
Some, like Richardson, favor codifying the vulnerabilities equities process into law, an idea that has gained traction in the Senate.
A bipartisan pair of senators is preparing to introduce a bill that would do just that. The legislation will be offered by Sens. Brian Schatz (D-Hawaii) and Ron Johnson (R-Wis.) and is expected to add some transparency to the process by designating who is on the VEP review board, CyberScoop reported earlier this year.
The legislation is expected as early as this Wednesday, an aide told The Hill.
Disclosures of intelligence tools used by the U.S. government have periodically contributed to the debate about reforming the vulnerabilities equities process. WikiLeaks, for instance, has been leaking purported CIA hacking tools in recent months, drawing ire from agency Director Mike Pompeo.
When it comes to the ransomware attack, some observe that criticism of the NSA is misplaced, given that Microsoft had patched the vulnerability prior to its disclosure.
Ryan Kalember, an executive at Silicon Valley cyber firm Proofpoint, said the bigger issue is that people didn’t patch their systems even though a patch was offered — and that Microsoft did not offer a free patch for old, unsupported systems until Saturday, after the ransomware started to spread.
“I would actually argue that this was so dangerous that [Microsoft] should have released the patch even to their unsupported systems,” Kalember said. “The only thing the NSA did wrong in this case is to lose the tool in the first place.”
Thus far, the culprit in the ransomware attack is unknown, though researchers have found evidence of a connection between the code in “Wanna Cry” and that used by a North Korean state hacking group known as Lazarus.
On Monday, White House Homeland Security and Counterterrorism Adviser Tom Bossert placed the blame squarely on the hackers. He also knocked down any notion that the tool was “developed by the NSA to hold ransom data.”
Bossert would not say whether he was worried that other leaked hacking tools could similarly be used by cyber criminals.
“The United States more than probably any other country is extremely careful with their processes, about how they handle any vulnerabilities that they’re aware of,” Bossert said.
“That’s something that we do when we know of the vulnerability — not when we’ve lost the vulnerability.”