Defense One | By: Amy Zegart | June 29, 2017:

It is hard to imagine more fitting names for code-gone-bad than WannaCry and Eternal Blue. Those are just some of the computer coding vulnerabilities pilfered from the National Security Agency’s super-secret stockpile that have been used in two separate global cyber attacks in recent weeks. An attack on Tuesday featuring Eternal Blue was the second of these to use stolen NSA cyber tools—disrupting everything from radiation monitoring at Chernobyl to shipping operations in India. Fort Meade’s trove of coding weaknesses is designed to give the NSA an edge. Instead, it’s giving the NSA heartburn. And it’s not going away any time soon.

As with most intelligence headlines, the story is complicated, filled with good intentions and unintended consequences.

Home to the nation’s codebreakers and cyber spies, the NSA is paid to intercept communications of foreign adversaries. One way is by hunting for hidden vulnerabilities in the computer code powering Microsoft Windows and all sorts of other products and services that connect us to the digital world. It’s a rich hunting ground.

The rule of thumb is that one vulnerability can be found in about every 2,500 lines of code. Given that an Android phone uses 12 million lines of code, we’re talking a lot of vulnerabilities. Some are easy to find. Others are really hard.

Companies are so worried about vulnerabilities that many—including Facebook and Microsoft—pay “bug bounties” to anyone who finds one and tells the company about it before alerting the world. Bug bounties can stretch into the hundreds of thousands of dollars.

The NSA, which employs more mathematicians than any organization on Earth, has been collecting these vulnerabilities. The agency often shares the weaknesses they find with American manufacturers so they can be patched. But not always. As NSA Director Mike Rogers told a Stanford audience in 2014, “the default setting is if we become aware of a vulnerability, we share it,” but then added, “There are some instances where we are not going to do that.” Critics contend that’s tantamount to saying, “In most cases we administer our special snake bite anti-venom that saves the patient. But not always.”

In this case, a shadowy group called the Shadow Brokers (really, you can’t make these names up) posted part of the NSA’s collection online, and now it’s O.K. Corral time in cyberspace. Tuesday’s attacks are just the beginning. Once bad code is “in the wild,” it never really goes away. Generally speaking, the best approach is patching. But most of us are terrible about clicking on those updates, which means there are always victims—lots of them—for cyber bad guys to shoot at.

WannaCry and Eternal Blue must be how folks inside the NSA are feeling these days. America’s secret-keepers are struggling to keep their secrets. For the National Security Agency, this new reality must hit especially hard. For years, the agency was so cloaked in secrecy, officials refused to acknowledge its existence. People inside the Beltway joked that NSA stood for “No Such Agency.”

When I visited NSA headquarters shortly after the Snowden revelations, one public-affairs officer said the job used to entail watching the phones ring and not commenting to reporters. Now, the NSA finds itself confronting two wicked problems—one technical, the other human. The technical problem boils down to this: Is it ever possible to design technologies to be secure against everyone who wants to breach them except the good guys? Many government officials say yes, or at least “no, but…”

In this view, weakening security just a smidge to give law-enforcement and intelligence officials an edge is worth it. That’s the basic idea behind the NSA’s vulnerability collection: “If we found a vulnerability, and we alone can use it, we get the advantage.” Sounds good, except for the part about “we alone can use it,” which turns out to be, well, dead wrong.
