Finger-pointing over the recent WannaCry ransomware attack has begun in earnest, and it doesn’t lack for culprits, though North Korea is the main focus. But in the blame-game, other candidates for criticism have emerged - none other than the NSA and Microsoft.
Leading the parade of pundits, polls and executives in casting their gaze at the NSA and its ilk is Microsoft’s president, Brad Smith (as you might expect, given that it was Windows computers that were hit in the attack - more on that later).
The NSA’s “collect it all” offensive, fueled by its voracious appetite for information, led to it “stockpiling” software weaknesses. It then lost control over its “weapons,” much to the chagrin of Smith and others. Likening the situation to security over military weaponry, which is carefully guarded, Smith opined:
“This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
He makes a point, but that doesn’t exonerate Microsoft in this mess. At the root of the problem is the secretive stockpiling of weaknesses in companies’ systems by government agencies, usually without alerting the companies in question to these flaws. Had they been alerted, Microsoft (in this case) could have rewritten its software to correct the problem.
This is not by happenstance, it should be noted. No, it is a dedicated, concerted effort to withhold valuable information from private companies (and thus the public) in the name of national security. This initiative has a name - the Vulnerabilities Equities Process (VEP).
The VEP is meant to balance the advantages gained by keeping a given software vulnerability secret against the potential risks to the world at large. This, by the way, seems to be a mirror image of less formal programs, whereby the government has refused to pursue convictions - and let the perpetrators walk - rather than reveal details of its secretive dealings (most notably in the Stingray cases). In those instances, the government would not divulge information about the systems, at the behest of the manufacturer, Harris Corporation.
The VEP is more dangerous, and the problem more widespread, than in the case of Stingray prosecutors dropping charges. When agencies amass such troves of information, they are tempting fate. It is a ticking time bomb: sooner or later the information leaks to bad actors. Washington, it appears, is now rife with leaks - maybe more so than ever.
This may explain the WannaCry ransomware attack. Our nation’s secret-keepers have not been able to keep their weapons safe from the likes of the Shadow Brokers and WikiLeaks.
California congressman Ted Lieu (D-CA), calling for legislation to address the VEP situation, said:
“Today’s worldwide ransomware attack shows what can happen when the NSA or CIA write malware instead of disclosing the vulnerability to the software manufacturer.”
The agencies’ tools have not only been stolen and co-opted; they have been weaponized against important institutions globally, including hospitals, universities, and corporations.
There’s blame enough in this debacle to go around. The NSA is culpable for discovering vulnerabilities in various versions of Windows and writing programs that allow American spies to penetrate computers running Microsoft’s operating system. One such program, code-named ETERNALBLUE, allowed WannaCry to spread as quickly and uncontrollably as it did last week. No, the NSA didn’t create WannaCry, but its negligence allowed it to percolate.
Next, Microsoft is guilty of allowing millions of users to keep running outdated software (some of it as much as 15 years old) and of not making clear that users of old software would be vulnerable to the new realities. Finally, we (computer owners and IT administrators) cannot find ourselves blameless, for not keeping software current.
Of course, given Microsoft’s shoddy operating systems, its writing of insecure code, and its dropping of support for older versions of Windows still widely used, our negligence is understandable. And so goes the blame game.
It is almost a stalemate, insofar as law enforcement and spy types want to continue to develop weapons in the shadows, and companies such as Microsoft want to sell products, which means onward and upward, without paying much attention to what went before. Call it militarism versus profit maximization.
What’s your opinion? Where do you stand? Do you think that the NSA over-prioritizes developing means to deter adversaries over the privacy and safety of the ordinary citizen? Or do you think that the pendulum has swung too far toward national security at all costs? Another important question to consider: Just where does the average citizen stand in what appears to be a never-ending race to the bottom?