
Don’t Blame NSA for Making the WannaCry Cyberattack Program – Newsweek

This article first appeared on the Council on Foreign Relations site.

When giving talks on cybersecurity, I often get asked what keeps me up at night.

My short and glib answer is my four-year-old (he really is a horrible sleeper). I certainly don't sit up at night worrying about a cyberattack on the power grid or the manipulation of the stock market by cybercriminals.


In fact, nothing I ever saw in classified channels about a cyber threat cost me a wink of sleep.

Other intelligence did, though, about planned terrorist attacks and nuclear proliferation and other horrors managed by other directorates. During the year I spent working on counterterrorism at DHS before I went to work on cybersecurity at the White House, I spent many nights wondering if we had made the right decisions to counter some very dangerous threats.

So when it comes to WannaCry, I don't discount the possibility that the closure of hospital ERs and the rescheduling of operations may have cost lives.

Many pundits in the field seem to agree with Edward Snowden, who told the Guardian that the NSA should have disclosed the vulnerability exploited by the malware when they found it, not when they lost it.

Yet, even Snowden hedges on whether disclosure would have prevented the attack: "If the NSA had disclosed the vulnerability earlier, the attack may not have happened" (emphasis added).

Snowden hedges because no amount of warning would have been enough to get Windows XP out of hospitals, or get hospitals to install the latest patches in a timely manner. If NSA had disclosed the vulnerability years ago, it would likely still remain exploitable today.

But I am also attuned to the reality that the intelligence collected by NSA through exploiting this vulnerability likely saved lives, possibly many.

Contrary to prevailing sentiments in the privacy community, NSA does not exploit vulnerabilities for its own amusement. I don't know what intelligence NSA collected using this exploit kit. What I do know is that it is difficult to overstate the importance of signals intelligence to our national security.

This picture, taken on November 3, 2016, shows a list of viruses at the LHS (High Security Laboratory) of INRIA (National Institute for Research in Computer Science and Automation) in Rennes, France. Robert K. Knake writes that the NSA deserves blame for losing the exploit kit but not for developing it in the first place. DAMIEN MEYER/AFP/Getty

That vulnerability may have been exploited to gather intelligence vital to negotiating the Iranian nuclear deal, slowing North Korea's program, or, yes, stopping a terrorist attack.

NSA deserves blame for losing the exploit kit, not for developing it in the first place. I am deeply disturbed that seven years after the Manning leaks, and four years after the Snowden leaks, we still don't have good protections against insider threats within the defense and intelligence community.

But NSA is a spy agency. More specifically, it is a signals intelligence agency. In the 21st century, that means it will, for certain missions, need to develop and exploit zero day vulnerabilities and not release them to the public.

Contrary to what Microsoft President Brad Smith has written, this incident doesn't show the dangers of stockpiling vulnerabilities. There is no evidence that NSA was hoarding hundreds or thousands of vulnerabilities it was not using (stockpiling). Instead, it shows they were actively exploiting a small number of very useful vulnerabilities.

Smith is right that this incident is comparable to the U.S. military having some of its Tomahawk missiles stolen. To continue the analogy, his solution suggests that the theft of a Tomahawk missile should mean that the U.S. government should remove them from its arsenal instead of tightening security controls around them.

We can blame NSA for poor operational security (though we should applaud them for getting information to Microsoft so a patch could be issued two months ago).

We can blame the criminals behind WannaCry for targeting hospitals.

And we can blame hospital administrators for wanting the benefits brought with the IT revolution without taking on the costs of securing or updating those systems.

But we can't blame the NSA for spying. That's what they do.

Robert K. Knake is the Whitney Shepardson senior fellow at the Council on Foreign Relations.


After WannaCry, a new bill would force the NSA to justify its hacking tools – The Verge

After last week's massive ransomware attack shut down machines around the world, the NSA, which knew of the exploit before it was public, became a target for criticism. Microsoft patched the problem before the attack, but it's still raised questions about how, and when, the NSA decides to hold on to software vulnerabilities.

The Protecting Our Ability to Counter Hacking Act of 2017

A new bill would help bring accountability to how the NSA deals with those vulnerabilities. Introduced by Sen. Brian Schatz, the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act, would establish a legal framework for the process, requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available.

The law would also legally establish a review board with high-ranking members of the federal government. The board would be chaired by the secretary of homeland security and include agency directors from the intelligence community as well as the secretary of commerce. The law would also require annual reports to Congress on the board's activities.

A version of the government's process, known as the "vulnerabilities equities process," has been in place for some time, although its exact details are unclear. A version of the board already exists, but some have criticized the process as opaque, and a law would go some way toward binding the federal government to the system.

The NSA most famously faced criticism for its exploit process in 2014, when Bloomberg reported that the agency had exploited the Heartbleed bug, which exposed vulnerabilities in devices around the world. (The agency denied the report.) Microsoft obliquely criticized the US after the WannaCry ransomware attack last week, calling the incident a wake-up call about vulnerability hoarding.


Shadow Brokers hacker group says more NSA leaks to come – CBS News

The WannaCry ransomware never could have escalated as far as it did without the Shadow Brokers. And the hacker group has just resurfaced.

The malware has ensnared up to 300,000 computers in more than 150 countries, locking up devices in hospitals, schools and businesses unless they pay up. It's been able to spread quickly by sneaking through an infected computer's network, using an exploit in a standard sharing tool called Server Message Block found in outdated Windows computers.


The exploit, codenamed EternalBlue, was first discovered by the NSA, but leaked to the world after the Shadow Brokers stole the agency's hacking arsenal. The group, quiet since August, returned Tuesday with a warning for the National Security Agency and the rest of the world: There are going to be more leaked tools.

"In June, TheShadowBrokers is announcing 'TheShadowBrokers Data Dump of the Month' service," the group wrote in its open letter on the Steemit website Tuesday. "Is being like wine of month club."

The hacker group claims that it still has 75 percent of the US's cyber arsenal, and could release tools that exploit browser, router and phone vulnerabilities, as well as compromised network data from Russia, China, Iran and North Korea.

The Shadow Brokers originally tried selling off the stolen tools in an auction, but backed down after receiving no bidders. In the Tuesday letter, they said they weren't "interested in stealing grandmothers' retirement money," but wanted to send a message to the Equation Group, a hacking group linked to the NSA.

The Shadow Brokers said they'll release more details about their monthly data dump in June, including how interested subscribers could sign up. And after the massive success of WannaCry's ransomware breach, there's certainly much more demand.


"They've proven that these are highly effective tools in their possession, so people are going to be very interested in purchasing this, especially other criminals," Sean Dillon, a senior security analyst at RiskSense said. "They still have the government's tools, and they want to make money off of it."

It's already earned the hackers behind WannaCry more than $70,000 in just four days. The same EternalBlue exploit has also been used to infect computers with Adylkuzz, malware that stealthily enslaves your PC to mine for cryptocurrency, according to researchers at Proofpoint.

Once somebody gets the data dump from the Shadow Brokers, Dillon said, the exploits would most likely become public. At the end of the letter, the hacker group hinted the NSA could make all these problems go away if the agency paid up for the tools.

When the Shadow Brokers first put the leaked tools up for sale, they demanded 1 million bitcoins, which then translated to $580 million. Currently, that amount is worth $1.76 billion.

"They can't pay anywhere close to the mark," Dillon said.


This article originally appeared on CNET.

2017 CBS Interactive Inc. All Rights Reserved.


is calling out the NSA

After the WannaCry cyberattack hit computer systems worldwide, Microsoft says governments should report software vulnerabilities instead of collecting them. Here, a ransom window announces the encryption of data on a transit display in eastern Germany on Friday. AFP/Getty Images

When the National Security Agency lost control of the software behind the WannaCry cyberattack, it was like "the U.S. military having some of its Tomahawk missiles stolen," Microsoft President Brad Smith says, in a message about the malicious software that has created havoc on computer networks in more than 150 countries since Friday.

"This is an emerging pattern in 2017," Smith, who is also chief legal officer, says in a Microsoft company blog post. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."

On affected computers, the WannaCry software encrypts files and displays a ransom message demanding $300 in bitcoin. It has attacked hundreds of thousands of computers, security experts say, from hospital systems in the U.K. and a telecom company in Spain to universities and large companies in Asia. And the software is already inspiring imitators, as the Bleeping Computer site reports.

The malware behind WannaCry (also called WannaCrypt, Wana Decryptor or WCry) was reported to have been stolen from the NSA in April. And while Microsoft said it had already released a security update to patch the vulnerability one month earlier, the sequence of events fed speculation that the NSA hadn't told the U.S. tech giant about the security risk until after it had been stolen.

With his new statement, Smith seems to be confirming that version of events.

Two months after Microsoft issued its security patch, thousands of computers remained vulnerable to the WannaCry attack. That prompted the company to issue another patch on Friday for older and unsupported operating systems such as Windows XP, allowing users to secure their systems without requiring an upgrade to the latest operating software.

Urging businesses and computer users to keep their systems current and updated, Smith says the WannaCry attack shows the importance of collective action to fight cybercrime.

But he aimed his sharpest criticisms at the U.S. and other nations.

The attack, Smith says, "represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today: nation-state action and organized criminal action."

International standards should compel countries not to stockpile or exploit software vulnerabilities, Smith says. He adds that governments should report vulnerabilities like the one at the center of the WannaCry attack.

Governments "need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world," Smith says, urging agencies to "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Smith's blog post did not address another factor in the ransomware's spread, one that hints at the difficulty of uniting against a hacking attack: Users of pirated Microsoft software are unable to download the security patch, forcing them to fend for themselves or rely on a third-party source for a solution.


The ‘WannaCry’ malware: A public service announcement …

The particularly nasty computer program dubbed WannaCry that attacked hospitals, businesses and government agencies around the world this past weekend was like a cybercrime highlight reel, a compilation of by-now familiar elements (conscience-free cybercriminals, an obscure vulnerability in Microsoft Windows, older and ill-maintained corporate computer networks, and computer users tricked into opening booby-trapped email attachments) that played out on an epic scale.

What's different this time is that the hackers apparently had considerable help from the U.S. government. They used a stolen tool reportedly developed by the National Security Agency to exploit a hidden weakness in the Windows operating system and spread their ransomware far and wide. The tool was one of many linked to the NSA that were leaked online last year, then finally decrypted in April for use by anyone with the requisite coding skills.

It's tempting to howl at the NSA for not alerting companies like Microsoft when its researchers find vulnerabilities in their products. The reality, though, is that doing so would reduce the effectiveness of cybertools that have become an integral part of modern efforts by agencies like the NSA to fight terrorism, international criminal organizations and rogue states. What's needed is a better effort to determine if and when a vulnerability discovered by the feds represents too great a threat to keep it secret from the potential victims. That's a difficult balance to strike, and the decision shouldn't be made solely by the executive branch without the input of independent experts and, potentially, lawmakers.

The even more important lesson here is that years, even decades, of warnings from security experts simply aren't getting through to the public. WannaCry should not have reached disastrous proportions: Microsoft released a patch that could close the vulnerability in March, well before the NSA's tool was decrypted. Yet tens of thousands of computers weren't updated, allowing the malware the room it needed to spread.

The problem could easily get much, much worse as more routine devices become smart, Internet-connected ones. Evidently we need stronger incentives not just for companies to release more secure products, but also for users to keep them updated and protect their data with encryption and backups. That's what lawmakers and federal officials should be focusing on, not on trying to discourage consumers from using encryption on their smartphones, or on building stockpiles of malware based on vulnerabilities they alone have found.

Follow the Opinion section on Twitter @latimesopinion and Facebook
