Less than a month after much of the United States' digital arsenal was leaked, the vulnerabilities are resurfacing as malware. This could—and should—have been stopped.
Starting Friday, a ransomware worm known as "WannaCry" has infected computers in over 99 countries, hitting both critical infrastructure and ordinary home PCs. Among those affected are the British National Health Service and the German rail operator Deutsche Bahn. The attack is not politically targeted, having spread more or less uniformly across nations and political systems, but its scale cannot be overstated. Within 24 hours it is estimated to have infected over 75,000 computers, and that number is expected to keep growing rapidly. The malware spreads by exploiting a flaw in the SMB file-sharing service of Windows: a single malicious connection to TCP port 445 gives it kernel-level code execution on an unpatched host, with no user interaction, after which it silently encrypts the machine's files and scans for further reachable hosts to infect.
A photo of a computer infected with WannaCry. Courtesy of First Look Media.
WannaCry uses EternalBlue, an exploit for a flaw in the SMBv1 implementation of the Windows operating system, first discovered by the NSA and published by the Shadow Brokers in mid-April. At the time, experts feared the leaked exploits would end up in the hands of profit-driven or political hackers. WannaCry proves them correct.
There was—and still is—a simple solution.
The prevailing practice in the intelligence community is to discover and stockpile software and hardware vulnerabilities. The resulting exploits are used to infiltrate foreign and domestic computer networks, most often for espionage. More often than not, however, the vulnerabilities found by the likes of the NSA and CIA are in software used by millions of people worldwide.
A screenshot of a command-line interface of the EternalBlue exploit.
Take, for example, the vulnerability around which WannaCry was built. The exploit gave the NSA remote, unauthenticated, kernel-level code execution on any reachable machine running the vulnerable SMBv1 service, without the target having to open a file or click a link. Such an exploit is not applicable only to foreign leaders and terrorists; it affects the public as a whole. Instead of notifying Microsoft of the security hole in their operating system, the NSA chose to keep the vulnerability secret.
Had the NSA reported the bug when it found it, Microsoft could have patched Windows and pushed an update long before the leak, rendering the exploit effective only on systems that had not updated. As it happened, Microsoft did ship a fix, MS17-010, in March 2017, one month before the Shadow Brokers dump, but by then the NSA had held the exploit for years. Organizations that had not yet applied the March update, along with out-of-support systems such as Windows XP that received no patch at all until Microsoft issued an emergency one on the day of the attack, were left exposed. For years, the NSA's choice was to keep the SMB exploit in its arsenal of cyberweapons rather than report it.
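For an administrator, the practical question this raises is whether a given Windows host is still exposed the way the NHS machines were: SMBv1 reachable and the March 2017 fix absent. The following PowerShell audit is an added example written for this page, not code from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where Get-SmbServerConfiguration exists), and the KB list is the set of per-version MS17-010 updates, so a host whose fix arrived inside a later cumulative update will not match it.

```powershell
# Added example (not from the original article): audit one Windows host for the
# two conditions that made it a WannaCry target, then remediate the first.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or newer.

# 1. Is the SMBv1 server protocol still enabled? EternalBlue only works against
#    SMBv1, so this single setting decides whether the exploit path exists.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is ENABLED on $env:COMPUTERNAME"
} else {
    Write-Output "SMBv1 is disabled on $env:COMPUTERNAME"
}

# 2. Is one of the original March 2017 MS17-010 updates installed?
#    These are the per-OS-version KB numbers Microsoft published for MS17-010.
#    Caveat: any later cumulative update supersedes them and does NOT show up
#    under these IDs, so "not found" is a prompt to check the update level,
#    not proof of vulnerability.
$ms17010 = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
             'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No original MS17-010 KB found; verify the cumulative update level"
}

# 3. Remediate: turn SMBv1 off. This closes the EternalBlue code path regardless
#    of patch level; the only expected breakage is from legacy SMBv1-only clients.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output "SMBv1 has been disabled"
}
```

Disabling SMBv1 is the durable fix; patching alone leaves the protocol listening for the next SMBv1 bug. On a network, the same worm was stopped at the perimeter wherever inbound TCP/445 was blocked, so a host audit like this is best paired with a firewall check.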
Circulating within the United States government is a policy known as the "Vulnerabilities Equities Process" (VEP), which dictates when government agencies must reveal software vulnerabilities to manufacturers for fixing and when they may keep them undisclosed. The general guideline is that a vulnerability which could prove valuable to the intelligence community is retained. When it is in the public interest to fix a vulnerability and the vulnerability holds little value to the intelligence community, it is disclosed.
A declassified section of the VEP mandate. Courtesy of the Electronic Frontier Foundation.
However, the VEP is not law; it is merely a policy instituted and enforced by the executive branch. Under the Obama administration it was applied selectively, and under the Trump administration it may not be enforced at all.
Because the panels which decide whether to disclose or stockpile a vulnerability consist almost exclusively of members of the intelligence community, they nearly always rule in favor of nondisclosure. They do so in the name of United States national security, yet their refusal to disclose vulnerabilities almost without exception leaves the United States more vulnerable.
Ideally, the WannaCry attack would ignite a global conversation around responsible disclosure: the idea that the NSA and its sister agencies have a responsibility to report the vulnerabilities they discover to software manufacturers and maintainers so they can be fixed. WannaCry demonstrates that such vulnerabilities can cause immense damage in the wrong hands, and that they will almost inevitably end up there.
The United States intelligence community has a responsibility to the very same national security interest that it protects to disclose the vulnerabilities that it discovers. Indeed, by choosing not to disclose vulnerabilities, the US intelligence community weakens the global cyber infrastructure and makes the United States more vulnerable to attack.
As the WannaCry ransomware attack demonstrates, there is no guarantee that the exploits discovered will remain within the agency. Nowadays, it seems almost inevitable that they will find their way out.
Furthermore, there is no guarantee that a hostile actor, be it North Korea, Russia, or "some man who weighs 400 pounds", will not discover the vulnerability independently. The affected software, whether proprietary like Windows or open source, is available for anyone to study, and there is no reason to assume a hostile actor could not find the same flaw on their own.
As a result, by not disclosing the vulnerabilities it discovers to the appropriate software manufacturers or maintainers, the United States intelligence community is knowingly leaving itself and the American people defenseless against attacks from foreign adversaries.
Additionally, the vulnerabilities that put the public at the greatest risk often offer little to no value to the intelligence community itself. Stuxnet, the US-Israeli cyberattack on the Iranian nuclear program, carried a payload aimed narrowly at Siemens industrial controllers, although the Windows flaws it used to spread were general-purpose. The vulnerability behind WannaCry, by contrast, sat in a network service present on nearly every Windows machine. Despite that breadth, the NSA knowingly opted to keep it undisclosed.
Had the NSA disclosed the vulnerability behind WannaCry when it found it, Friday's attacks would likely not have taken place. The NHS would still be functioning smoothly, Germany's trains would remain punctual, and Russia's interior ministry would not have had to substitute pen and paper for email. Because the NSA chose to stockpile the vulnerability instead, the global cyber infrastructure has ended up in the perilous state it is in.
We have yet to see whether WannaCry will have far-reaching consequences for the United States' own national infrastructure. While WannaCry and the exploit behind it have already had a profound impact on Great Britain, Russia, and Germany, only time will tell whether the NSA's exploit will return home to wreak havoc on the very systems the NSA was created to protect.