12 July 2017

WannaCry, NotPetya: Worm Me Once, Shame on You; Worm Me Twice…

JASON HEALEY

The newest ransomware attack called NotPetya has re-ignited the debate ongoing since the earlier WannaCry attack. Cybersecurity experts, policymakers, and citizens affected have all asked: who is to blame for these attacks?

The underlying vulnerability in both these attacks is based on a Microsoft vulnerability, which was discovered and extensively used by the National Security Agency, before being lost or stolen, and subsequently publicly released by the Shadow Brokers, a group thought to the connected to Russia.

In that sense, this is undeniably NSA’s fault. If not for their finding the bug and developing this exploit, none of this would have happened in this way. But is this important?

My colleagues in the cybersecurity community generally touch on six different and often overlapping centers of blame.

One group blames companies for not patching the original NSA vulnerability, and they’re certainly not wrong. Enterprise IT teams have had months since the Microsoft patch, and on top of that, the scare from WannaCry to take care of this. No doubt, companies that focus on the basics like patching are less likely to be victims.

Other colleagues might accept this generally but stress we shouldn’t blame the victim, and anyhow, this NotPetya spread by other means, not just the NSA vulnerability. And yes, both of these have some truth as well.

A third group pins the blame on Microsoft, which continues to have vulnerabilities in their code and can be complex to update: “By leaving security holes that have to be patched, it’s analogous to putting a car on the market with a defective fuel system,” Michael Rustad, a law professor at Suffolk University Law School in Boston, told the LA Times. But this was a stronger argument weeks ago after WannaCry hit which should have prompted a rush of emergency patching. Worm me once, shame on you; worm me twice…

Anyhow, Microsoft software is much more secure than it used to be, and the company seems to have developed the patch with alacrity once informed by the government. Other colleagues focus on the response to the malware itself. To them, blame (and attribution) can be a distraction from this new and dangerous kind of malware. Usually this group of hard-core computer security experts want to stay focused on better protection, detection, and response. A few, though, might be considered “offensively minded” and don’t want any potential blame to NSA to slow down important espionage, military, and law enforcement efforts: “exploits save lives” when in the hands of the U.S. government.

A fifth group is very, very ready to blame the culprit who really wrote the worm, with early evidence pointing to Russia for NotPetya and North Korea for WannaCry. Before any confirmation, expect a lot of assessment both about whether this was meant to be disruption or extortion, and who was behind it.

Finally, there are those who reserve important blame for NSA, who found the vulnerability, developed the tool, and then lost it. A stinging article in the New York Times emphasized the NSA role as did Microsoft’s leadership

Cybersecurity, especially when nations are involved, is a hideously complex issue, and complexity usually means that fault is distributed widely through the system.

All these perspectives have validity, and each in its own way suggests different but useful solutions.

Hopefully these attacks spark progress across the entire range: attention from board directors on patching quickly and more money to do so; more secure code and maybe liability to hold vendors accountable; grants from the Department of Homeland Security to speed response and improve malware analysis; sanctions and other punishments on North Korea and Russia; and, yes, more accountability for NSA.

More accountability for NSA needs to be more than just tweaks to the current Vulnerabilities Equities Process currently used by the White House to decide when to keep vulnerabilities to itself.

In a democracy, we are being asked to allow our militaries and agencies to conduct not just secret operations, but ones that are based on vulnerabilities in products in which modern society and commerce depend.

In the face of our dependence and trust, they need to exercise exceptional care and diligence and have intrusive oversight. They have not shown that, and for that, there needs to be consequences.

No comments: