The “Wanna Cry” ransomware attack producing global shockwaves has renewed focus on the activities of the National Security Agency (NSA) and how the government decides to disclose cyber vulnerabilities to the private sector.
The ransomware campaign, which broke out on Friday and has spread to at least 150 countries and 300,000 machines, is widely believed to be based on an NSA hacking tool leaked to the public earlier this year that exploits a vulnerability in Microsoft’s Windows operating system.
Ransomware is a type of malware that blocks access to a target’s data until a ransom is paid, usually in a cryptocurrency such as bitcoin.
Microsoft president and chief legal officer Brad Smith took aim at the U.S. government over the ransomware campaign, describing it as a “wake-up call” for governments to stop “stockpiling” vulnerabilities for intelligence purposes.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote in a blog post on Sunday. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
At issue is the so-called vulnerabilities equities process (VEP) by which the federal government decides whether to provide information about a software vulnerability to the product’s manufacturer. The interagency process was first disclosed by the Obama administration in 2014 and has stoked security and privacy concerns as a result of the few public details that have come out.
Rep. Ted Lieu (D-Calif.) seized on the “Wanna Cry” news Friday to push for legislation that would reform the process.
“Currently the Vulnerabilities Equities Process is not transparent and few people understand how the government makes these critical decisions,” Lieu said in a statement. “Today’s worldwide ransomware attack shows what can happen when the NSA or CIA write malware instead of disclosing the vulnerability to the software manufacturer.”
Microsoft issued a security update for its supported operating systems to patch the vulnerability in March, weeks before the hacker group Shadow Brokers published the code of the alleged NSA tool.
But many computers remained vulnerable, either because their owners did not apply the patch or because the patch did not cover their older operating systems.
It is unclear whether the NSA ever tipped Microsoft off to the vulnerability, though Smith’s statement seemed to suggest it did not.
Either way, the issue has renewed focus on the disclosure of “zero-day” vulnerabilities — those unknown to the manufacturer and, as a result, for which no patch exists.
Michelle Richardson, deputy director for the freedom, security and technology project at the Center for Democracy and Technology, said the latest ransomware campaign underscores the need for more transparency surrounding the vulnerabilities equities process.
She noted that the government provides no metrics on how many zero-days are shared with industry versus those that are not shared.
“We the public need to know the general contour of how they make their decisions,” Richardson told The Hill. “We should know the factors they consider and we should know the scales weigh toward disclosure.”
“It would be deeply troubling if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen,” Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement. “It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner.”