The National Security Agency (NSA) is supposed to protect American citizens from high-tech threats. But who will protect Americans from their screw-ups?
Last week, countries around the world reeled as a virulent piece of ransomware (which forcibly encrypted local data, then demanded payment in bitcoins to release the files) spread through tens of thousands of computer systems, including in banks and hospitals. Russia was worst hit, but the U.K. suffered serious damage as well, with its National Health Service suffering serious disruptions to medical services.
The story got much more infuriating when experts figured out that the computer worm was a slightly modified version of an exploit built by the NSA — one stolen by the "Shadow Brokers" and leaked over the internet. Luckily, a 22-year-old British researcher accidentally tripped the worm's off switch, containing the damage — at least for now. Different versions have already cropped up without that off-switch, though none as yet has spread to the same degree.
It's time for American security agencies to actually start securing the safety of American computer networks — and the first step is to stop building and stockpiling computer security exploits.
As Charles Stross explains, neither the worm nor the ransomware adaptation of it were exactly masterpieces of cyber crime. The worm only worked on older Windows computers which hadn't disabled legacy file-sharing. What's more, when the Shadow Brokers leaked all the NSA tools, Microsoft had actually already released updates to patch most of its vulnerabilities (suggesting someone had tipped them off about what had been hacked).
Additionally, the ransomware's off-switch was simply a long gobbledygook domain name that was hard-coded into the program. It turned out the worm checked to see if the domain was active before it delivered its payload, so when the security researcher stumbled across it and registered it out of curiosity, he accidentally stopped the spread of the worm.
However, it turns out there are tons and tons of computers still running outdated version of Windows, and tons and tons of people who procrastinate about annoying software updates — or don't even know how to do them. Even a poorly designed, weak piece of malware can do terrible damage when directed at the most outdated computer networks.
This brings me back to the NSA. If you ask why they are building and stockpiling security exploits for the most common operating systems, they will say it's for espionage operations against foreign enemies.
But the actual benefits of such things are highly questionable. Probably the most successful one ever was the fearsome Stuxnet worm, which did moderate damage to Iranian uranium enrichment facilities back in 2009. But the damage was quickly repaired, and did not do nearly as much to control the Iranian nuclear program as the diplomatic agreement signed under President Obama.
Conversely, as we are seeing today, the damage from building and piling up malware is potentially catastrophic. The NSA obviously cannot secure its own networks, and so any such weapon is one misstep away from falling into the hands of foreign governments, gangsters, or terrorists. And again, this worm was rather amateurish, and built from known materials — thus giving Microsoft a bit of a head start for patches. But suppose some real professionals secretly hacked unknown NSA zero-day exploits, and built a worm designed to attack American financial systems or critical infrastructure?
If we had any sense, we would be dedicating at least the majority of our computer security spending to, you know, security: investigating, upgrading, and maintaining American computer systems to defend them against attack. (In reality, it's roughly 90 percent offense, 10 percent defense.) The NSA could probe commercial software for vulnerabilities, and then quietly inform the developer so they could be patched, as Microsoft President Brad Smith argues. Second, instead of trying to coerce tech companies to build back doors into their devices and software, the government could help them with security, particularly user-friendly end-to-end encryption. They could help support open-source software ecosystems, which are part of many pieces of critical internet infrastructure.
Perhaps most importantly, the government could help keep older operating systems secure (like Windows XP, which Microsoft was forced to update this week after abandoning it three years ago), and help people upgrade their equipment and software.
Of course, the NSA will do nothing of the sort. They helplessly define "national security" in a way that excludes their own failures enabling crime and terrorism. But if we had a lick of sense, we'd just abolish the NSA and start a new agency with a more sensible definition.