Skip to main content

CNN: Attack sparks debate on when spy agencies should disclose cyber holes

May 14, 2017

The massive cyberattack ricocheting around the globe has reignited a debate: When should spy agencies disclose security vulnerabilities in companies' software?

The ransomware attack carried out Friday has hit some 200,000 hospitals, companies and government offices in more than 150 countries.

The attack was spread through a vulnerability that was leaked last month in a trove of hacking tools believed to belong to the NSA.

The NSA and other spy agencies look for software vulnerabilities and then build tools to target and exploit them. Under current laws, they don't have to report the flaws to the company at risk. Instead, they can use them for intelligence gathering or law enforcement.

The leaked hacking tools publicized a vulnerability in Windows, Microsoft's ubiquitous computer operating system.

Microsoft released a patch in March, but computers and networks that hadn't updated their systems were still at risk.

The ransomware, called WannaCry, locked down all the files on an infected computer and asked the computer's administrator to pay in order to regain control of them.

Late Friday, Representative Ted Lieu announced he is working on legislation to reform the Vulnerabilities Equities Process, which is how the government decides when to disclose vulnerabilities. Lieu said it is "deeply disturbing" the NSA likely wrote the original malware used to ransom computers.

"[The] worldwide ransomware attack shows what can happen when the NSA or CIA write malware instead of disclosing the vulnerability to the software manufacturer," Lieu said in a statement.

Microsoft issued a patch one month before it was leaked publicly, but it's unclear when or if the NSA told the company about the vulnerability. Lieu said the current disclosure process is not transparent, and often misunderstood.

Neema Singh Guliani, legislative counsel at the ACLU, said the ransomware attack raises questions about agencies stockpiling vulnerabilities instead of responsibly disclosing them.

"It's particularly concerning when you're talking about widely-available software, when the impact on the people is going to be the public at large, not the handful of targets an agency might have," Singh Guliani told CNNTech.

Some privacy advocates say that if the NSA had disclosed the vulnerability when it was first discovered, the outbreak may have been prevented

Edward Snowden, the whistleblower who exposed the broad scope of NSA surveillance in 2013, tweeted, "If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened."

However, security researchers say firms that fail to keep their software up-to-date are also responsible for the ransomware outbreak. Organizations had two months to update their Microsoft products, which would have protected their systems.

"You can't force businesses to patch critical Windows vulnerabilities," said Adrian Sanabria, founder of security firm Savage Security. "No matter how this was disclosed or when it was disclosed, some percentage of businesses would not have applied."

UK hospitals were among the organizations affected by the ransomware outbreak. They were forced to reschedule patients, and people were warned to stay away from emergency rooms if possible.

In 2016, Motherboard reported hospitals across the UK run old, outdated Windows systems -- legacy technology that no longer receives updates. Those facilities are not unique. In the U.S., for instance, the federal government relies on legacy systems, spending $60 billion each year to maintain old technology, while spending just $20 billion on modernization.

Organizations running older Windows software couldn't patch immediately because there was no patch available. However, in an unusual move, Microsoft released updates on Friday for some versions it no longer supports.

Consumers and businesses who have updated to the most recent Microsoft Windows software are protected from WannaCry.

Researchers say this type of ransomware will continue. While this particular ransomware was inadvertently stopped, hackers could modify the code and try again.

Mark Mager, senior researcher at security firm Endgame, said it's the most prevalent and effective example of ransomware worming through networks around the world.

"Ransomware developers and attackers tend to borrow, copy and steal techniques and software from each other," he said. "Since this WannaCry attack has been so effective thus far, it is quite likely that this is the first of many ransomware attacks that leverage exploits to effectively spread their payloads throughout the Internet."