National Journal: Ransomware Hearing Skirts Issue of NSA’s Cyber-Vulnerabilities Program
One month after the global “WannaCry” ransomware attack hit computer systems in over 150 countries and temporarily crippled the British health care system, cybersecurity experts warned lawmakers that business and government networks in that United States only narrowly avoided a similar fate.
“I view WannaCry as a slow-pitch softball, whereas the next one may be a high and tight fastball coming in. We need to be ready,” Greg Touhill, the former federal chief information-security officer in the Obama White House, told a House Science, Space, and Technology subcommittee meeting Thursday concerning the “lessons learned” from the massive cyberattack.
But while representatives and panelists debated the merits of a federal cybersecurity framework administered by the National Institute of Standards and Technology and discussed the possible complicity of the North Korean government in the attack, they largely ignored the elephant in the room. Only one lawmaker, Rep. Gary Palmer of Alabama, asked the panelists about the theft of the WannaCry exploit from the National Security Agency by hackers, and how to possibly prevent the spread of similar weaponized vulnerabilities that could one day be turned against the United States.
Touhill—who addressed Palmer’s question by decrying the “leakage of information” as “very serious” and “unacceptable”—attributed the lack of discussion on the NSA’s role in the attack as a reluctance to address the issue in a public forum. “In an open hearing it probably would be awkward to have that kind of discussion,” he told reporters after the hearing.
The disinterest likely underscores a broader reluctance to challenge the U.S. intelligence community on the process through which they determine whether to reveal network and software vulnerabilities they discover to the affected companies. Bipartisan legislation was introduced in the House and Senate in the wake of the WannaCry attack that would codify those deliberations—known as the “vulnerabilities-equities process”—and provide greater transparency on when and why the NSA holds on to potent cyberweapons.
That bill—also known as the PATCH Act—does not appear to be gaining traction among House lawmakers. Darin LaHood, chairman of the House Science, Space, and Technology subcommittee on oversight and the co-chair of Thursday’s WannaCry hearing, told National Journal that he hasn’t taken a close-enough look at the bill to form an opinion.
“Encouraging our national security apparatus, as it relates to cybersecurity, to have contact with our corporations has to be an important part of what we look at from a public-policy standpoint,” LaHood said.
The WannaCry exploit utilized last month by the ransomware attackers to break into Microsoft operating systems worldwide is believed to have been developed by the NSA and later stolen by a mysterious hacking group called “The Shadow Brokers.” The hackers first hinted they had stolen the exploit in January, giving the NSA time to contact Microsoft and Microsoft the time to create patches for its vulnerable operating systems. Those patches were released two months before the WannaCry attack, and institutions running the updated systems were largely unaffected by the ransomware.
“Regardless of the NSA exploit that got disclosed—frankly, there were mitigation mechanisms that were in place prior to that attack,” Touhill said after the hearing. “Even though there were widespread alerts from information-sharing organizations—this was labelled by Microsoft as a critical patch, the highest level – why weren’t organizations paying attention and doing their proper patching?”
While he believes that intelligence officials who don’t follow the correct processes in disclosing system vulnerabilities should be held “accountable,” Touhill doesn’t think that the vulnerabilities-equities process should be codified or otherwise be made more transparent. “The actual mechanisms of deliberation and all of that, I think needs to be very closely held, because when we get into those meetings we are talking about the nation’s most sensitive capabilities,” he said.
The PATCH Act was initially sponsored in the House by Reps. Ted Lieu and Blake Farenthold, who so far remain the bill’s only backers. Lieu spokesman Marc Cevasco said the congressman was working on channeling bipartisan congressional interest following the WannaCry attack into hearings on the PATCH Act and the vulnerabilities-equities process.
“Cybersecurity requires a holistic approach—there is no silver bullet,” Cevasco wrote in an email after the hearing. “We need to be thinking about all aspects of the equation, from the companies who make products to consumers that use them, and that often begins with how our government treats vulnerabilities we discover.”
While the origin of the WannaCry exploit was largely ignored, lawmakers did inquire about ways to nudge vulnerable institutions to patch systems in a timely manner. Panelists said companies should be encouraged to invest in training for their employees on the importance of patching immediately, and to conduct real-world training exercises to prepare for the inevitability of an eventual attack.
The lawmakers also discussed whether it made sense to create a national “triage” system to rank the severity of an ongoing cyberattack and encourage a rapid response. “A significant response failure with the WannaCry incident was that there was no real guidance or course of action that was well communicated,” said Salim Neino, CEO of Kryptos Logic, the cybersecurity company that found a “kill switch” embedded in the ransomware.
Neino argued that without such a system, “this incident could have resulted in a complete breakdown of processes had this been an unpatched ‘zero day’ vulnerability and there was no luxury of a ‘kill switch.’” He called for the creation of a scale that would rank the danger of an ongoing attack in a way similar to how the Richter scale measures the intensity of an earthquake.
LaHood agreed with Neino’s characterization, suggesting after the hearing that the United States may have gotten “lucky” through the prior promotion of patches and the mysterious existence of a “kill switch.”
“I think we kind of dodged a bullet with WannaCry,” LaHood said.