National Journal: Ransomware Hearing Skirts Issue of NSA’s Cyber-Vulnerabilities Program

One month after the glob­al "Wan­naC­ry" ransom­ware at­tack hit com­puter sys­tems in over 150 coun­tries and tem­por­ar­ily crippled the Brit­ish health care sys­tem, cy­ber­se­cur­ity ex­perts warned law­makers that busi­ness and gov­ern­ment net­works in that United States only nar­rowly avoided a sim­il­ar fate.

"I view Wan­naC­ry as a slow-pitch soft­ball, where­as the next one may be a high and tight fast­ball com­ing in. We need to be ready," Greg Touhill, the former fed­er­al chief in­form­a­tion-se­cur­ity of­ficer in the Obama White House, told a House Sci­ence, Space, and Tech­no­logy sub­com­mit­tee meet­ing Thursday con­cern­ing the "les­sons learned" from the massive cy­ber­at­tack.

But while rep­res­ent­at­ives and pan­el­ists de­bated the mer­its of a fed­er­al cy­ber­se­cur­ity frame­work ad­min­istered by the Na­tion­al In­sti­tute of Stand­ards and Tech­no­logy and dis­cussed the pos­sible com­pli­city of the North Korean gov­ern­ment in the at­tack, they largely ig­nored the ele­phant in the room. Only one law­maker, Rep. Gary Palmer of Alabama, asked the pan­el­ists about the theft of the Wan­naC­ry ex­ploit from the Na­tion­al Se­cur­ity Agency by hack­ers, and how to pos­sibly pre­vent the spread of sim­il­ar weapon­ized vul­ner­ab­il­it­ies that could one day be turned against the United States.

Touhill—who ad­dressed Palmer's ques­tion by de­cry­ing the "leak­age of in­form­a­tion" as "very ser­i­ous" and "un­ac­cept­able"—at­trib­uted the lack of dis­cus­sion on the NSA's role in the at­tack as a re­luct­ance to ad­dress the is­sue in a pub­lic for­um. "In an open hear­ing it prob­ably would be awk­ward to have that kind of dis­cus­sion," he told re­port­ers after the hear­ing.

The dis­in­terest likely un­der­scores a broad­er re­luct­ance to chal­lenge the U.S. in­tel­li­gence com­munity on the pro­cess through which they de­term­ine wheth­er to re­veal net­work and soft­ware vul­ner­ab­il­it­ies they dis­cov­er to the af­fected com­pan­ies. Bi­par­tis­an le­gis­la­tion was in­tro­duced in the House and Sen­ate in the wake of the Wan­naC­ry at­tack that would co­di­fy those de­lib­er­a­tions—known as the "vul­ner­ab­il­it­ies-equit­ies pro­cess"—and provide great­er trans­par­ency on when and why the NSA holds on to po­tent cy­ber­weapons.

That bill—also known as the PATCH Act—does not ap­pear to be gain­ing trac­tion among House law­makers. Dar­in La­Hood, chair­man of the House Sci­ence, Space, and Tech­no­logy sub­com­mit­tee on over­sight and the co-chair of Thursday's Wan­naC­ry hear­ing, told Na­tion­al Journ­al that he hasn't taken a close-enough look at the bill to form an opin­ion.

"En­cour­aging our na­tion­al se­cur­ity ap­par­at­us, as it relates to cy­ber­se­cur­ity, to have con­tact with our cor­por­a­tions has to be an im­port­ant part of what we look at from a pub­lic-policy stand­point," La­Hood said.

The Wan­naC­ry ex­ploit util­ized last month by the ransom­ware at­tack­ers to break in­to Mi­crosoft op­er­at­ing sys­tems world­wide is be­lieved to have been de­veloped by the NSA and later stolen by a mys­ter­i­ous hack­ing group called "The Shad­ow Brokers." The hack­ers first hin­ted they had stolen the ex­ploit in Janu­ary, giv­ing the NSA time to con­tact Mi­crosoft and Mi­crosoft the time to cre­ate patches for its vul­ner­able op­er­at­ing sys­tems. Those patches were re­leased two months be­fore the Wan­naC­ry at­tack, and in­sti­tu­tions run­ning the up­dated sys­tems were largely un­af­fected by the ransom­ware.

"Re­gard­less of the NSA ex­ploit that got dis­closed—frankly, there were mit­ig­a­tion mech­an­isms that were in place pri­or to that at­tack," Touhill said after the hear­ing. "Even though there were wide­spread alerts from in­form­a­tion-shar­ing or­gan­iz­a­tions—this was la­belled by Mi­crosoft as a crit­ic­al patch, the highest level – why wer­en't or­gan­iz­a­tions pay­ing at­ten­tion and do­ing their prop­er patch­ing?"

While he be­lieves that in­tel­li­gence of­fi­cials who don't fol­low the cor­rect pro­cesses in dis­clos­ing sys­tem vul­ner­ab­il­it­ies should be held "ac­count­able," Touhill doesn't think that the vul­ner­ab­il­it­ies-equit­ies pro­cess should be co­di­fied or oth­er­wise be made more trans­par­ent. "The ac­tu­al mech­an­isms of de­lib­er­a­tion and all of that, I think needs to be very closely held, be­cause when we get in­to those meet­ings we are talk­ing about the na­tion's most sens­it­ive cap­ab­il­it­ies," he said.

The PATCH Act was ini­tially sponsored in the House by Reps. Ted Lieu and Blake Far­enthold, who so far re­main the bill's only back­ers. Lieu spokes­man Marc Cevasco said the con­gress­man was work­ing on chan­nel­ing bi­par­tis­an con­gres­sion­al in­terest fol­low­ing the Wan­naC­ry at­tack in­to hear­ings on the PATCH Act and the vul­ner­ab­il­it­ies-equit­ies pro­cess.

"Cy­ber­se­cur­ity re­quires a hol­ist­ic ap­proach—there is no sil­ver bul­let," Cevasco wrote in an email after the hear­ing. "We need to be think­ing about all as­pects of the equa­tion, from the com­pan­ies who make products to con­sumers that use them, and that of­ten be­gins with how our gov­ern­ment treats vul­ner­ab­il­it­ies we dis­cov­er."

While the ori­gin of the Wan­naC­ry ex­ploit was largely ig­nored, law­makers did in­quire about ways to nudge vul­ner­able in­sti­tu­tions to patch sys­tems in a timely man­ner. Pan­el­ists said com­pan­ies should be en­cour­aged to in­vest in train­ing for their em­ploy­ees on the im­port­ance of patch­ing im­me­di­ately, and to con­duct real-world train­ing ex­er­cises to pre­pare for the in­ev­it­ab­il­ity of an even­tu­al at­tack.

The law­makers also dis­cussed wheth­er it made sense to cre­ate a na­tion­al "triage" sys­tem to rank the sever­ity of an on­go­ing cy­ber­at­tack and en­cour­age a rap­id re­sponse. "A sig­ni­fic­ant re­sponse fail­ure with the Wan­naC­ry in­cid­ent was that there was no real guid­ance or course of ac­tion that was well com­mu­nic­ated," said Salim Neino, CEO of Kryp­tos Lo­gic, the cy­ber­se­cur­ity com­pany that found a "kill switch" em­bed­ded in the ransom­ware.

Neino ar­gued that without such a sys­tem, "this in­cid­ent could have res­ul­ted in a com­plete break­down of pro­cesses had this been an un­patched ‘zero day' vul­ner­ab­il­ity and there was no lux­ury of a ‘kill switch.'" He called for the cre­ation of a scale that would rank the danger of an on­go­ing at­tack in a way sim­il­ar to how the Richter scale meas­ures the in­tens­ity of an earth­quake.

La­Hood agreed with Neino's char­ac­ter­iz­a­tion, sug­gest­ing after the hear­ing that the United States may have got­ten "lucky" through the pri­or pro­mo­tion of patches and the mys­ter­i­ous ex­ist­ence of a "kill switch."

"I think we kind of dodged a bul­let with Wan­naC­ry," La­Hood said.