THE KEY

The National Security Agency took an exceptionally rare step last week when it disputed a New York Times report that one of its hacking tools was used in a ransomware attack that has crippled Baltimore city services for more than three weeks.

The organization once nicknamed “No Such Agency” typically stays tight-lipped about stories it believes are incorrect or misleading. The rare exception underscores that the NSA, whose reputation has taken numerous blows in recent years, is trying to avoid the further hit that would surely come if its tools were linked to the Baltimore attack.

The NSA has been facing intense scrutiny over whether it can keep its hacking tools out of adversaries’ hands. EternalBlue, the powerful tool the Times reported was used in the Baltimore attack, was stolen from the NSA and leaked online by a group called Shadow Brokers in 2016. It has since appeared in numerous hacking campaigns — including WannaCry, North Korea’s 2017 global ransomware operation.

But the impact of those attacks was spread over numerous international and domestic targets, whereas the optics of a U.S. government tool forcing offline a major American city in a single, high-visibility attack are especially bad, Jason Healey, a former White House cybersecurity official during the George W. Bush administration, told me in an email.

“This truly brings the pain home,” said Healey, who is now a senior research scholar at Columbia University's School for International and Public Affairs.

What's more, it could earn the attention of lawmakers. The global companies hit by EternalBlue “are not represented in Congress. Baltimore is,” Healey said.

And the more the public learns about EternalBlue attacks, the more the focus stays on the massive Shadow Brokers leak, which remains shrouded in mystery, Jake Williams, a former NSA hacker who founded the company Rendition InfoSec, told me.

"The biggest issue that NSA wants to avoid talking about is that they still don't know who the Shadow Brokers are or how the exploits were leaked," Williams said. "I think they know that those questions will follow from any EternalBlue discussion."

The agency’s pushback started Thursday when NSA Senior Adviser Rob Joyce swiped at the Times story during a speech at a cybersecurity conference. He suggested the NSA shouldn’t be held responsible for any EternalBlue hacks in 2019 because organizations have had two years to update their systems to protect against it.

“Focusing on a single exploit, especially one that has a patch that was issued years ago, is really short-sighted,” Joyce said.

Then on Friday, Rep. Dutch Ruppersberger (D-Md.) said NSA officials told him that there was no evidence EternalBlue was used in the Baltimore attack. Ruppersberger’s district includes the NSA and part of Baltimore.

Ruppersberger added, however, that he wasn’t letting the NSA off the hook for instances in which EternalBlue was used against U.S. targets.

“Our country needs cyber tools to counter our enemies, including terrorists, but we also have to protect these tools from leaks,” he said. “We can’t ignore the damage that past breaches have done to American companies and, possibly, American cities.”

Ruppersberger’s statement didn’t settle the matter for some cyber pros, however.

Some of them pointed out that saying that the NSA doesn’t have “any evidence” that EternalBlue was used leaves open the possibility that there is indeed a connection to be found, but the NSA doesn’t have it.

Here’s former NSA attorney and current executive editor of the Lawfare blog Susan Hennessey:

And security researcher Robert Graham:

It’s also possible EternalBlue was part of the attack but didn’t leave clear traces, Williams noted.

The Times, meanwhile, stood by its story. In a follow-up story, reporters Scott Shane and Nicole Perlroth said sources directly involved in the investigation had told them that four separate contractors working on restoring Baltimore’s IT services had discovered EternalBlue. The sources said the hackers used the tool to move rapidly across the city’s networks.

“This week, the contractors discovered an additional software tool, called a web shell, on Baltimore’s networks. They believe the web shell may have been used in conjunction with EternalBlue and another hacking technique known as ‘pass-the-hash,’ which uses stolen credentials, to spread the ransomware,” the Times reported.

That description worried some cyber pros, however, who thought the contractors might be confused. Here’s former NSA hacker Robert M. Lee, founder of the cybersecurity company Dragos.

PINGED, PATCHED, PWNED

PINGED: The Justice Department won’t charge WikiLeaks founder Julian Assange with a crime for publishing a trove of leaked CIA hacking tools dubbed Vault 7, Politico’s Natasha Bertrand reported.

“It’s a move that has surprised national security experts and some former officials, given prosecutors’ recent decision to aggressively go after the WikiLeaks founder on more controversial Espionage Act charges that some legal experts said would not hold up in court,” Bertrand reported.

The decision was partly sparked by concerns that a public trial on those charges would force the government to reveal even more secrets about CIA hacking operations, Bertrand reported. The CIA has never officially acknowledged the Vault 7 leak.

Assange — who spent seven years avoiding U.S. charges by holing up in the Ecuadoran Embassy in London — was initially charged with computer hacking for offering to help Chelsea Manning crack the password on a Defense Department network. The Espionage Act charges — which First Amendment activists say come dangerously close to criminalizing journalism — were added later.

“DOJ has charged one person in the Vault 7 theft,” Bertrand reported. “A former CIA employee, Joshua Schulte, was indicted for transmitting the Vault 7 documents to WikiLeaks. He has pleaded not guilty and his trial is set for November.”

PATCHED: As the clock ticks down to 2020, the Department of Homeland Security is still falling short on efforts to secure state and local election infrastructure, the department’s internal watchdog says.

The department hasn’t completed all the necessary plans to identify and mitigate digital election threats or established metrics to gauge whether its election security efforts are successful, the department’s inspector general said in a semiannual report to Congress released last week.  

The report cited “senior leadership turnover and a lack of guidance and administrative staff” as the main hindrances, as well as long lag time to give new employees security clearances.

“Additional staff could enhance DHS’ ability to provide technical assistance and outreach to state and local election officials during elections,” the report states.

Here’s more on the report from FCW’s Mark Rockwell.

PWNED: Secretary of State Mike Pompeo warned German officials Friday that the United States may withhold intelligence from them if they allow the Chinese telecom Huawei to build any portion of their next-generation 5G wireless networks, Reuters's David Brunnstrom reported.

Trump administration leaders have made similar threats in the past, but rarely so directly.

“(There is) a risk we will have to change our behavior in light of the fact that we can’t permit data on private citizens or data on national security to go across networks that we don’t have confidence (in),” Pompeo told a news conference after meeting with German Foreign Minister Heiko Maas.

Pompeo also said that the United States' European allies “will take their own sovereign decisions, (but we) will speak to them openly about the risks . . . and in the case of Huawei the concern is it is not possible to mitigate those anywhere inside of a 5G network,” Reuters reported.

PUBLIC KEY

Cybersecurity news from the public sector:

The indictment of a former researcher at Los Alamos National Laboratory appears to signal a new front in the government’s crackdown on China’s efforts to get access to sensitive U.S. scientific research.
Yahoo News

As the department starts monitoring activity on unclassified networks, officials need to update policies and procedures to keep the program effective and constitutional.
Nextgov

Yevgeniy Nikulin is headed back to court. The Russian accused of hacking a number of sites, including LinkedIn and Dropbox, was ruled fit to stand trial in a May 29 decision by U.S. District Judge William Alsup.
Cyberscoop

Military prosecutors downplay effort to track emails of lawyers defending Navy SEAL charged with murder
Julie Watson and Brian Melley | AP

ALEXANDRIA, Va. (AP) — Lawyers for former Army intelligence analyst Chelsea Manning are renewing efforts to get her released from a northern Virginia jail. Manning's lawyers filed court...
Associated Press

PRIVATE KEY

-- Reuters reporter Joseph Menn’s book "Cult of the Dead Cow" — focused on one of the earliest hacking collectives, which counted a teenage Beto O’Rourke among its members — will be coming out this week. Check out this excerpt courtesy of Wired — focused on the early cybersecurity firm @Stake whose employees included many of today’s top cybersecurity researchers and executives.

More cybersecurity news from the private sector:

Huawei Technologies Co. has spent 15 years and billions of dollars building an advanced semiconductor maker, with the goal of making the Chinese telecom giant self-sufficient. A U.S. blacklisting stands to set it back years in that goal.
Wall Street Journal

Facebook Inc. lost its bid to have Irish courts rehear a challenge to its EU-to-U.S. cross-border data transfer methods, setting the stage for a battle before the European Union’s top court.
Bloomberg Law

Checkers Drive-In Restaurants says hackers compromised payment machines at more than 100 of the fast-food company’s locations, providing the latest example of how buying a drive-through cheeseburger can come with the risk of a data breach.
Cyberscoop

Microsoft has issued its second advisory this month urging users to update their systems to prevent a re-run of attacks similar to WannaCry.

An 18-year-old security researcher made headlines earlier this year with KeySteal, a macOS hack. Now he's showing the world how it worked.
Wired

THE NEW WILD WEST

Cybersecurity news from abroad:

China is set to establish an “unreliable entity list” of foreign companies and individuals that “seriously damage” Chinese enterprises, a spokesperson for China’s Commerce Ministry announced Friday.
The Hill