AMERICAN TAXPAYERS may be funding attacks on themselves. A report in the New York Times tracks the fallout from a two-year-old leak of a cache of National Security Agency hacking tools — designed to target U.S. adversaries but harnessed by cybercriminals to attack people, businesses and governments all over the globe.
The Times connects the NSA’s loss of control over malware called EternalBlue to the virtual kneecapping of Baltimore. Hackers are demanding roughly $100,000 in bitcoin to restore access to thousands of computers and bring back essential services to civilians. Some information security experts dispute the connection in this case, but the striking reality remains: The NSA built something that bad actors have used to cause billions of dollars in damage, and there are still no answers on how it happened or who was responsible.
The NSA routinely searches for security vulnerabilities in popular software. The question, when it finds one, is whether to inform the manufacturer of the flaw so that it may fix it — or keep the problem quiet and exploit it. EternalBlue harnessed a bug in Microsoft’s software, but the company did not learn about it until more than five years after the NSA uncovered it, after the agency’s systems had been breached and the hacking tool stolen.
It’s certainly true that malicious states, hacking collectives and individuals are hunting for vulnerabilities as rigorously as the NSA is, and it is possible that one of them would have found the problem if the U.S. government had not. It’s also true that institutions that have failed to install the patch that Microsoft provided to fix the flaw, two years later, bear some responsibility for remaining at risk. Even more important, especially when it comes to critical infrastructure, companies and cities alike should try to ensure their systems are dependable before depending on them — setting them up to be robust against attack rather than just to work.
But the NSA has a great responsibility, too. Weaponized computer code can be a crucial tool in counterterrorism and counterintelligence investigations, and in the case of EternalBlue, it was. Yet this code can also be crucial to enemies. The NSA has a process in place for evaluating when to disclose vulnerabilities, but the guidelines dictating tool development, disclosure and protection deserve outside input and scrutiny. The country still needs answers on how these tools fell into the wrong hands in the first place. It also needs mechanisms in place to keep them in the right ones going forward.