"WannaCry was an example of a [US NSA] state-developed cyber weapon turned against its creators. The core exploit, Eternal Blue, is believed to have been created by the US National Security Agency (NSA)."...
May 16, 2017, "NSA officials worried about the day its potent hacking tool would get loose. Then it did." Washington Post,
9/18/2017, "Take Cybersecurity Away From Spies-For Everyone's Sake," Chathamhouse.org, Emily Taylor. ("Emily Taylor is CEO of Oxford Information Labs and editor of the Journal of Cyber Policy." Article first published at Wired UK)
"Our online intelligence services need freedom from the state."
"Until 1994, GCHQ, the British signals intelligence agency, didn't officially exist. Now, it has emerged out of the shadows to take a very public role at the heart of British cybersecurity.
Public accountability for intelligence services is crucial to any democracy but, as the recent WannaCry ransomware attack showed, there are inevitable conflicts of interest between the role of intelligence services and network safety.
The past seven years have seen a dramatic change in profile for GCHQ. While the number of police officers has been cut by 14 per cent since 2010, GCHQ's staff numbers - according to the Home Office - have grown by more than ten per cent in the same period.
At the same time, it has been loaded with additional responsibilities, including the fight against distribution of child-abuse images on the dark web, money laundering and financial fraud.
This was made official when, in February 2017, it assumed responsibility for making the UK "the safest place to do business online" through the National Cyber Security Centre (NCSC).
This rapid increase in power is the result of GCHQ's own competence. A dearth of expertise in government has led to a reliance on the intelligence service to fill gaps.
However, one of the core roles of intelligence agencies is covert operations.
Weaving public-safety responsibility into a secret and secretive operation is always likely to cause conflicts of interest.
WannaCry was an example of a [US NSA] state-developed cyber weapon turned against its creators.
The core exploit, Eternal Blue, is believed to have been created by the US National Security Agency (NSA), who presumably intended to keep it secret. Then, in April 2017, it was leaked, along with a suite of hacking tools targeting Windows PCs.
The same leak contains powerful exploits that could be weaponised by state adversaries, organised crime or by anyone possessing basic technical knowledge - as we saw with the Petya ransomware attack in Eastern Europe.
Had the NSA chosen to inform Microsoft of the vulnerability, there would
have been no Eternal Blue, and no WannaCry. But intelligence agencies
have a different motivation: they want to keep such "zero-day"
vulnerabilities secret for potential development into a cyber weapon.
This is the challenge the [UK] National Cyber Security Centre faces. By its
own description, the NCSC was set up "to help protect our critical
services from cyber attacks, managing major incidents and improve the
underlying security of the UK internet".
Part of that would include informing suppliers such as Microsoft of the discovery of major vulnerabilities. But the NCSC cannot do that if it's also hoarding vulnerabilities for its boss, GCHQ.
If security services could keep their secrets safe, perhaps none of this
would be a problem. But the NSA's leaks show that even the best intelligence agencies are not invulnerable to hacking.
Eternal Blue was published online by the mysterious group of hackers known as the Shadow Brokers, which began releasing secrets in 2015. Their drop followed a release by WikiLeaks of nearly 9,000 documents exposing hacks developed by the CIA.
We do not know how these details were released, but it's easy to see
how leaks could develop. Security professionals such as those at the
NCSC believe strongly in their work combating threats to the safety of
the network, so the practice of hoarding zero-day vulnerabilities would
be troubling to them.
Within intelligence agencies such as GCHQ, it can be difficult to raise concerns internally, increasing the potential security threat from insiders. If an employee's legitimate worries aren't being heard, it could lead to whistle-blowing - with a disastrous impact on national security.
Loading responsibility for public cyber-safety on to the intelligence
services is bad for both public safety and national security. It also
risks diverting resources and energies away from national security and
covert operations.
The WannaCry attack should provide an opportunity to separate two key roles: clandestine signals intelligence and the cyber security of...critical national infrastructure.
The best way to start: make the National Cyber Security Centre (UK) independent from GCHQ (UK)."
"This article was originally published by Wired Magazine [UK]"
........................
Added: NSA failed to secure its own specially created hacking tools causing them to be published on the internet, thus available to state adversaries, organized crime, and ordinary hackers, to be used against the US:
12/19/2017, "Hold North Korea Accountable for WannaCry-And the NSA, Too," Wired, Greenberg
"Root Cause"
"WannaCry's origins stretch back to April [2017], when a group of mysterious hackers calling themselves the Shadow Brokers publicly released a trove of stolen NSA code. The tools included an until-then-secret hacking technique known as EternalBlue, which exploits flaws in a Windows protocol known as Server Message Block to remotely take over any vulnerable computer.
While the NSA had warned Microsoft about EternalBlue after it was stolen, and Microsoft had responded with a patch in March, hundreds of thousands of computers around the world hadn't yet been updated. When WannaCry appeared the next month, it used the leaked exploit to worm through that massive collection of vulnerable machines, taking full advantage of the NSA's work.
Exactly how the Shadow Brokers obtained the NSA's highly protected arsenal of digital penetration methods remains a conundrum....