Ransomware assault brings calls for national cybersecurity policy amid government hoarding of attack tools
The massive ransomware attack that continued to spread Monday into Asia highlights a key issue for the United States: the lack of a coordinated national system to decide when and how government agencies should alert others to critical security flaws they find.
The “WannaCry” malware attack highlights the tension between tech companies that want to know about security vulnerabilities to protect their customers, and the government’s reliance on those flaws for counterterrorism and law enforcement. Like hackers, agencies such as the NSA and CIA hunt for software flaws to gain access to computers and systems, leaked government data has suggested.
“We could use a national cybersecurity policy,” said Gartner cybersecurity analyst Avivah Litan. “The federal government has really dropped the ball on cooperation between the tech companies and the government agencies.”
Thousands more infections were reported Monday, largely in Asia, striking computers that had been shut down before the malware first hit Europe early Friday. Globally, the attack appeared to be waning, after affecting more than 200,000 victims in at least 150 countries, many of them still struggling to deal with the problem.
The “WannaCry” malware exploited a flaw in Microsoft Windows that the U.S. National Security Agency had found and developed into a hacking tool. The vulnerability had been stolen from the NSA and then dumped onto the internet by a hacking group. Those behind the malware attack used the flaw to get into Windows systems.
Few people have paid the ransom — $300 in bitcoin digital currency, rising to $600 after a period of time — demanded by the malware, Europol spokesman Jan Op Gen Oorth told The Associated Press.
While authorities can and do use security flaws to gather intelligence, companies such as Microsoft want to be told about vulnerabilities so they can patch the holes in their security and protect their users from attacks such as WannaCry. Microsoft had recently issued a patch to fix the flaw, but many computers had not been updated.
“Should we have a policy about a matter that puts us at grave risk every day?” asked John Cary Sims, a law professor at University of the Pacific’s McGeorge School of Law. “Yeah, we ought to.”
With the interests of government agencies and tech firms often at odds, Sims said, a national cybersecurity policy or regulations are needed to set out when notifying companies about a government-identified flaw becomes more important than secretly hanging onto it.
“There needs to be a structure that establishes the priorities and there also needs to be clear lines of authority as to who’s going to make the decisions,” Sims said.
The federal government has a policy called the “Vulnerabilities Equities Process” that addresses when agencies should tell companies about security flaws, but that policy has only been partially made public and its process remains opaque, cybersecurity experts said.
“There are some rules and some policy that can be introduced where everybody knows how the government is going to handle these certain situations,” said Greg Martin, CEO of San Francisco cybersecurity firm JASK and a former cybersecurity adviser to the FBI, Secret Service and NASA.
“The government can’t do this alone — they’re really going to have to reach out and work with Apple, with Microsoft and Google,” Martin said.
But policy making isn’t necessarily the only solution, said Casey Ellis, CEO of San Francisco cybersecurity company Bugcrowd.
“The problem with suggesting policy is the answer to problems like this is it suggests that there’s an easy answer,” Ellis said. “I don’t think there is one.”
Ellis favors a more transparent process for the government and close cooperation with the cybersecurity community, which can offer tremendous knowledge and resources in the battle against cybercrime and national security threats, as the British researcher lauded for helping stem the WannaCry attack showed, he said.
The Electronic Frontier Foundation also called for more visibility into the government’s use of security flaws, saying WannaCry “points to the need for transparency into and reform of how the government handles software vulnerabilities it retains.”