Cyber security experts across 150 countries have been at their wits’ end since last Friday, when the ransomware called WannaCry held gullible Internet users to ransom. In the wake of these attacks, cyber security experts are scrambling to figure out the details and take preventive measures against further propagation of the virus. Given the extensive nature of the attacks and the enormous number of variables and unknowns, security experts and companies are still far from identifying the culprit. The United States’ National Security Agency (NSA) is among the suspects.
Whoever it was, the methodology points to a highly professional organisation that employs some very talented hackers. Fingers are already beginning to point in the direction of North Korea, one of the usual suspects. Clues that link the attack to the Sony hacks and to the attack on a bank in Bangladesh, both of which are believed to have originated from North Korea, strengthen the theory. However, it is still too early to discuss the potential source of the attack with any certainty.
The attack has brought up many questions and points of debate. Why did the NSA withhold a critical vulnerability from Microsoft? One thing is clear: the danger is far from behind us. The trove of advanced cyber weapons stolen from the NSA and leaked by a group calling themselves the Shadow Brokers is still ripe for exploitation. In a blog post, Microsoft president Brad Smith said,
“The governments of the world should treat this attack as a wake-up call. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”
It’s an apt comparison. The US government agencies invest millions of dollars in cyber weapons that exploit vulnerabilities in operating systems like Windows, and these weapons are kept under lock and key precisely because they are so dangerous.
The NSA’s cyber arsenal is now out in the open. These weapons can fall into the hands of absolutely anyone with a computer and Internet access. In the face of the many unknown threats waiting on the horizon, which cyber criminals might unleash in future, the moot question is why, when the NSA knew that its exploits had been stolen, it did not inform the organisations concerned so that the vulnerabilities could be neutralised then and there.
Against this backdrop, Senator Brian Schatz is introducing a new bill, the Protecting Our Ability to Counter Hacking Act of 2017, or the PATCH Act, which would establish a legal framework for the process, requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available.
The law would also legally establish a review board with high-ranking members of the federal government. The board would be chaired by the secretary of homeland security. It will include agency directors from the intelligence community as well as the secretary of commerce. The law would also require annual reports to Congress on the board’s activities.
A version of the government’s process, known as “vulnerabilities equities process”, has been in place for some time, although its exact details are unclear. A version of the board already exists. Some have criticised the process as opaque, and a law would go some way toward binding the federal government to the system.
The NSA most famously faced criticism for its exploit process in 2014, when Bloomberg reported that the agency had exploited the Heartbleed bug, which exposed vulnerabilities in devices around the world (the agency denied the report). Microsoft obliquely criticised the US government after the WannaCry ransomware attack last week, calling the incident a “wake-up call” about vulnerability “hoarding”.
But Credit Suisse says WannaCry will spur investors to buy Microsoft shares, because users will now want to upgrade to the company’s latest operating system, which is less vulnerable to the ransomware attack, as सिर्फ़ News’ previous posts about the virus explain. Cyber security software makers will do a brisk business in the wake of the attack, too. Software coming from places other than the US offers limited solutions. The odds are very much in favour of companies based in the cronyist United States.
The NSA should come clean and report other vulnerabilities, too, if those have also been stolen from it. Else, it will be a Pandora’s box that keeps throwing up surprises, spreading as epidemically as real viruses.
Reproduced from the site of Panda Security with inputs from the author