Global cyberattack shows why phone makers won’t create ‘back doors’ for US spy agencies
The attack that temporarily crippled the NHS in Britain and dozens of other institutions across Europe and Russia reveals the failure of the US government’s protocols for warning software developers and the private sector about system vulnerabilities, cybersecurity experts say.
The only way to keep a secret is for three people to know it and two of them to be dead
The incident is also an example of why technology companies such as Microsoft, Google and Apple are so defensive about the idea of creating ‘back doors’ into their services and devices for the benefit of law enforcers.
Earlier this year, a hacking group calling itself Shadow Brokers published online what it described as stolen NSA documents. They were filled with information that hacking experts said could be used to secretly take over and pluck data from laptops, smartphones and even smart TVs.
The companies have repeatedly pointed out that there’s no safe way to build an entry point just for trusted government organisations.
“It goes back to the mafia expression,” said John Bambenek, threat research manager at Fidelis Cybersecurity. “The only way to keep a secret is for three people to know it and two of them to be dead.”
Bambenek and other researchers have called for the US government to be more forthcoming with its hacking methods.
Under the US government’s vulnerability equities process (VEP), intelligence agencies are supposed to collectively determine whether to disclose a vulnerability they have obtained or discovered.
“The NSA is supposed to lead the vulnerability equities process with all the other government agencies gathered round to discuss their interests in the vulnerability, and to weigh the offensive capabilities against defensive concerns for the private sector and US interests,” said Adam Segal, the director of the digital and cyberspace policy programme at the Council on Foreign Relations.
When flaws threaten businesses and consumers, government agencies should be forced to help secure systems, according to Bambenek.
“Intelligence agencies like hoarding secrets, but at some point, their mission isn’t hoarding secrets. It’s protecting national security,” he said.
Microsoft issued a fix for the vulnerability that hackers exploited on Friday before the leak of NSA tools by the Shadow Brokers.
But, said Segal, the Shadow Brokers leak and Wikileaks’ recent ‘Vault 7’ release of CIA hacking tools may have forced the NSA’s hand.
“They knew the vulnerability was online ... so they went to Microsoft and warned the company they needed to patch it,” he said.
One of the theories is that the attack is an attempt to embarrass the NSA and the intelligence community and to put more stress on the relationship between the government agencies and the private sector and the vulnerability equities process.
Still, the attack will discomfort the Trump administration, coming just days after the president signed an executive order to strengthen cybersecurity on federal networks and critical infrastructure.
However, Segal said, this will also raise concerns about the government’s inability to secure vulnerabilities. “That opens a lot of questions about back doors and access to encryption that the government argues it needs from the private sector for security.”
Even if not all of the vulnerable computers were hit on Friday, many workers could fall victim to similar attacks when they return to their office today and turn on their computers, unwittingly exposing their machines to the Windows update vulnerability. The supposed NSA leaks included four other infection methods.
As recently as last week, about 1.7 million computers connected to the internet were susceptible to such an attack, said Sean Dillon, senior security analyst at security software startup RiskSense.
“This obviously was a well-planned and well-coordinated attack,” Dillon said. “This probably is just the beginning.”
Additional reporting by The Guardian
