date 2017-05-16
(In 18th paragraph, fixes word in quote to read "and that
By Dustin Volz
WASHINGTON, May 15 - An unprecedented global cyber
attack that infected computers in at least 150 countries
beginning on Friday has unleashed a new wave of criticism of the
U.S. National Security Agency.
The attack was made possible by a flaw in Microsoft's
Windows software that the NSA used to build a hacking tool for
its own use - only to have that tool and others end up in the
hands of a mysterious group called the Shadow Brokers, which
then published them online.
Microsoft Corp President Brad Smith sharply
criticized the U.S. government on Sunday for "stockpiling"
software flaws that it often cannot protect, citing recent leaks
of both NSA and CIA hacking tools.
"Repeatedly, exploits in the hands of governments have
leaked into the public domain and caused widespread damage,"
Smith wrote in a blog post. "An equivalent scenario with
conventional weapons would be the U.S. military having some of
its Tomahawk missiles stolen."
Some major technology companies, including Alphabet Inc's
Google and Facebook Inc, declined comment on
the Microsoft statement.
But some other technology industry executives said privately
that it reflected a widely held view in Silicon Valley that the
U.S. government is too willing to jeopardize internet security
in order to preserve offensive cyber capabilities.
The NSA did not respond to requests for comment.
The NSA and other intelligence services generally aim to
balance disclosing software flaws they unearth against keeping
them secret for espionage and cyber warfare purposes.
On Monday, senior administration officials defended the
government's handling of software flaws, without confirming the
NSA link to WannaCry, the tool used in the global ransomware
attack.
"The United States, more than probably any other country, is
extremely careful with their processes about how they handle any
vulnerabilities that they're aware of," Tom Bossert, the White
House homeland security adviser, said at a press briefing on
Monday.
Other tools from the presumed NSA toolkit published by the
Shadow Brokers have also been repurposed by criminals and are
being sold on underground forums, researchers said. But they
appear to be less damaging than WannaCry. It is not known who is
behind the Shadow Brokers.
Derek Manky, global security strategist at cyber security
firm Fortinet, said he thinks WannaCry is probably the worst
that will come from the Shadow Brokers’ publicly dumped toolkit,
though the group may have held back from publicly revealing
everything it obtained.
“Out of that batch, it is probably a high-water mark,” Manky
said.
"WE KNEW IT COULD BE A PROBLEM"
Security experts said the NSA had engaged in responsible
disclosure by informing Microsoft of the flaw at some point
after learning it had been stolen and a month before the tools
leaked online.
Users who do not patch their systems and the Shadow Brokers
were more directly responsible for the attack than the NSA, they
said.
The Department of Homeland Security began an "aggressive
awareness campaign" to alert industry partners to the importance
of installing the Microsoft patch shortly after it was released
in March, an agency official working on the attack said.
"This one, we knew it could be a problem," the official told
Reuters.
"NSA should be embarrassed – they’ve had a lot of damaging
leaks," said James Lewis, a former U.S. official who is now a
cyber expert at the Center for Strategic and International
Studies. Still, he said, "Microsoft needs to admit that the 20th
century is over, it's a much more hostile environment, and that
hobbling the NSA won’t make us any safer."
Under former President Barack Obama, the U.S. government
created an inter-agency review, known as the Vulnerability
Equities Process, to determine whether flaws should be shared or
kept secret.
White House cyber security coordinator Rob Joyce, who
previously worked in the NSA's elite hacking squad, told a
Reuters reporter in April that the Trump administration was
considering how to "optimize" the Vulnerability Equities
Process, but he did not elaborate.
The White House did not respond to a request for comment
about the status of the review process. A source familiar with
the matter said equities meetings still take place but less
frequently than they did under the Obama administration.
In Congress, Republican Senator Ron Johnson and Democratic
Senator Brian Schatz are working on legislation that would
codify the review process.
"We have reached a turning point where it is not sustainable
for governments to think they can retain vulnerabilities for
very long," said Ari Schwartz, who oversaw technology security
issues at the National Security Council during the Obama
administration.
