May 30, 2019

NSA's rogue hacking tool sparks debate

Illustration: Sarah Grillo/Axios

Security experts are drawing differing lessons from the latest report of the alleged use of secret NSA hacking tools by a criminal group. Some argue the NSA needs more oversight, while others say that organizations need to be more vigilant about updating the systems the NSA tools target.

The big picture: These two remedies aren't mutually exclusive. But neither is easy to achieve. 

Driving the news: The debate flared after the New York Times reported that attackers responsible for Baltimore's recent ransomware incident used a program believed to be created by the NSA.

  • The same program was at the center of WannaCry, a landmark global malware disaster in 2017.
  • All it takes to stop that program's line of attack is to update Windows.

Background: The NSA code, known as EternalBlue, leaked in 2017 as part of a year-long dump of agency files online by a cryptic hacker group called the Shadow Brokers.

  • EternalBlue can be used to turn Windows malware into worms — malicious code that spreads by itself from machine to machine.
  • By the time of the WannaCry outbreak, Microsoft had already released a patch that protects Windows systems from EternalBlue.

Between the lines: Whether the NSA needs more oversight in developing tools has no bearing on whether people should patch, and vice versa. And fully achieving either solution alone might not be possible.

  • While there are a ton of bad reasons organizations delay patching systems, there are good reasons, too. Installing untested updates can create chaos for niche software and hardware.
  • And there's already more oversight in place for agencies than most people realize.

Details: The executive branch does have an oversight structure in place, known as the vulnerabilities equities process. Any time agencies want to keep a vulnerability they discover secret so it can be used for surveillance, they have to make their case in front of a special interagency panel.

  • "The VEP is meant to be a risk minimizing process, but that doesn't mean there is no risk," said Michael Daniel, current president and CEO of the Cyber Threat Alliance and the former cybersecurity coordinator at the Obama White House when the VEP was created.
  • The process takes into account the possibility that a vulnerability might be leaked, stolen or discovered, but that will always be a risk, since there's always a chance a target will intercept a tool.
  • Nonetheless, Daniel argues, most Americans wouldn't want to place limits on the use of such tools so severe that the intelligence community couldn't do its job.

Where it stands: After WannaCry, it's likely that the VEP has already adopted a stricter approach toward approving "wormable" tools.

  • We know from WannaCry and subsequent attacks that organizations are slow to apply patches. That's a consideration in the process.
  • When the Trump administration posted the criteria for the VEP in 2017, one of them read: "Will enough [U.S. systems] actually install [a] patch to offset the harm to security caused by [adversaries using a] vulnerability?"
  • Daniel notes that even pre-WannaCry, wormable tools don't mesh well with the U.S. intelligence philosophy. Security researchers outside the government often comment on the relative restraint observed by modern U.S. government-built malware to avoid hitting unintended targets.

The bottom line: Ultimately, there may be less room to build out oversight than critics hope and a ceiling to how much applying updates can improve security.
