Should spies use secret software vulnerabilities?

May 19, 2017 by Nir Kshetri, The Conversation
When is it okay for the government to keep a secret? Credit: sharpshutter via shutterstock.com

The recent WannaCry ransomware attack infected about 300,000 computers in 150 countries, and cost computer users thousands of dollars in ransom money and billions in lost productivity.

The attack took advantage of a in the Windows operating system that the federal government had been aware of for years but had chosen not to tell Microsoft about until just months before the WannaCry attack began. That history and the potential for more releases in the coming weeks have intensified the debate around how governments and should act when they discover weaknesses in computer software.

It's a choice of how best to protect the public: Exploit software vulnerabilities to collect intelligence information that may help keep people safe? Or disclose the flaw, letting the software company fix it and protect millions of regular computer users from malicious attacks by hackers?

Exposing WannaCry

For years, the U.S. National Security Agency used a flaw in the Windows operating system, nicknamed "EternalBlue," to spy on intelligence targets, gathering information from their files and electronic communications. But the NSA didn't tell Microsoft about the flaw in the company's software until early 2017. The company quickly issued a fix users could download and install. Many people didn't, though.

In April, a hacking group called the Shadow Brokers reported that it had breached the network of, and stolen information from, computers used by the Equation Group, which has not identified itself but is widely believed to be part of the NSA. The Shadow Brokers revealed information about extremely sophisticated digital tools for attacking military, political and economic targets worldwide. One of those tools was "EternalBlue."

In May, a hacker or hacking group released a piece of malicious software using "EternalBlue" to hijack computers, encrypt the data on them and charge victims a ransom to restore access to their information.

If the NSA had told Microsoft about the flaw five years ago, things could have unfolded differently. In particular, users could have had much more time to update their software – which would have substantially increased the number of people protected against the vulnerability.

Using 'zero days'

The most serious cyberattacks are those that use previously unknown vulnerabilities. They are called "zero day" exploits because the developers had no time to fix it before trouble began, and nobody is protected. The NSA may know of hundreds, or even thousands, of them. Spy agencies of other countries, including China, Russia, Iran and North Korea, are also working to find zero-day vulnerabilities.

Using these vulnerabilities can be effective. For instance, the NSA used four zero-day vulnerabilities as part of a series of cyberattacks on Iran's nuclear enrichment sites. That effort, officially code-named "Olympic Games," created the program known to the public as "Stuxnet," which damaged about 1,000 centrifuges and may have helped force Iran to negotiate with the U.S. about its nuclear program.

Should they keep the secret?

By not telling software companies about newly identified vulnerabilities, government agencies such as the NSA and CIA serve their own purposes of finding ways to gather intelligence undetected. But they also endanger critical systems of governments and regular users alike.

The U.S. does not have strong and clear policies with which to handle this problem. In January 2014, the Obama administration ordered spy agencies to disclose weaknesses they find – but with a significant loophole: If a flaw has "a clear or law enforcement" use, the government can keep the flaw secret and exploit it.

These are complex trade-offs involving many questions: What might spies learn by exploiting the vulnerability? How likely is it that adversaries could find it? What might happen if they use it? Can the secret be kept securely and reliably? Regardless of the ethics questions about how these agencies should best carry out their duty of protecting the public, the decision will likely end up as a political one, about how the government should use its power.

Explore further: Why installing software updates makes us WannaCry

Related Stories

Why installing software updates makes us WannaCry

May 16, 2017

The global ransomware attack called "WannaCry," which began last week and continues today, could have been avoided, or at least made much less serious, if people (and companies) kept their computer software up to date. The ...

Explainer: What is ransomware?

May 13, 2017

Computers across the world were locked up Friday and users' files held for ransom when dozens of countries were hit in a cyber-extortion attack that targeted hospitals, companies and government agencies.

Who's to blame for ransomware outbreak?

May 15, 2017

Questions are swirling over who is responsible for the security flaws exploited by hackers in the world's biggest ransomware attack to date, which crippled thousands of businesses and public organizations around the world. ...

Recommended for you

Cryptocurrency rivals snap at Bitcoin's heels

January 14, 2018

Bitcoin may be the most famous cryptocurrency but, despite a dizzying rise, it's not the most lucrative one and far from alone in a universe that counts 1,400 rivals, and counting.

Top takeaways from Consumers Electronics Show

January 13, 2018

The 2018 Consumer Electronics Show, which concluded Friday in Las Vegas, drew some 4,000 exhibitors from dozens of countries and more than 170,000 attendees, showcased some of the latest from the technology world.

Finnish firm detects new Intel security flaw

January 12, 2018

A new security flaw has been found in Intel hardware which could enable hackers to access corporate laptops remotely, Finnish cybersecurity specialist F-Secure said on Friday.

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.