Weighing A Stockpile Of Computer Threats
Last week, some computer users booted up their machines to encounter not their normal desktop, but a ransom note. The ransomware program, called WannaCry, spread rapidly by making use of an old flaw in the Windows operating system. It encrypted files on affected computers and threatened that the data would remain encrypted forever—unless the owners paid a ransom in the online currency BitCoin. The perpetrators behind the hack are still unknown, although some cybersecurity experts have said that clues point in the direction of North Korea. Some of the technology used in the hack, however, was apparently developed by, then stolen from, the U.S. government.
This isn’t the only hack in the government cyber arsenal. When it comes to vulnerabilities that could affect millions, what is the government’s responsibility to help those flaws get fixed? How does it decide which flaws to report, and which to stockpile? Jason Healey, a senior research scholar at Columbia University’s School of International and Public Affairs, says that the Vulnerability Equities Process, or VEP, is the route that government officials are supposed to take in deciding whether to report or conceal a previously undisclosed vulnerability—but that system may not always work as it’s supposed to.
Jason Healey is a Senior Research Scholar at Columbia University’s School of International and Public Affairs in New York, New York.
IRA FLATOW: This is “Science Friday.” I’m Ira Flatow. Last week, some computer users booted up their machines to encounter not their normal desktop but a ransom note. The corrupt program called Wanna Cry spread rapidly, making use of an old flaw in the Windows operating system. It encrypted files on the infected computers. It threatened that the files would stay encrypted forever, unless the owners paid a ransom in the online currency Bitcoin. The perpetrators are still unknown, though some fingers have been pointing in the direction of North Korea.
At the core, some of the technology used in the hack was apparently developed by and stolen from the US government. This isn’t the only hack in the government computer arsenal but when it comes to flaws that could affect millions, what’s the government’s responsibility to help get those flaws fixed? How does it decide which flaws to report and which to stockpile?
Joining me now to talk about those questions is Jason Healey. He is a senior research scholar at Columbia University School of International and Public Affairs in New York, and he’s here in our studios. Welcome back.
JASON HEALEY: Great, thank you for having me.
IRA FLATOW: First, let’s talk about the Wanna Cry case. This was originally something that came from the NSA?
JASON HEALEY: Yeah, so the vulnerability had been found within the NSA and was discovered and released by, apparently, cyberspies back in the fall and was released to the entire internet.
IRA FLATOW: And to be clear, only this vulnerability was disclosed. Microsoft issued a patch for it, right?
JASON HEALEY: They did, a few months ago.
IRA FLATOW: And it seems like a lot of people didn’t put the patch into effect.
JASON HEALEY: And that’s what comes into this, that once Microsoft found out about this, it seems they were told by NSA once NSA realized this was in the wild. Microsoft did a patch but not everyone applied it. And this is one of the lessons for our readers, wherever they are. Patch your system. Protect yourself from these.
IRA FLATOW: And it would be safe to assume that there are more of these worms still waiting to be released.
JASON HEALEY: Of course. One of the interesting thing about these computer vulnerabilities that makes it different from what we normally think about, for example, weapons, is that for a country or a group to have a lot of weapons, you’ve gotta build them. You’ve gotta buy them.
Computer vulnerability– it’s like a treasure hunt. You have this big software and the vulnerabilities are in there waiting to be discovered. And the software vendors will find some themselves. Security researchers will be out there like Indiana Jones, and they’ll find some of these others. But you’ve got governments of the United States, the Russians, the Chinese, that are out and they’re out having this industrial operation to find these vulnerabilities. And once they find the vulnerabilities, they turn them into weapons or spying tools.
IRA FLATOW: So they don’t tell us about that they have found these things. They just stockpile the vulnerabilities.
JASON HEALEY: Well, in the other countries, that is certainly the case. I mean with Russia or China, we don’t know that they’ve got a specific process for this. Within the United States government, there’s a process right now. It’s run by the White House, that says when you find one of these, we need to tell, for example, the Department of Commerce, the Department of Treasury, others, that we’ve got this and then, they will decide whether they’re going to keep it or not.
IRA FLATOW: And so what happened with this one? It told us. We did not take action. We could have patched it. Is it the government’s responsibility, then, when it stores and finds or creates all these hacks to let us know about them. Because you can see, I can see someone saying, well, you know, if we tell you about it, we can’t use it as a weapon anymore, right?
JASON HEALEY: Absolutely, and it’s something to think about in this is that the adversaries that we expect our government keep us safe from, terrorists, foreign adversaries, foreign militaries, they’re using IT to communicate to the level that we are. And so if we want to figure out what they’re doing to keep us safe, we need to keep these kinds of vulnerabilities, the NSA, the CIA, others, have to keep these vulnerabilities. What we really want the government to do is to keep them secret, right? If they figure these out, especially one like this that was very dangerous, to, at least, not let it get stolen and snuck out.
IRA FLATOW: Well, I can’t ask how it got stolen because no one knows or do they know?
JASON HEALEY: It’s a confusing story. It looked, when last we talked, and that was November, that maybe one of the operators at NSA had left his toolkit behind him, that he had left it in some foreign computer server when he was doing his black bag job and then someone came by and took it. But I don’t think we’re fully convinced that that’s the whole story right now. It might be that someone broke into NSA, which would, I think, be a really significant incident.
IRA FLATOW: So where is the decision made in the government level, at what level, to say you know, we’re gonna tell you about this?
JASON HEALEY: It’s meant to be done– it used to be NSA got to decide themselves, which obviously, has some issues that the guy that needs this to spy, also gets to decide whether or not this is better used for defense. Now, it’s being done within the White House.
There is some exceptions, and it might be that more of the vulnerabilities are being kept in some of these loopholes, like happened with Apple/FBI, right? That was a loophole, where FBI kept the vulnerability to unlock the iPhone middle of last year.
IRA FLATOW: Well, I’m never convinced that they actually unlocked it because they never presented any proof that they did.
JASON HEALEY: Yeah, true.
IRA FLATOW: You know, they could have said they did. I left my code– I had something. I mean, we need facts. We need evidence since we do journalism.
So what should we be doing differently? How should we handle all of these vulnerabilities differently?
JASON HEALEY: Well, the process right now is relatively balanced, right? It is putting the White House in place. Congress is proposing a law. It’s called the Patch Act, where they will not just allow this to be the executive branch but they are laying in, here are some laws on what we think might happen.
The question number one is, does divulging these to the company actually make us safer? There’s a strong case to be made by some of my colleagues like Dave [? Itell ?] and Matt Tate that say, look, there’s so many bugs out there. There’s so many vulnerabilities, that disclosing these to the vendor really don’t make us any safer. Remember, this is all treasure. There’s plenty of other treasure out there and just taking a few of these off don’t really make that big of a difference.
Secondly is that the process we have does this one bug at a time. Rather than saying, well, how is the balance that we’ve set, this balance between the United States government, our citizens, and our IT companies– do we have that balance about right? And right now, we don’t really have a– there’s not a cyberstrategy. We don’t have a good way for the President to have laid out those priorities and see how we’re doing. All we’re doing is this one bug at a time. So I hope that in the new Administration, that we’re able to do a better job of trying to find that balance.
IRA FLATOW: Should we be angry at the NSA for their actions here?
JASON HEALEY: Certainly for letting it get loose, regardless of whether you think the process was about right or not, certainly, if we’re giving this kind of trust to our government institutions, if we’re allowing them to keep these bugs to spy on our behalf, then at least they have to be able to keep them secret.
IRA FLATOW: Now, but if we have this process of oversight, like you say we do, and the other countries don’t, it’s sort of the same kind of weapons argument we have about, you know, if we don’t do something, then the other countries are gonna do it.
JASON HEALEY: Right, and many of my colleagues say, well, why should we unilaterally disarm? If we don’t do these vulnerabilities, then the Russians, the Chinese, we’re leaving it to them. And and there’s a case to that, but it’s forgetting that that’s not the only relationship. These are the software and hardware that all of us are using. This isn’t just cyberspace as a new battlefield. This is the most transformational technology since Gutenberg, that we’re relying on to become more truer individuals for our prosperity, for our innovation to build better communities. And so when we’re only reducing it to whether or not how we’re disarming with regards to our adversaries, we’re really missing the sublime wonder that we’ve got here.
IRA FLATOW: Is there any way to protect ourselves, our lay people, you know, from these worms? What can we do?
JASON HEALEY: Certainly, patching your computer is the first, second, and the third thing that we ought to be doing, is to make sure that we’re taking care of that. If you’re part of a large company, your IT team needs to be making sure that they’re cutting these ways that these things can spread. Keeping strong passwords and password wallet wouldn’t have necessarily helped you with this, but it would certainly help in a lot of other ways.
IRA FLATOW: Jay, thank you very much for coming down today.
JASON HEALEY: Thank you.
IRA FLATOW: Jay Healey, Senior Research Scholar at Columbia’s School of International and Public Affairs in New York.