Pittsburgh Post-Gazette

Preventing terrorism and protecting cyberspace, in constant tension

- An editorial from Bloomberg View

The effects of this month’s global ransomware attack seem to be fading, fortunately. But a crucial question the incident raised is only getting more urgent. When it comes to online security, the U.S. government’s priorities — preventing terrorism and protecting cyberspace — are in permanent tension. Is there a way to resolve it?

The National Security Agency routinely seeks out flaws in common software and builds tools, known as exploits, to take advantage of them. Doing so is an essential part of the agency’s mission of spying on terrorists and foreign adversaries, yet it comes with grave risks.

The latest attack — still evolving — is an example. Researchers say it takes advantage of a stolen NSA tool to exploit a flaw in some versions of Windows. Microsoft Corp. has suggested that the NSA knew of the flaw for some time, yet didn’t disclose it until the theft.

That may sound unnerving. Windows is ubiquitous, and governments are generally expected to respect online security, not undermine it. Microsoft is understandably unhappy. Worse, the initial attack crippled everything from banks to hospitals. It’s fair to say that lives were at risk.

So why keep such a harmful vulnerability secret? Simple: Exploiting it proved hugely effective in swooping up intelligence — “like fishing with dynamite,” as one former NSA employee put it.

Deciding whether such intelligence is worth the risk is a fraught and secretive process. When a significant new flaw is found by a federal agency, it’s shared among experts from the intelligence, defense and cybersecurity bureaucracies (among others), who debate whether to disclose or exploit it, according to nine criteria. A review board then makes a final decision. In almost all cases involving a product made or used in the U.S. — more than 90 percent, according to the NSA — the flaws are disclosed.

Although it’s an imperfect process, a better way isn’t obvious. Simply disclosing all vulnerabilities, as some activists demand, would be nuts. Intelligence would dry up, investigations would be hobbled, and the Pentagon would lose crucial insight into foreign militaries, for starters. Other countries would continue exploiting such flaws to their advantage. To echo a Cold War locution, it would amount to unilateral disarmament.

Likewise, Microsoft has proposed a “digital Geneva Convention,” or a global agreement to disclose flaws. But the worst actors online — thieves, gangsters, North Korea — would hardly feel constrained by such a protocol, while the restraints put in place could well eliminate crucial methods of tracking them.

A better approach is to improve the current system. One problem is that the secrecy required makes it hard to know how well the stated criteria for retaining vulnerabilities are being followed. Reporting the total number found and disclosed each year might offer some reassurance to tech companies and the public, without divulging anything sensitive. Periodic audits of those that have been retained could help ensure that agencies aren’t hoarding dangerous stuff that’s no longer useful. Most important, though, is to better secure these flaws — and the tools meant to exploit them — while having a strategy to mitigate the risks if they’re once again leaked.

Failing that, the public may quickly lose confidence in this process. And that may be the biggest risk of all.
