It’s no secret that hackers the world over target Windows vulnerabilities in order to wreak havoc, hold up data and networks for ransom, pull off money-making scams, and disrupt elections and the workings of democracy. They target Windows for a simple reason: volume. The operating system is on the vast majority of desktop and laptop computers worldwide.
Over the years, the U.S. National Security Agency (NSA) has unwittingly helped hackers in some of the world’s most dangerous and notoriously successful attacks by developing tools to exploit Windows security holes, rather than alert Microsoft to those vulnerabilities. Some of the tools have been leaked to hackers and used in massive attacks, including the EternalBlue cyber-exploit, which was used in the WannaCry global ransomware attack that affected computers in more than 150 countries and is estimated to have caused billions of dollars in damage.
The NSA may be changing its ways, but perhaps not completely. In mid-January, the agency alerted Microsoft to a severe Windows security breach rather than develop tools to exploit it. Microsoft patched the hole, and the world — and your computer and data — is now safer.
That’s all to the good. But the NSA hasn’t gone nearly far enough in helping keep Windows safe from hackers. To understand why — and what the NSA ***should be doing — let’s start by looking back at EternalBlue and Microsoft’s very public spat with the NSA about its role in the attack.
In 2017, malicious Windows software developed by the NSA called EternalBlue was leaked by a group called the Shadow Brokers and used to launch WannaCry, the largest ransomware attack the world has ever seen. The software exploited the 30-year-old Windows networking protocol SMB1 that even Microsoft acknowledged at the time should no longer be used by anyone, anywhere, at any time.
The exploit lives on and has been used to launch successful ransomware attacks against the city of Baltimore and other municipalities. The New York Times noted in 2019: “Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.”
When the WannaCry attack was first launched in 2017, Microsoft President Brad Smith wrote a blistering blog post about the NSA’s role in it. He noted that when the NSA finds security holes in Windows and other software, rather than alerting the appropriate vendors so they can quickly patch them, it instead stockpiles them and writes software to exploit them. He wrote: “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. … Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
He added, “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Finally, he concluded that a Digital Geneva Convention should be convened, “including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
Since then, there’s only been radio silence from the NSA. Presumably, the agency has been continuing to uncover Windows security holes and write malware to exploit it.
However, in mid-January the NSA changed its approach — at least for a moment. It uncovered an exceedingly dangerous security hole in Microsoft’s CryptoAPI service, which Windows uses to determine whether software being installed is legitimate, and to establish secure internet connections with web sites.
Kenn White, security principal at MongoDB and director of the Open Crypto Audit Project, explained to Wired magazine just how dangerous the hole is: “This is a core, low-level piece of the Windows operating system and one that establishes trust between administrators, regular users, and other computers on both the local network and the internet. If the technology that ensures that trust is vulnerable, there could be catastrophic consequences.”
For once, the NSA did the right thing. Instead of hoarding the Windows vulnerability and writing malware to take advantage of it, the agency warned Microsoft about it. Microsoft quickly issued a patch. There’s no evidence that any hackers have been able to take advantage of the hole.
All that is to the good. But the NSA hasn’t said it will follow Smith’s recommendation to report all Windows and other vulnerabilities, rather than stockpile them and write malware to exploit them. The Times reports, “It was not clear how much of a strategic shift the agency’s announcement amounted to. The agency presumably is still hunting for vulnerabilities and flaws that could allow them to infiltrate Iranian computer systems, as well as those used by Russia, China and other adversarial countries.”
As we’ve seen, though, the NSA’s actions in doing that make the United States and the world a less safe place, not a safer one. Microsoft’s Smith is right. In the same way governments of the world recognized in the Geneva Convention that some weapons and ways of waging war should be outlawed, they need to ban countries from stockpiling cyber-vulnerabilities and writing Windows malware and other software to take advantage of them. What the NSA did in January was a good first step. But it should follow through and never again stockpile Windows and other vulnerabilities, and instead report them to software makers so they can plug them and keep us safe.
