[BreachExchange] The Cybersecurity 202: Security pros divided over NSA's responsibility for Baltimore hack

Tue May 28 10:06:17 EDT 2019

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/05/28/the-cybersecurity-202-security-pros-divided-over-nsa-s-responsibility-for-baltimore-hack/5cec79771ad2e52231e8e80f/?noredirect=on&utm_term=.cc9143528be6

Critics and defenders of the National Security Agency faced off this
weekend over a New York Times report detailing how hackers who locked
up Baltimore’s computer networks for the past two weeks relied partly
on a leaked NSA hacking tool.

The tool, dubbed EternalBlue, has also been used to lock up city
networks in San Antonio and Allentown, Pa., the Times’s Nicole
Perlroth and Scott Shane reported.

Critics say the NSA is hellbent on developing dangerous hacking tools
to use against adversaries and isn’t adequately preparing for what
happens when those tools leak and are used against U.S. targets.

Frank Baitman, a former chief information officer at the Health and
Human Services Department, compared the situation to biological
weapons that make their way out of a U.S. government lab and infect
citizens. The federal government, he tweeted, should shoulder some of
the cost of Baltimore’s ransomware attack and other such breaches
using the leaked code.

Baltimore City Council President Brandon M. Scott echoed that call and
urged President Trump to declare a federal disaster, which could speed
federal funding.

“Given the new information and circumstances it’s even more clear that
the federal government needs to have a larger role in supporting the
city’s recovery,” he said in a statement.

Many security researchers, however, say the real problem isn’t with
the NSA. They say that hacking victims like Baltimore still haven't
taken sufficient measures against EternalBlue two years after it first
leaked -- and aren't using a software patch released by Microsoft to
to protect themselves

“If an organization has substantial numbers of Windows machines that
have gone 2 years without patches, then that's squarely the fault of
the organization, not Eternalblue,” security researcher Robert Graham
tweeted.

Robert M. Lee, a former NSA hacker who’s now CEO of the cybersecurity
company Dragos, said the NSA deserves some blame for EternalBlue being
stolen. But he added but  that culpability shifts as more time elapses
with victims not taking measures to protect themselves:

In the Baltimore case, EternalBlue wasn’t the main element of the
malware that permitted hackers to take control of the city’s networks.
But it allowed them to move more easily from system to system and to
broaden the scope of the attack, the Times reported.

And that’s enough to cause alarm among some traditional defenders of the NSA.

Sen. Chris Van Hollen (D-Md.) and Rep. Dutch Ruppersberger (D-Md.),
whose district includes Fort Meade and part of Baltimore, are asking
the NSA for a briefing on EternalBlue’s role in the Baltimore attack,
the Baltimore Sun’s Ian Duncan and Kevin Rector reported.

The Trump administration says it vets those computer bugs through a
governmentwide process called a "vulnerabilities equities review" and
alerts industry roughly 90 percent of the time. But critics point out
the bugs government holds onto are usually the most damaging.

The debate has grown fiercer in recent years as leaks and breaches
have exposed a trove of government hacking tools  used by foreign
intelligence agencies and criminal hackers.Those leaks have raised
serious questions about whether the government is capable of keeping
its covert hacking capabilities truly secret.

That includes the 2017 leak of NSA tools — including EternalBlue — by
a hacking group called Shadow Brokers and a leak of CIA tools dubbed
Vault 7 to WikiLeaks that same year. Officials have not publicly tied
Shadow Brokers to any foreign government or other organization. The
Justice Department charged a former CIA employee with the Vault 7 leak
in 2018.

EternalBlue was a component in the WannaCry ransomware that North
Korea used in 2017, affecting more than 230,000 computers in 150
countries, and in the NotPetya attack launched by Russia the same year
that wiped data from computers at banks, energy firms and government
agencies.

Thomas Drake, a former NSA official and early whistleblower about the
agency’s warrantless phone and email surveillance programs, accused
the NSA on Twitter of sacrificing the nation’s security because of an
“obsession with offensively owning the ‘net.’ ”

Some security researchers, however, say the NSA is being unfairly
blamed for a proliferation of dangerous hacking tools that would have
happened whether or not the agency's tools had leaked.

If those tools hadn't leaked, they say, hackers would just use other
ones that are equally damaging.

Here’s a take from Beau Woods, founder of I am the Cavalry, a group
that focuses on transparency and public safety in computer security: