“We are the government; you can trust us.” At least that’s what they told us when the National Security Agency (NSA) demanded ‘back door’ holes in computer security software.
With these holes in security, our nation’s spies planned on hacking into ISIS computer networks and even into foreign countries.
While civil libertarians worried this was an assault on personal privacy, the computer industry was more worried about hackers figuring out the holes NSA had built into the software.
And when the NSA discovered a gaping hole in Microsoft’s Windows operating system, even the NSA worried its potent hacking tool would get out, but they never alerted Microsoft about it.
Unfortunately, the hack was discovered, creating the most disruptive cyberattack in history.
The Washington Post reported:
“When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.
Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.
But for more than five years, the NSA kept using it — through a time period that has seen several serious security breaches — and now the officials’ worst fears have been realized.
The malicious code at the heart of the WannaCry virus that hit computer systems globally late last week was apparently stolen from the NSA, repackaged by cybercriminals and unleashed on the world for a cyberattack that now ranks as among the most disruptive in history.
The failure to keep EternalBlue out of the hands of criminals and other adversaries casts the NSA’s decisions in a harsh new light, prompting critics to question anew whether the agency can be trusted to develop and protect such potent hacking tools.
Current and former officials defended the agency’s handling of EternalBlue, saying that the NSA must use such volatile tools to fulfill its mission of gathering foreign intelligence.
In the case of EternalBlue, the intelligence haul was “unreal,” said one former employee.“It was like fishing with dynamite,” said a second.
This is the hard part — you have a tool that is highly effective at getting into the computers of our enemies and others we have interest in finding more about, but in the hands of criminals this technology is dangerous.
The consequences of the NSA’s decision to keep the flaw secret, combined with its failure to keep the tool secure, became clear Friday when reports began spreading of a massive cyberattack in which the WannaCry software encrypted data on hundreds of thousands of computers and demanded a ransom to decrypt it.
The resulting digital concoction snarled hospitals in Britain, the Interior Ministry in Russia and tax offices in Brazil.
The attack caused Britain’s NHS to cancel surgeries, a wide array of Russian and Chinese private and public institutions to be crippled most of the day, and over 300,000 computers were held hostage. The demand? Pay $300 in bitcoin per computer and they would release your computer.
What made this attack so dangerous is you didn’t even have to click on anything to get the virus — it snuck around and found computers that didn’t have the Microsoft patch to block the attack.
An unlikely combination of voices, ranging from the American Civil Liberties Union to a top Microsoft official to Russian President Vladmir Putin, has singled out the NSA for its role in creating and eventually losing control of computer code.
“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”