Thursday, June 29, 2017

NSA Cyberweapons gone Feral

Today's worry is all the havoc being wreaked around the world by massive cyberattacks that rely on techniques stolen from the NSA:
Two weeks ago, the United States — through the Department of Homeland Security — said it had evidence North Korea was responsible for a wave of attacks in May using ransomware called WannaCry that shut down hospitals, rail traffic and production lines. The attacks on Tuesday against targets in Ukraine, which spread worldwide, appeared more likely to be the work of Russian hackers, though no culprit has been formally identified.

In both cases, the attackers used hacking tools that exploited vulnerabilities in Microsoft software. The tools were stolen from the N.S.A., and a group called the Shadow Brokers made them public in April. The group first started offering N.S.A. weapons for sale in August, and recently even offered to provide N.S.A. exploits to paid monthly subscribers. . . .

For the American spy agency, which has invested billions of dollars developing an arsenal of weapons that have been used against the Iranian nuclear program, North Korea’s missile launches and Islamic State militants, what is unfolding across the world amounts to a digital nightmare. It was as if the Air Force lost some of its most sophisticated missiles and discovered an adversary was launching them against American allies — yet refused to respond, or even to acknowledge that the missiles were built for American use.
Here is the basic dilemma: the NSA employs programmers and code-breakers who look for vulnerabilities in computer systems, so they can exploit them to attack those systems or spy on their users. So when they find such a vulnerability, they don't tell anybody; if they did, the problems would be fixed. And if computer systems worked perfectly, the NSA wouldn't be able to hack them. Microsoft and other tech companies have cried foul over this, arguing that the government has a responsibility to let them know about any vulnerabilities it uncovers so that they can fix them. When you consider all the harm done by attacks like the WannaCry disaster, I think they have a point. What have we gained from spying that balances out the harm done by malicious hackers exploiting flaws the NSA has identified?

One of the pitfalls of power, at least since the Renaissance, has been the overvaluing of secret information and secret deeds. It is such a vast thrill to know secrets and to manipulate events from behind the scenes that leaders constantly fall into this trap. The U.S. spends gigantic sums on espionage and counter-espionage, and I for one think we don't come close to getting our money's worth. Every intelligence coup has to be balanced against the long-term damage done to our reputation across the world, and to our own democracy, by secret manipulations. Consider the generations of damage done to our relationship with Iran by the 1953 CIA-backed coup.

The situation at home is just as bad. Americans don't trust our government, and I think one of the biggest reasons is the reality of our vast secret operations, a shadow realm bigger than the whole government was in 1900. People think the government is lying to them, and hiding things from them, because to keep its secrets the government lies and hides every day. I am no kind of conspiracy fanatic, but I am sure that I read some government lie or piece of misinformation every single day. Plus, every time we increase spending on secret operations to address some new threat we have to hire more people, and recent events have shown that numerous NSA employees and contractors are not at all on board with the agency's agenda. This is simply inevitable when you have 50,000 employees with Top Secret clearances.

I understand that spying and secrets have always been the coin of international relations, so I don't think we are going to shutter the CIA or the NSA. But our politicians need to set aside the thrill of being privileged insiders who know the real score and measure secret actions against real-world concerns like protecting ordinary citizens from cyberattacks.


leif said...

you indicate that upon witnessing widespread damage, there's a point to opposing the NSA's approach. i'm not trying to put words in your mouth, but a corollary of this point suggests that lacking repercussions that affect the world, the NSA can do as it pleases. i'm not certain this is what you intended, but that point (even if it's not yours exactly) is what the cybersecurity industry has long opposed. it's a bit like genetically constructing dinosaurs with the lysine contingency, idiotically assuming that they and their microbiome cannot evolve a workaround. the NSA rashly believing that they, the über-hackers, are immune, was and still is ludicrous. we're simply seeing some of the worst and most recent effects of this hubris. we can be certain it won't be the last.

