It was only a matter of time before something the size of WannaCry took the world by storm because of the NSA

May 15, 2017 13:33 GMT  ·  By

Microsoft has taken it upon itself to tell the US intelligence agencies to stop stockpiling vulnerabilities. The problem is that this isn't the first time the NSA or the CIA have been caught hoarding flaws, and it's not even the first time the tech community has rallied against the two agencies, asking them to share zero-day vulnerabilities.

As you may already know, WannaCry is the result of multiple problems. It started with the NSA finding the Windows vulnerability and not sharing it with Microsoft. It continued with the agency building EternalBlue to exploit this bug. The next step was the Shadow Brokers hacker group somehow getting its hands on classified documents and dumping them online as if they were nothing more than restaurant menus. The last step was cyber criminals taking it upon themselves to create the WannaCry malware, which mixes ransomware features with worm capabilities, and unleashing it upon the world.

Therefore, at the base of it all sits the NSA's desire to have as many undiscovered vulnerabilities on hand as possible. This has been an issue for many years, but it became evident back in 2014 when Edward Snowden was making headlines left and right with his NSA files. Of course, back then, the classified documents were redacted and nothing that could damage US national security was shared, despite the many programs the leaks put under the spotlight.

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today - nation-state action and organized criminal action," Microsoft wrote in a blog post this weekend.

The company then urges world governments to adhere in cyberspace to the same rules applied to weapons in the physical world and consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

A history of shady behavior

Back in 2014, when the OpenSSL critical vulnerability Heartbleed was exposed, it came to light that the NSA was holding on to some zero-day vulnerabilities. Despite denying knowing about Heartbleed per se, the NSA did admit being privy to other similarly important bugs. A report at the time indicated that former President Barack Obama decided that the NSA must reveal major flaws in Internet security, unless it was a matter of national security.

Google went as far as to launch Project Zero, using hackers' talents to hopefully discover and fix zero-day bugs ahead of intelligence agencies. “You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” Google wrote at the time, an obvious jibe at the NSA.

Then, a year later, in November 2015, a report indicated that the NSA was disclosing 91% of the zero-day bugs it discovered to manufacturers and affected companies. It was no secret, at that point, that the NSA would try to keep its zero-days as hidden as possible. The agency is actually involved in a lawsuit with the EFF over the right to keep these secrets for as long as it sees fit.

Under these circumstances, it's quite possible the NSA will shrug off Microsoft's call for sharing, much as it has done in the past. We'll probably see other tech giants joining in, although the result will likely be the same. The truth is we won't be able to rein in the NSA's or the CIA's tendency to hoard vulnerabilities without proper legislation that limits their powers. The reality is that we're quite unlikely to see this happen under Trump's administration.