By Ellen Nakashima
A sign outside the National Security Agency campus in Fort Meade, Md. (AP Photo/Patrick Semansky, File)
The National Security Agency is known for keeping secrets. But a bug it recently discovered in Microsoft's operating system was so potentially catastrophic that it fast-tracked a lengthy decision-making process to alert the company and the public as quickly as possible.
The quick disclosure marks a big pivot for the agency, which has historically been eager to hold onto hackable computer bugs that it can use to spy on U.S. adversaries — at least temporarily — before sharing them with companies and has been loath to advertise its role in uncovering them.
It also underscores the havoc the Microsoft flaw could have caused if it was discovered and exploited by U.S. adversaries in Russia, Iran or elsewhere who could have compromised millions of computers for surveillance or sabotage.
“Internally the decision was clear” to disclose, said a government official, who like others interviewed spoke on the condition of anonymity to describe internal discussions. “It was a no-brainer.”
Officials across the government typically convene when they discover dangerous computer bugs to weigh whether it’s better to disclose or hold onto them — an exercise known as the “vulnerabilities equities process” or VEP. The meetings are chaired by the White House's senior director for cybersecurity policy, Grant Schneider.
Yet NSA officials in this case worried that if malicious hackers detected the bug, it could be turned into a weapon to use against Americans and others and wreak havoc before Microsoft had a chance to patch it. The longer they held it, the greater the danger it would be discovered by others. “That's not in anybody's interest,” the official said.
Agency officials notified Schneider of the urgent nature of the case, noting that the VEP charter has a specific exemption allowing an agency to expedite a decision to disclose a flaw in such circumstances without having to convene an interagency meeting. “Since the default position was to release there was no need to go through the whole interagency process and risk something going wrong,” the official said.
The White House agreed the immediate disclosure was the right thing to do.
Before alerting Microsoft, however, the agency conducted its own robust internal discussion in which some argued to keep news of the flaw secret so that NSA hackers could exploit it to gain intelligence overseas. All the agency's senior leaders, however, insisted the bug was too critical to withhold — even temporarily.
The NSA even took the rare step of publicly acknowledging its role in finding the bug and announcing its decision to disclose it — a move that won plaudits for the agency, which has struggled to present a positive face since former agency contractor Edward Snowden revealed in 2013 a broad surveillance program that scooped up Americans’ phone metadata logs.
NSA Cybersecurity Directorate Head Anne Neuberger last month gave two reasons for why the agency did it. “First, we recognized that our partnership is really built on trust,” she said, and “a part of building trust is sharing data.” Second, she said, “we knew we wanted to lean forward and raise awareness” so that Microsoft could devise a patch. NSA wanted to “ensure that we could be very transparent about that.”
The government has long said that it discloses the vast majority — more than 90 percent — of the vulnerabilities it uncovers. In recent years, that has amounted to more than 100 bugs per year, according to people familiar with the process. That tally includes a lot of bugs that simply aren’t useful for NSA hackers, though.
And NSA only shares some of the useful bugs with industry after agency hackers have already used them to spy on adversaries.
In the 1990s and through at least 2014, when the interagency VEP was formalized, the NSA had its own internal process to weigh whether to withhold or disclose. During those years, the agency “mostly gave away vulnerabilities — but never claimed public credit,” said Richard “Dickie” George, who as a former technical director of the NSA's information assurance directorate once ran the process. “We gave one company 1,500 of these things — they weren’t significant enough to go through the [agency’s vetting] process,” he said.
Yet another former NSA veteran with decades of experience had a different account of that time. “In my time, the bias would have been toward” withholding bugs, the former official said. “I just felt the weight of offense would normally win the day.”
Often, the NSA did not want to publicize its discovery of software flaws because it did not want to tip off adversaries to what software systems it was scrutinizing, George said. Also, “a lot of companies didn’t want the public to know they’re getting information from the NSA,” he said.
Neuberger is “trying to rebuild the reputation of NSA’s role in defense of the nation,’’ said George, who is now senior adviser for cybersecurity at Johns Hopkins University Applied Physics Laboratory.
“I think [the disclosure of the Microsoft bug] marks a deliberate shift,” said Tony Sager, a former NSA information assurance executive now with the Center for Internet Security. “It won’t happen every time. But this is not just for show. They’re trying to signal that cybersecurity is really important, and we have to find a way to protect the nation.”
Michael Daniel, President Barack Obama’s cybersecurity coordinator from 2012 to 2017, also applauded the move.
“If one of the major proponents” which has a vested interest in retaining the bug for its own use — usually the NSA, CIA or FBI — “is saying, ‘Dear Lord, we have to get this thing out now, then institutionally there’s no one that’s going to argue against that,” said Daniel, who now leads the Cyber Threat Alliance.
But whether the decision marks a long-term shift in how the agency does business is unclear. “Time will tell,” one U.S. official said.
PINGED, PATCHED, PWNED
The Iowa Democratic Party's caucus reporting app. (Charlie Neibergall/AP)
Hackers could have used vulnerabilities in the IowaReporterApp to intercept or even change passwords, vote totals, and other sensitive information, officials at the security firm Veracode found in a review requested by ProPublica. Other researchers they cited described the vulnerabilities as “shocking.”
“With all the attention that’s supposed to be going into election security, it’s shocking that code with this problem made it into production,” said J. Alex Halderman, a University of Michigan computer science professor and election security expert. “It's total amateur hour.”
Researchers contacted by Motherboard also raised concerns about the application's security. “The app was clearly done by someone following a tutorial,” Android developer Kasra Rahjerdi told Motherboard. “It’s similar to projects I do with my mentees who are learning how to code.”
Iowa retains paper backups of all caucus results, so it's highly likely any change hackers made would have been caught in an audit. But if tainted information was reported on caucus night "it still would have cast doubt on the whole process in peoples’ minds,” Halderman says.
Gerard Niemira, Shadow’s CEO, defended the app in a statement to ProPublica. “Our app underwent multiple, rigorous tests by a third party, but we learned today that a researcher found a vulnerability in our app,” he said. “As with all software, sometimes vulnerabilities are discovered after they are released.”
The Democratic National Committee has been distancing itself from Shadow since the caucus night debacle. Yesterday, Democrats' Senate campaign wing announced it would cut ties with the company, the Daily Beast reported.
Sen. Ron Wyden (D-Ore.). (Samuel Corum/Getty Images)
Two Oregon counties used Voatz last year for overseas voters and more are considering using it in 2020, according to Wyden's office. That’s despite widespread concerns about mobile and online voting. A number of cities and counties have also launched mobile voting pilots in the past two years.
“Russia’s 2016 campaign to meddle in our elections demonstrated the urgency of states doing everything in their power to secure Americans’ votes from hacking,” Wyden wrote to Oregon Secretary of State Bev Clarno in a letter shared exclusively with The Cybersecurity 202. “Continuing to permit the use of internet voting — against the advice of cybersecurity experts — is simply asking for trouble.”
Wyden asked to work with Oregon officials on safer alternatives for overseas voters including possibly sponsoring legislation to deliver more federal money to the problem.
He previously urged intelligence agencies to audit Voatz. The company says it has voluntarily agreed to an audit by the Department of Homeland Security but DHS and Voatz have not yet answered questions about the status of the audit.
The Iranian flag. (Leonhard Foeger/Reuters)
The emails could be the work of the same group Microsoft alleged was behind an attempted hack of a presidential campaign -- which Reuters identified as the Trump campaign -- in the fall, three independent cybersecurity firms confirmed.
Cybersecurity firm ClearSky, which first spotted the hacking campaign, declined to give the specific number of people targeted, but Reuters identified multiple victims. In one instance, a hacker posed as Wall Street Journal reporter Farnaz Fassihi and asked a researcher to enter his Google password to access interview questions. Hackers also impersonated other journalists including a CNN national security analyst and a video journalist for Deutsche Welle. Victims, who are all critics of the Iranian regime, said they were immediately suspicious of the emails.
Homeland Security and FBI representatives declined to comment. Iran denies operating or supporting any hacking operations.
PUBLIC KEY— Outgoing NSA general counsel Glenn S. Gerstell will join the Center for Strategic and International Studies as a nonresident senior adviser with the International Security Program, the think tank said.
— More cybersecurity news from the public sector: