
Analysis | The Cybersecurity 202: Here’s why NSA rushed to expose a dangerous computer bug

By Ellen Nakashima 

A sign outside the National Security Agency campus in Fort Meade, Md. (AP Photo/Patrick Semansky, File)
The National Security Agency is known for keeping secrets. But a bug it recently discovered in Microsoft's operating system was so potentially catastrophic that it fast-tracked a lengthy decision-making process to alert the company and the public as quickly as possible.
The quick disclosure marks a big pivot for the agency, which has historically been eager to hold onto hackable computer bugs that it can use to spy on U.S. adversaries — at least temporarily — before sharing them with companies and has been loath to advertise its role in uncovering them.
It also underscores the havoc the Microsoft flaw could have caused if it was discovered and exploited by U.S. adversaries in Russia, Iran or elsewhere who could have compromised millions of computers for surveillance or sabotage.
“Internally the decision was clear” to disclose, said a government official, who like others interviewed spoke on the condition of anonymity to describe internal discussions. “It was a no-brainer.”
Officials across the government typically convene when they discover dangerous computer bugs to weigh whether it’s better to disclose or hold onto them — an exercise known as the “vulnerabilities equities process” or VEP. The meetings are chaired by the White House's senior director for cybersecurity policy, Grant Schneider.
Yet NSA officials in this case worried that if malicious hackers detected the bug, it could be turned into a weapon to use against Americans and others and wreak havoc before Microsoft had a chance to patch it. The longer they held it, the greater the danger it would be discovered by others. “That's not in anybody's interest,” the official said.
Agency officials notified Schneider of the urgent nature of the case, noting that the VEP charter has a specific exemption allowing an agency to expedite a decision to disclose a flaw in such circumstances without having to convene an interagency meeting. “Since the default position was to release there was no need to go through the whole interagency process and risk something going wrong,” the official said.
The White House agreed the immediate disclosure was the right thing to do.
Before alerting Microsoft, however, the agency conducted its own robust internal discussion in which some argued to keep news of the flaw secret so that NSA hackers could exploit it to gain intelligence overseas. All the agency's senior leaders, however, insisted the bug was too critical to withhold — even temporarily.
The NSA even took the rare step of publicly acknowledging its role in finding the bug and announcing its decision to disclose it — a move that won plaudits for the agency, which has struggled to present a positive face since former agency contractor Edward Snowden revealed in 2013 a broad surveillance program that scooped up Americans’ phone metadata logs.
NSA Cybersecurity Directorate Head Anne Neuberger last month gave two reasons for why the agency did it. “First, we recognized that our partnership is really built on trust,” she said, and “a part of building trust is sharing data.” Second, she said, “we knew we wanted to lean forward and raise awareness” so that Microsoft could devise a patch. NSA wanted to “ensure that we could be very transparent about that.”
The government has long said that it discloses the vast majority — more than 90 percent — of the vulnerabilities it uncovers. In recent years, that has amounted to more than 100 bugs per year, according to people familiar with the process. That tally includes a lot of bugs that simply aren’t useful for NSA hackers, though.
And NSA only shares some of the useful bugs with industry after agency hackers have already used them to spy on adversaries.
In the 1990s and through at least 2014, when the interagency VEP was formalized, the NSA had its own internal process to weigh whether to withhold or disclose. During those years, the agency “mostly gave away vulnerabilities — but never claimed public credit,” said Richard “Dickie” George, who as a former technical director of the NSA's information assurance directorate once ran the process. “We gave one company 1,500 of these things — they weren’t significant enough to go through the [agency’s vetting] process,” he said.
Yet another former NSA veteran with decades of experience had a different account of that time. “In my time, the bias would have been toward” withholding bugs, the former official said. “I just felt the weight of offense would normally win the day.”
Often, the NSA did not want to publicize its discovery of software flaws because it did not want to tip off adversaries to what software systems it was scrutinizing, George said. Also, “a lot of companies didn’t want the public to know they’re getting information from the NSA,” he said.
Neuberger is “trying to rebuild the reputation of NSA’s role in defense of the nation,” said George, who is now senior adviser for cybersecurity at Johns Hopkins University Applied Physics Laboratory.
“I think [the disclosure of the Microsoft bug] marks a deliberate shift,” said Tony Sager, a former NSA information assurance executive now with the Center for Internet Security. “It won’t happen every time. But this is not just for show. They’re trying to signal that cybersecurity is really important, and we have to find a way to protect the nation.”
Michael Daniel, President Barack Obama’s cybersecurity coordinator from 2012 to 2017, also applauded the move.
“If one of the major proponents” which has a vested interest in retaining the bug for its own use — usually the NSA, CIA or FBI — “is saying, ‘Dear Lord, we have to get this thing out now,’ then institutionally there’s no one that’s going to argue against that,” said Daniel, who now leads the Cyber Threat Alliance.
But whether the decision marks a long-term shift in how the agency does business is unclear. “Time will tell,” one U.S. official said.


The Iowa Democratic Party's caucus reporting app. (Charlie Neibergall/AP)
PINGED: New research shows that the buggy app that imploded during the Iowa caucuses was also at serious risk of a cyberattack, Jack Gillum and Jessica Huseman at ProPublica report. There's no evidence the app was actually hacked, but the newly reported weaknesses add to the growing concerns about mobile technology in the voting process sparked by the app's disastrous performance on Monday.
Hackers could have used vulnerabilities in the IowaReporterApp to intercept or even change passwords, vote totals, and other sensitive information, officials at the security firm Veracode found in a review requested by ProPublica. Other researchers they cited described the vulnerabilities as “shocking.”
“With all the attention that’s supposed to be going into election security, it’s shocking that code with this problem made it into production,” said J. Alex Halderman, a University of Michigan computer science professor and election security expert. “It's total amateur hour.”
Researchers contacted by Motherboard also raised concerns about the application's security. “The app was clearly done by someone following a tutorial,” Android developer Kasra Rahjerdi told Motherboard. “It’s similar to projects I do with my mentees who are learning how to code.”
Iowa retains paper backups of all caucus results, so it's highly likely any change hackers made would have been caught in an audit. But if tainted information was reported on caucus night “it still would have cast doubt on the whole process in people’s minds,” Halderman says.
Gerard Niemira, Shadow’s CEO, defended the app in a statement to ProPublica. “Our app underwent multiple, rigorous tests by a third party, but we learned today that a researcher found a vulnerability in our app,” he said. “As with all software, sometimes vulnerabilities are discovered after they are released.”
The Democratic National Committee has been distancing itself from Shadow since the caucus night debacle. Yesterday, Democrats' Senate campaign wing announced it would cut ties with the company, the Daily Beast reported.

Sen. Ron Wyden (D-Ore.). (Samuel Corum/Getty Images)
PATCHED: Sen. Ron Wyden (D-Ore.) is urging election officials in his home state to reconsider using the mobile voting app Voatz to collect votes from military members and other Oregonians living abroad, citing concerns that the technology is vulnerable to hackers.
Two Oregon counties used Voatz last year for overseas voters and more are considering using it in 2020, according to Wyden's office. That’s despite widespread concerns about mobile and online voting. A number of cities and counties have also launched mobile voting pilots in the past two years.
“Russia’s 2016 campaign to meddle in our elections demonstrated the urgency of states doing everything in their power to secure Americans’ votes from hacking,” Wyden wrote to Oregon Secretary of State Bev Clarno in a letter shared exclusively with The Cybersecurity 202. “Continuing to permit the use of internet voting — against the advice of cybersecurity experts — is simply asking for trouble.”
Wyden asked to work with Oregon officials on safer alternatives for overseas voters including possibly sponsoring legislation to deliver more federal money to the problem.
He previously urged intelligence agencies to audit Voatz. The company says it has voluntarily agreed to an audit by the Department of Homeland Security but DHS and Voatz have not yet answered questions about the status of the audit.

The Iranian flag. (Leonhard Foeger/Reuters)
PWNED: An Iran-linked hacking group impersonated journalists in an effort to break into the email accounts of researchers critical of Iran, Raphael Satter and Christopher Bing at Reuters report.
The emails could be the work of the same group Microsoft alleged was behind an attempted hack of a presidential campaign -- which Reuters identified as the Trump campaign -- in the fall, three independent cybersecurity firms confirmed.
Cybersecurity firm ClearSky, which first spotted the hacking campaign, declined to give the specific number of people targeted, but Reuters identified multiple victims. In one instance, a hacker posed as Wall Street Journal reporter Farnaz Fassihi and asked a researcher to enter his Google password to access interview questions. Hackers also impersonated other journalists including a CNN national security analyst and a video journalist for Deutsche Welle. Victims, who are all critics of the Iranian regime, said they were immediately suspicious of the emails.
Homeland Security and FBI representatives declined to comment. Iran denies operating or supporting any hacking operations.


— Outgoing NSA general counsel Glenn S. Gerstell will join the Center for Strategic and International Studies as a nonresident senior adviser with the International Security Program, the think tank said.
— More cybersecurity news from the public sector:

A key lawmaker questioned whether the Justice Department’s position is at odds with the Defense Department’s.

The social network is facing criticism for how encryption can allow child exploitation to flourish undetected on its services.
The New York Times

An aggressive campaign by American authorities to root out Chinese espionage ope...

There are many interesting details about the FBI investigation into Joshua Schulte revealed by the details of how FBI obtained the Vault 7 files they submitted into evidence yesterday.
Empty Wheel


— Cybersecurity news from the private sector:

Five vulnerabilities in Cisco Discovery Protocol make it possible for a hacker to take over desk phones, routers, and more.

Philips has issued a patch for the worst part of the vuln.
The Verge

In an interview with CBS This Morning, Clearview AI's founder says it's his right to collect photos for the facial recognition app.

Yet another Electron implementation of a “secure” app turns out not to be.
Ars Technica


— Cybersecurity news from abroad:

AMSTERDAM (Reuters) - The University of Maastricht on Wednesday disclosed that it had paid hackers a ransom of 30 bitcoin — at the time worth 200,000 euros ($220,000) — to unblock its computer systems, including email and computers, after an attack that unfolded on Dec. 24.

Government told to halt use of AI to detect fraud in decision hailed by privacy campaigners 

