The global ransomware attack that continues to spread around the world exposed the lack of a coordinated national system to decide when and how government agencies should alert others to critical security flaws they find.
The malware attack also exposed tension between tech companies that want to know about security vulnerabilities to protect their customers, and the government’s reliance on those flaws for counterterrorism and law enforcement.
Agencies such as the NSA and CIA hunt for software flaws to gain access to computers and systems, just like hackers.
“We could use a national cybersecurity policy,” said Gartner cybersecurity analyst Avivah Litan. “The federal government has really dropped the ball on cooperation between the tech companies and the government agencies.”
Thousands more infections were reported Monday, largely in Asia, striking computers that had been shut down before the malware first hit Europe early Friday.
Globally, the attack appeared to be waning, after infecting more than 200,000 computers in at least 150 countries, many of them still struggling to deal with the problem after being crippled by a ransomware attack that security experts said could be only the tip of the iceberg.
The “WannaCry” malware exploited a flaw in Microsoft Windows that the U.S. National Security Agency had found and developed into a hacking tool. That tool was stolen from the NSA and then dumped onto the internet by a hacking group, and those behind the malware attack used the flaw to get into Windows systems.
Few people have paid the ransom — $300 in bitcoin digital currency, rising to $600 after a period of time — demanded by the malware, Europol spokesman Jan Op Gen Oorth told The Associated Press.
While authorities can and do use security flaws to gather intelligence, companies such as Microsoft want to be told about vulnerabilities so they can patch the holes in their security and protect their users from attacks such as WannaCry. Microsoft had recently issued a patch to fix the flaw, but many computers had not been updated.
John Cary Sims, a law professor at University of the Pacific’s McGeorge School of Law, says we should have a policy about a matter that puts us at grave risk every day.
Sims said a national cybersecurity policy or regulations could resolve the divergent interests of government agencies and tech firms when they are at odds, determining when notifying companies about a flaw identified by the government becomes more important than secretly hanging onto it.
“There needs to be a structure that establishes the priorities and there also needs to be clear lines of authority as to who’s going to make the decisions,” Sims said.
The federal government has a policy called the “Vulnerabilities Equities Process” that addresses when agencies should tell companies about security flaws, but that policy has only been partially made public and its process remains opaque, cybersecurity experts said.
“There are some rules and some policy that can be introduced where everybody knows how the government is going to handle these certain situations,” said Greg Martin, CEO of San Francisco cybersecurity firm JASK and a former cybersecurity adviser to the FBI, Secret Service and NASA.
“The government can’t do this alone — they’re really going to have to reach out and work with Apple, with Microsoft and Google,” Martin said.
But policy making isn’t necessarily the only solution, said Casey Ellis, CEO of San Francisco cybersecurity company Bugcrowd.
“The problem with suggesting policy is the answer to problems like this is it suggests that there’s an easy answer,” Ellis said. “I don’t think there is one.”
Ellis favors a more transparent process for the government, and close cooperation with the cybersecurity community, which can offer tremendous knowledge and resources in the battle against cybercrime and national security threats, as the British researcher lauded for helping stem the WannaCry attack showed, he said.
The Electronic Frontier Foundation also called for more visibility into the government’s use of security flaws, saying WannaCry “points to the need for transparency into and reform of how the government handles software vulnerabilities it retains.”