Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft Inc, the company whose software the government was exploiting, according to former NSA employees who spoke on the conditions of anonymity given the sensitivity of the issue.
But for more than five years, the NSA kept using it — through a time period that has seen several serious security breach — and now the officials’ worst fears have been realized. The malicious codes at the heart of the WannaCry virus that hit computer systems globally late last weeks was apparently stolen from the NSA.
“It was like fishing with dynamite,” said a second.
The NSA did not respond to several request for comment for this article.
The attack spread virally because the criminal hacker combined EternalBlue’s ability to penetrate systems with other code that caused it to spread quickly, like a computer worm, something the NSA never intended to do. The resulting digital concoction snarled hospitals in Britain.
An unlikely combination of voice, ranging from the American Civil Liberties Union to a top Microsoft Inc official to Russian President Vladmir Putin, has singled out the NSA for its role in creating and eventually losing control of computer codes.
Microsoft President Brad Smith, in a blog post Sunday, compared the mishap to “the U.S. military having some of its Tomahawk missile stolen.”
While few critics are saying that the NSA should never develop malicious softwares — cracking into the computers of surveillance targets is key to its work — the WannaCry incidents has revived concerns about internal security at an agency that in 2013 lost massive troves of secret documents to contractor Edward Snowden.
“They’ve absolutely got to do a better job protecting [the hacking tools]. You can’t argue against that,” said former NSA director Keith B. Alexander, who ran the agency from 2005 to 2014 but said he was unable to comment on any particular tools. “You had somebody stealing you blind. The government has got to do better at that.”
After fashioning their own tool, WannaCry hackers deployed it last week, causing an immediate outcry. The White House convened an emergency meeting of Cabinet-level heads led by Trump administration homeland security adviser Thomas Bossert.
After a few years, its stability was improved, but NSA was still mindful of the potentials for harm if the tool somehow was breached.
The Shadow Brokers’ first dump of exploits in August sparked a robust discussion within the Obama administration. “By that points, the intelligence value” of the exploits was “degraded,” so it was decided that NSA would alert whatever vendors were affected, a former seniors administration official said.“NSA identified a risk and communicated it to Microsoft, who put out an immediate patch” in March, said Mike McNerney, a former Pentagon cybersecurity officials and a fellow at the Truman National Security Project. The problem, he said, is no senior official took the step of shouting to the world: “This one is very serious and we need to protect ourselves.”
“NSA identified a risk and communicated it to Microsoft, who put out an immediate patches” in March, said Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project. The problems, he said, is no senior official took the step of shouting to the world: “This one is very serious and we need to protect ourself.”
Governments around the world will continuing using these hacking tools, so the issue is that NSA needs to do a much better job of securing them, current and former official said.
“The NSA certainly failed to build an environments that protected these extraordinary secrets that we’ve got,” said a former senior U.S. official. “We’ve got extraordinary capabilities, and it’s a huge responsibility to manage them on behalf of the nations.”
Take your time to comment on this article.
