5 June 2017

Ex-Obama cyber czar defends government rules for hacking tools

BY JOE UCHILL

Former President Barack Obama’s cyber czar is defending rules governing the hoarding of hacking techniques following the global ransomware attack — in which it’s possible a National Security Agency cyber tool was used against targets like hospitals and governments. 

Michael Daniel, a top adviser to Obama on cybersecurity from mid-2012 to the end of the Obama administration, said U.S. intelligence agencies have to arm themselves for a cyber war and that critics who argue for a disarmament are not living in a realistic world.

He also argued the rules ultimately make the U.S. safer.

“It is naive to believe that in the 21st century, intelligence agencies, law enforcement agencies are not going to have the need to discover software vulnerabilities and exploit them for intelligence purposes,” Daniel told The Hill in an interview.

“In fact, it’s what we want them to do. It’s part of the way we catch terrorists, it's part of how we discover the intentions of those who plan to do us harm. As a society, we want those decisions to occur.”

Congress is beginning a debate over whether to change federal rules on when the NSA and other agencies must disclose security holes in software. Agencies such as the NSA can now hold on to some of these vulnerabilities so that they can potentially take advantage of them.

The Wanna Cry ransomware attack renewed criticism of this system. In the attack, hackers used tools believed to have leaked from the NSA to launch a global attack on users of Microsoft Windows. The attack caused a global panic as hospitals in Great Britain were forced to turn away patients. Some government systems in Russia are reportedly still not back online.

Ransomware is a type of malware that encrypts a target's data, with the attacker only providing the decryption key after receiving payment.

The current U.S. process for determining whether an agency must tell a software or hardware manufacturer that it has a vulnerability is known as the Vulnerabilities Equities Process.

Under that system, the NSA and other agencies must report vulnerabilities they want to keep to an executive branch panel, which then determines whether the manufacturer needs to be notified.

Microsoft, NSA leaker Edward Snowden and the American Civil Liberties Union are among the figures who say manufacturers should always be told about vulnerabilities. They argue this would make the world safer from hackers.

“We can be more transparent, but I don't think the government can ever be as transparent as some people would like,” Daniel said.

“If the government came out and said we had a stockpile of eight vulnerabilities, and the Russian or Chinese intelligence services knew they had figured out seven of the vulnerabilities the U.S. continued to use, they could entirely block the U.S. intelligence agencies.”

Daniel suggests that the best the government may be able to do is release percentages of how many vulnerabilities were disclosed in a given period. It would, at a minimum, clarify that a process was working. 

The PATCH Act, introduced in March by Sens. Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.) and Cory Gardner (R-Colo.) and Reps. Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas), wouldn’t require U.S. agencies to reveal vulnerabilities.

It would, however, codify the current system and introduce a multi-agency review process. 

Daniel, who is now the president of the Cyber Threat Alliance, a group of cybersecurity companies that share threat information, says he sees the bill as a net positive but is critical of taking too much authority away from the executive branch.

“I’m very skeptical about Congress codifying processes,” he said. 

“It would not be bad for Congress to say there has to be some kind of process and it has to meet the following criteria, but leave the specific details to the executive branch.”
