The WannaCry Ransomware Pandemic: Implications for the Vulnerability Equities Process.

NSA is now believed to have warned Microsoft of the possibility that EternalBlue vulnerabilities were likely to be exploited in the wild. Indeed, NSA was right, as the arrival of WannaCry and now BlueDoom have shown. The agency has come in for considerable criticism internationally, more for what people are calling the "stockpiling" of vulnerabilities than for failure to secure those vulnerabilities. Disclosure of bugs NSA discovers is governed by the Vulnerability Equities Process. A bill introduced this week in the US Senate would take that process out of the Intelligence Community's hands, interposing an oversight body. What are the likely implications of the WannaCry pandemic for vulnerability disclosure?

Disclosure of EternalBlue

It's been widely reported this week that NSA warned Microsoft about the vulnerabilities connected with EternalBlue in February of this year. Microsoft took the unusual step of cancelling its regular patching that month to attend, as is now generally known, to exploitable vulnerabilities in Windows versions. Those patches were released in March to much suspicious industry speculation about the discovery of the flaws Redmond addressed. In April the ShadowBrokers dumped EternalBlue, and last week the threat actors behind WannaCry released their probably botched and unintentionally indiscriminate ransomware into the wild. 

However the decision to tell Microsoft about the bugs was actually reached, assuming established policies and procedure were followed, that decision would have been informed by the Vulnerability Equities Process.

The Vulnerability Equities Process

The US Intelligence Community discovers and uses software vulnerabilities in the course of its collection efforts. Obviously, when a vulnerability is publicly disclosed, the target of collection learns about it and can take steps to fix the flaw and deny collection. Thus agencies in the Intelligence Community, especially the National Security Agency, are thought to hold such discoveries closely so they can be exploited in pursuit of their foreign intelligence mission. 

Such discovery and use of bugs has been controversial, as many object to what they characterize as "hoarding" or "stockpiling" vulnerabilities. Some critics would prefer NSA tell software vendors at least, if not the public at large, about any zero-days it uncovers. The argument is that this would contribute to a kind of herd immunity, making cyberspace collectively more secure. The Intelligence Community is thus faced with a dilemma: either keep zero-days quiet (the better to exploit them), or disclose them (the better to enable users to patch and secure their systems).

The Intelligence Community has sought to resolve the dilemma by slipping between its horns, selectively disclosing the vulnerabilities it discovers. In 2008 with National Security Policy Directive 54 established the Comprehensive National Cybersecurity Initiative, and required various agencies to share vulnerabilities and in some cases disclose them. Agencies would decide to disclose or not through the Vulnerability Equities Process (VEP). It's worth noting that the VEP has been a matter of Administration policy, not something mandated by either law or executive order.

This process assumed more urgency and importance in the aftermath of the Snowden leaks. A general consensus emerged that the default position should be a presumption of disclosure (and indeed the stockpile of undisclosed zero-days appears to have been smaller than many NSA critics assumed and feared). That recommendation appeared among those the President’s Review Group on Intelligence and Communications Technologies offered as it looked into the Snowden affair and the US surveillance practices the leaks touched on. As a result of those recommendations, the Special Assistant to the President and Cyber Security Coordinator in the National Security Council was selected to oversee the process, NSA was designated the VEP's Executive Secretariat, and an Equities Review Board (ERB) was established to decide whether or not to keep vulnerabilities quiet. In general the ERB would proceed by balancing the value of a particular zero-day for intelligence collection against the danger and severity of that zero-day's possible exploitation in the wild.

Controversy surrounding the VEP

The VEP has been predictably controversial. Civil libertarians deplore any hoarding of zero-days, and more people in the security community than one might expect think the process itself dangerous and ill-conceived. Dave Aitel, of Immunity, Inc., is one of the latter. He offered a critique of the VEP in Lawfare that said "the US has confused a public relations strategy with a security strategy, to the detriment of the nation." While both sides of the controversy agree that vulnerabilities presenting an imminent danger to public safety should be disclosed to those best positioned to protect people, where that line should be drawn and to whom disclosure should be made remain matters of dispute.

Pending Congressional action

The US Senate is considering legislation that would take the Vulnerability Equities Process out of the hands of the Intelligence Community and formalize it as a matter of law. The pending bill, the PATCH Act (the "Protecting our Ability to Counter Hacking Act of 2017," as the forced acronym is unpacked) defines "vulnerability" and establishes a mechanism by which disclosures would be made. 

The bill defines ‘‘vulnerability’’ as "a design, configuration, or implementation weakness in a technology, product, system, service, or application that can be exploited or triggered to cause unexpected or unintended behavior." It places responsibility for overseeing disclosure of these in a "Vulnerability Equities Review Board" to be chaired by the Secretary of Homeland Security. Its standing members would include the Directors of the FBI, National Intelligence, CIA, and NSA. The Secretaries of Commerce, State, Treasury, and Energy would serve on the Board when matters falling under their jurisdiction were considered, as would the chair of the Federal Trade Commission. The President could approve participation on an ad hoc basis by members of the National Security Council.

The Board would set disclosure policy, and the draft bill expresses an expectation that the default position would be public disclosure (with the very large and flexible exception of vulnerabilities deemed to affect national security). Interestingly, the bill specifically authorizes any Federal agency to disclose a vulnerability without the Board's permission if the agency determines that the bug is "presumptively shareable or releasable."

Security issues involving stockpiling and disclosure

Microsoft has publicly said the leaked EternalBlue exploits were obtained from NSA. Assuming that's correct (and essentially all observers think it is) the unanswered question remains, how did the ShadowBrokers obtain their material. Former NSA and CIA Director Michael Hayden, who led NSA from 1999 to 2005, has long defended his former agency. But this episode he finds deeply disturbing. As he told the New York Times, “But I cannot defend an agency having powerful tools if it cannot protect the tools and keep them in its own hands.” Such leaks, he thinks, pose "a very serious threat to the future of the agency.” 

Other notes on WannaCry and EternalBlue

We spoke with Stu Sjouwerman, CEO of KnowBe4, about the ongoing ransomware pandemic. He noted that when you see code pinging at random the way the WannaCry worm does, soon you'll see countrywide effects "in no time." He compared the incident to the propagation of an IoT botnet in its speed and spread.

We also received an email from Dana Simberkoff, chief compliance and risk officer at AvePoint, who sees the incident as another warning of the importance of sound digital hygiene. "Security and data protection is not just the job of your CISO and CPO," Simberkoff told the CyberWire. "It is everyone’s responsibility every day. Your employees may not be responsible for updating their corporate laptops and company issued devices, but if they are connecting to your corporate networks with personal devices, or home computers, they must be responsibly applying patches and updates to their own systems. Good cyber hygiene requires that you patch and update your operating systems regularly and as often as necessary. Operating systems that were properly patched were protected from this vulnerability by default." On the enterprise level, Simberkoff strongly recommends continuous training and close attention to patching.

There have been reports of other malware working against the same general set of vulnerabilities being exploited by WannaCry. Proofpoint has described "Adylkuzz," a malicious cryptocurrency miner that began quietly circulating in the wild weeks before WannaCry appeared. Its masters are using infected machines to accumulate coin.

Michael Patterson, CEO of Plixer told us in an email that, “The use of another person’s computing resources without them knowing it is still a form of theft. The concern with Adylkuzz could be that because it doesn’t lock up a computer, organizations might be less fearful of it.  The problem is that slow computers can lead to less productivity which can add up quickly to significant money. IT security teams should monitor network traffic patterns enterprise wide to try and uncover reductions in SMB traffic. This is why maintaining baselines of applications using technologies like NetFlow and IPFIX can mean the difference between finding the infection in a few days versus after several months."

Finally, Heimdal Security warns of the discovery of what they're calling "BlueDoom," and this one is disturbing. It's more sophisticated in execution by far than WannaCry. As Heimdal puts it on their blog, "BlueDoom is different from WannaCry because it shows a long-term intent to make use of vulnerabilities stemming from virtually all Shadow Brokers leaks containing Windows exploits. BlueDoom disguises [itself] as WannaCry, but it’s a completely different type of worm that does not drop ransomware." In fact, BlueDoom appears to aim at quietly establishing persistence in victim networks, presumably with a view to activation later for future attack campaigns.