The whole WannaCry episode has understandably resurrected the question of NSA’s role in identifying and then exploiting or patching cyber vulnerabilities.
To remind, the National Security Agency is one of the few organizations in the world to have both an offensive and defensive mission. It’s charged with intercepting communications for legitimate foreign intelligence purposes while also defending American communications from similar attempts by foreign actors.
The processes have cohabited for 65 years at NSA because both of them revolve around the concept of vulnerability. With a vulnerability in hand, you can exploit. Similarly, with a vulnerability in hand, you can patch and defend.
Makes sense, but it also has required NSA to make what it calls the equities decision, deciding to exploit or defend.
This has always been a serious process but clearly the context within which that decision is made has been changing rapidly. Far more often now the vulnerability in question is residing on a device that is in general use (including by Constitutionally protected US persons) than on an isolated adversary network.
Also eroded is a comfort zone that NSA used to label as NOBUS–nobody but us…as in, this vulnerability is so hard to detect and so hard to exploit that nobody but us (a massive, technological powerful, resource rich, nation state security service) could take advantage of it. That playing field is being leveled, not just by competing nation states but also by powerful private sector enterprises. The NOBUS comfort zone is considerably smaller than it once was.
Both of these developments have affected where NSA places the fulcrum in its balancing of offensive and defensive equities. Both offense and defense contribute in their own way to American security, it should be noted, but the reflex response is shifting in the direction of expose and patch rather than hide and exploit.
Former NSA Director Keith Alexander recently estimated that well over 90% of equities decisions now go to the defense.
Since the Snowden revelations, national level offices beyond NSA have also become more involved in these decisions, providing a level of oversight that ensures that privacy and commercial concerns are not discounted. In fact, a decision by NSA to preserve and exploit a vulnerability has to be reviewed by a National Security Council led Equities Review Board.
In the recent WannaCry case, the system may well have worked just as envisaged. Microsoft issued a patch for the WannaCry vulnerability in March. One suspects (but cannot confirm) that that may have been prompted by a warning from the process outlined above. If it was, that stands as the kind of mutually supportive relationship that should exist between government and industry and the kind of relationship that The Chertoff Group works to foster.
Of course, the NSA in possession of such powerful tools must be able to protect those same tools and keep them within their own hands. In addition, these warnings and subsequent patches are of little value if they are not applied by end users — suggesting yet another task for those who would work to foster cyber security.
Michael V. Hayden, a Principal at the Chertoff Group and visiting professor at George Mason University’s Schar School of Policy and Government, was director of the National Security Agency from 1999 to 2005 and the Central Intelligence Agency from 2006 to 2009.
