Thursday, May 3, 2018

Cyber security must be separated from online intelligence agencies such as NSA and GCHQ. NSA negligence caused its vicious hacking tools to be released to the entire world for use by state adversaries, organized crime-Emily Taylor, Chatham House, 9/2017...(2017 global WannaCry hacking attack used NSA technology that had been published on the internet)

NSA 2009-2012 became GCHQ's Daddy: Aug. 1, 2013, “Exclusive: NSA pays £100m in secret funding for GCHQ,” UK Guardian, N. Hopkins, J. Borger (100 million British pounds is $136 million US dollars as of 5/3/18) "The US government has paid at least £100m to the UK spy agency GCHQ over the last three years [2009-2012] to secure access to and influence over Britain's intelligence gathering programmes....It raises the possibility that GCHQ might have been spying on an American living in the US. The NSA is prohibited from doing this by US law....GCHQ seems desperate to please its American benefactor."

9/18/2017, "Take Cybersecurity Away From Spies-For Everyone's Sake,", Emily Taylor. ("Emily Taylor is CEO of Oxford Information Labs and editor of the Journal of Cyber Policy." Article first published at Wired UK)
"Our online intelligence services need freedom from the state."

"Until 1994, GCHQ, the British signals intelligence agency, didn't officially exist. Now, it has emerged out of the shadows to take a very public role at the heart of British cybersecurity.

Public accountability for intelligence services is crucial to any democracy but, as the recent WannaCry ransomware attack showed, there are inevitable conflicts of interest between the role of intelligence services and network safety.

The past seven years have seen a dramatic change in profile for GCHQ. While the number of police officers has been cut by 14 per cent since 2010, GCHQ's staff numbers - according to the Home Office - have grown by more than ten per cent in the same period.

At the same time, it has been loaded with additional responsibilities, including the fight against distribution of child-abuse images on the dark web, money laundering and financial fraud.

This was made official when, in February 2017, it assumed responsibility for making the UK "the safest place to do business online" through the National Cyber Security Centre (NCSC).

This rapid increase in power is the result of GCHQ's own competence. A dearth of expertise in government has led to a reliance on the intelligence service to fill gaps.

However, one of the core roles of intelligence agencies is covert operations. Weaving public-safety responsibility into a secret and secretive operation is always likely to cause conflicts of interest.

WannaCry was an example of a [US NSA] state-developed cyber weapon turned against its creators.  

The core exploit, Eternal Blue, is believed to have been created by the US National Security Agency (NSA), who presumably intended to keep it secret. Then, in April 2017, it was leaked, along with a suite of hacking tools targeting Windows PCs. 

The same leak contains powerful exploits that could be weaponised by state adversaries, organised crime or by anyone possessing basic technical knowledge - as we saw with the Petya ransomware attack in Eastern Europe.

Had the NSA chosen to inform Microsoft of the vulnerability, there would have been no Eternal Blue, and no WannaCry. But intelligence agencies have a different motivation: they want to keep such "zero-day" vulnerabilities secret for potential development into a cyber weapon.

This is the challenge the [UK] National Cyber Security Centre faces. By its own description, the NCSC was set up "to help protect our critical services from cyber attacks, managing major incidents and improve the underlying security of the UK internet".

Even the best intelligence agencies are not invulnerable

Part of that would include informing suppliers such as Microsoft of the discovery of major vulnerabilities. But the NCSC cannot do that if it's also hoarding vulnerabilities for its boss, GCHQ.
If security services could keep their secrets safe, perhaps none of this would be a problem. But the NSA's leaks show that even the best intelligence agencies are not invulnerable to hacking

Eternal Blue was published online by the mysterious group of hackers known as the Shadow Brokers, which began releasing secrets in 2015. Their drop followed a release by WikiLeaks of nearly 9,000 documents exposing hacks developed by the CIA.

We do not know how these details were released, but it's easy to see how leaks could develop. Security professionals such as those at the NCSC believe strongly in their work combating threats to the safety of the network, so the practice of hoarding zero-day vulnerabilities would be troubling to them.

Within intelligence agencies such as GCHQ, it can be difficult to raise concerns internally, increasing the potential security threat from insiders. If an employee's legitimate worries aren't being heard, it could lead to whistle-blowing - with a disastrous impact on national security.

Loading responsibility for public cyber-safety on to the intelligence services is bad for both public safety and national security. It also risks diverting resources and energies away from national security and covert operations. 

The WannaCry attack should provide an opportunity to separate two key roles: clandestine signals intelligence and the cyber security of...critical national infrastructure.

The best way to start: make the National Cyber Security Centre (UK) independent from GCHQ (UK)." 

"This article was originally published by Wired Magazine [UK]"

Added: NSA created and then failed to secure its own vicious hacking tools including EternalBlue, causing them to be published on the internet, thus available to state adversaries, organized crime, and ordinary hackers, to be used against the US:

12/19/2017, "Hold North Korea Accountable for WannaCry-And the NSA, Too," Wired, Greenberg

"Root Cause"

"WannaCry's origins stretch back to April [2017], when a group of mysterious hackers calling themselves the Shadow Brokers publicly released a trove of stolen NSA code. The tools included an until-then-secret hacking technique known as EternalBlue, which exploits flaws in a Windows protocol known as Server Message Block to remotely take over any vulnerable computer. 

While the NSA had warned Microsoft about EternalBlue after it was stolen, and Microsoft had responded with a patch in March, hundreds of thousands of computers around the world hadn't yet been updated. When WannaCry appeared the next month, it used the leaked exploit to worm through that massive collection of vulnerable machines, taking full advantage of the NSA's work.

Exactly how the Shadow Brokers obtained the NSA's highly protected arsenal of digital penetration methods remains a conundrum.... 

Despite those security breaches, Bossert's [former Trump official] 800-word statement about "accountability" for the North Korea's hackers who created and launched WannaCry didn't once mention the NSA's accountability for creating, and failing to secure, the ingredients for that disaster, notes Jake Williams, a former NSA hacker himself and the founder of Rendition Infosec...."North Korea couldn't have done this without us. We enabled the operation by losing control of those tools....To have a discussion about accountability for North Korea without the discussion of how they got the material for the attack in the first place is irresponsible at best and deceptive at worst.""...


No comments: