Monday, July 30, 2018

US intelligence agencies must be separated from cybersecurity. CIA and NSA priorities conflict with public safety, as exemplified by their losing control of elite, US taxpayer-funded hacking tools now available to the entire world, including organized crime and state adversaries – Wired UK, Chatham House, Sept. 2017

9/14/2017, “Take cybersecurity away from spies…for everyone’s sake,” Emily Taylor

“Our online intelligence services need freedom from the state.”

GCHQ is UK version of US NSA

9/18/2017, “Take Cybersecurity Away From Spies – For Everyone’s Sake,” Emily Taylor. (Article first published at Wired UK)

“Until 1994, GCHQ, the British signals intelligence agency, didn’t officially exist. Now, it has emerged out of the shadows to take a very public role at the heart of British cybersecurity.

Public accountability for intelligence services is crucial to any democracy but, as the recent WannaCry ransomware attack showed, there are inevitable conflicts of interest between the role of intelligence services and network safety. 

The past seven years have seen a dramatic change in profile for GCHQ. While the number of police officers has been cut by 14 per cent since 2010, GCHQ’s staff numbers – according to the Home Office – have grown by more than ten per cent in the same period.

At the same time, it has been loaded with additional responsibilities, including the fight against distribution of child-abuse images on the dark web, money laundering and financial fraud. 

This was made official when, in February 2017, it assumed responsibility for making the UK “the safest place to do business online” through the National Cyber Security Centre (NCSC).

This rapid increase in power is the result of GCHQ’s own competence. A dearth of expertise in government has led to a reliance on the intelligence service to fill gaps.

However, one of the core roles of intelligence agencies is covert operations. Weaving public-safety responsibility into a secret and secretive operation is always likely to cause conflicts of interest. 

WannaCry was an example of a [US NSA] state-developed cyber weapon turned against its creators.

The core exploit, Eternal Blue, is believed to have been created by the US National Security Agency (NSA), who presumably intended to keep it secret. Then, in April 2017, it was leaked, along with a suite of hacking tools targeting Windows PCs. 

The same leak contains powerful exploits that could be weaponised by state adversaries, organised crime or by anyone possessing basic technical knowledge – as we saw with the Petya ransomware attack in Eastern Europe. 

Had the NSA chosen to inform Microsoft of the vulnerability, there would have been no Eternal Blue, and no WannaCry. But intelligence agencies have a different motivation: they want to keep such “zero-day” vulnerabilities secret for potential development into a cyber weapon. 

This is the challenge the [UK] National Cyber Security Centre faces. By its own description, the NCSC was set up “to help protect our critical services from cyber attacks, managing major incidents and improve the underlying security of the UK internet”. 

Part of that would include informing suppliers such as Microsoft of the discovery of major vulnerabilities. But the NCSC cannot do that if it’s also hoarding vulnerabilities for its boss, GCHQ. 

If security services could keep their secrets safe, perhaps none of this would be a problem. But the NSA’s leaks show that even the best intelligence agencies are not invulnerable to hacking.

Eternal Blue was published online by the mysterious group of hackers known as the Shadow Brokers, which began releasing secrets in 2015. Their drop followed a release by WikiLeaks of nearly 9,000 documents exposing hacks developed by the CIA.

We do not know how these details were released, but it’s easy to see how leaks could develop. Security professionals such as those at the NCSC believe strongly in their work combating threats to the safety of the network, so the practice of hoarding zero-day vulnerabilities would be troubling to them.

Within intelligence agencies such as GCHQ, it can be difficult to raise concerns internally, increasing the potential security threat from insiders. If an employee’s legitimate worries aren’t being heard, it could lead to whistle-blowing with a disastrous impact on national security. 

Loading responsibility for public cyber-safety on to the intelligence services is bad for both public safety and national security. It also risks diverting resources and energies away from national security and covert operations. 

The WannaCry attack should provide an opportunity to separate two key roles: clandestine signals intelligence and the cyber security of…critical national infrastructure.

The best way to start: make the National Cyber Security Centre (UK) independent from GCHQ (UK).”

“This article was originally published by Wired Magazine [UK]”

From article linked above: 

5/22/2017, “WannaCry ransomware: what is it and how to protect yourself,” Victoria Woollaston

“Researchers from various security firms including Avast, Proofpoint and Symantec said WannaCry most likely spread via an exploit used by the Equation Group – a group widely suspected of being tied to the NSA. 

How is the NSA involved? 

For several months, the Shadow Brokers hacking group, which obtained files from the NSA, has been releasing parts of the agency’s hacking tools. 

As well as the WannaCry ransomware being seen in the UK, it has appeared in hundreds of countries around the world. CCN-CERT, the Spanish computer emergency response organisation, issued an alert saying it had seen a “massive attack of ransomware” from WannaCry. 

The vulnerability (MS17-010) is linked to Microsoft machines and can affect Windows Vista, 7, 8, 10, XP and versions of the Windows Server software. Microsoft initially announced the vulnerability on March 14 and recommended users patch their devices. 

Has Microsoft fixed the latest problem?

Microsoft fixed MS17-010 in its March release but it is likely organisations affected did not patch their devices before the spread of the malware…. 

In a statement, Microsoft’s president and chief legal officer Brad Smith said this attack “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” he continued.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organised criminal action.”… 

The safest way to protect yourself is to avoid clicking links from unknown sources. Security experts have strongly recommended all Windows users fully update their system with the latest available patches.”…5/22/2017


Author’s Biography 

“Emily Taylor is an associate fellow of Chatham House and is editor of the Journal of Cyber Policy. She is CEO of Oxford Information Labs. Emily’s research publications include The Internet in the Gulf (Chatham House); ‘ICANN: Bridging the Trust Gap’ and ‘Privatisation of Human Rights’ for the Global Commission; annual World Report on Internationalised Domain Names (lead author); and reports for the UK regulator, Ofcom, and a review of ICANN’s policy development process. 

She chaired the independent WHOIS Review Team for ICANN, and served on the Internet Governance Forum’s Multistakeholder Advisory Group, and as part of the Global Commission on Internet Governance Research Network. From 2000-09, she was at Nominet as director of legal and policy. She has written for the Guardian, Ars Technica, and the New Statesman, and has appeared on the BBC Now Show.

Areas of expertise

  • Internet governance and ICANN
  • Internet protocol and domain names
  • Online multilingualism
  • Privacy, freedom of expression and internet law”
