Last week in The Washington Post's Monkey Cage blog, Henry Farrell examined the role of NSA secrets and software patches in enabling the ransomware attack affecting businesses, hospitals, and governments around the world. Farrell notes that the attack was made possible by a "zero-day exploit" – "a previously unknown flaw in Windows software that makes it easy to take control of vulnerable systems." The exploit was made public last month as part of a leak of National Security Agency data by the Shadow Brokers hacking group. One caveat worth keeping in mind when reading the piece: by the time the ransomware spread, the flaw was no longer a zero-day in the strict sense. Microsoft had already released a fix before the leak, and the systems that were hit were those on which that fix had not been applied, which is precisely why the question of patching, rather than secrecy alone, sits at the center of Farrell's argument.
In the post, Farrell describes how zero-day vulnerabilities create a difficult choice for the NSA, which has the dual role of exploiting such flaws to improve its intelligence gathering and of ensuring that citizens and businesses in the United States are protected from cyber attacks. As a result, the NSA must choose whether to inform the vendor that a vulnerability exists, enabling it to release a patch that closes the hole, or to keep the details secret so that the flaw remains usable for intelligence operations.
Farrell argues that the issue at hand is not whether the NSA should have informed Microsoft of the Windows vulnerability, but the lack of a clear, coordinated system for governing this realm:
"The bigger problem is that no one is in charge. Responsible software producers will issue patches to protect against vulnerabilities (although they may not be obliged to under the law), but there is no way to ensure that everyone implements them. Unfortunately, the problem is getting worse rather than better over time. As Bruce Schneier points out, many of the devices on the Internet these days are not computers or phones. They are DVD players, TVs, webcams and, maybe soon, even salt shakers. The companies building such devices are not always careful about looking for or keeping track of vulnerabilities, so that hackers can target huge numbers of poorly secured devices (and use these devices to attack other Internet users). While experts have identified the importance of the problem, it isn’t clear that there is any plausible solution without radical changes to the ways we build technologies and shape incentives for businesses and users to keep these technologies secure."