The Legitimacy Problem with NSA’s Silence on WannaCry

Over at Matt Suiche’s website, he chronicles the discovery of a way to work around WannaCry’s ransomware. First a guy named Adrien Guinet figured out how to find the prime numbers that had been used to compute the key locking a computer’s files. Then a guy named Benjamin Delpy recreated the effort and tested it against versions up to Windows 7. This is not a cure-all, but it may be a way to restore files encrypted by the attackers.
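Why recovering the primes matters, as an added example that is not from the post or from Guinet’s or Delpy’s tools: an RSA private key is fully determined by the public modulus plus either one of its two prime factors, so a tool that can find one factor lying around in the encryptor’s process memory can rebuild the key that unlocks the files. The toy below generates a small RSA key, plants one prime inside a constructed byte buffer standing in for a memory dump, scans the buffer for any window whose value divides the modulus, and rebuilds the private exponent from it. The key size, the buffer layout and the little-endian encoding are assumptions for illustration, not the real tools’ logic.

```python
# Added example: rebuilding an RSA private key from one prime factor found in a
# constructed "memory dump". Not from the post or from the tools it mentions.
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; good enough for generating toy keys."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with its top bit set, so it is exactly `bits` long."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def make_keypair(bits=512):
    """Return ((n, e), (p, q, d)) for a textbook RSA key of `bits` bits."""
    e = 65537
    while True:
        p = random_prime(bits // 2)
        q = random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (p * q, e), (p, q, d)


def private_exponent_from_factor(n, e, p):
    """One prime plus the public key gives back the private exponent."""
    q, rem = divmod(n, p)
    if rem != 0 or p in (1, n):
        raise ValueError("not a nontrivial factor of n")
    return pow(e, -1, (p - 1) * (q - 1))


def find_factor_in_memory(buf, n, size):
    """Slide a `size`-byte window over buf and return the first window whose
    little-endian value is a nontrivial divisor of n, or None. A random
    window dividing n by accident is astronomically unlikely."""
    for off in range(len(buf) - size + 1):
        cand = int.from_bytes(buf[off:off + size], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def recover_demo(bits=256):
    """Generate a key, hide one prime in noise, recover it and verify."""
    (n, e), (p, q, d) = make_keypair(bits)
    size = (bits // 2 + 7) // 8
    # Constructed stand-in for a process memory dump: the prime amid noise.
    dump = secrets.token_bytes(64) + p.to_bytes(size, "little") + secrets.token_bytes(64)
    found = find_factor_in_memory(dump, n, size)
    d_rec = private_exponent_from_factor(n, e, found) if found else None
    m = 0xC0FFEE
    roundtrip = d_rec is not None and pow(pow(m, e, n), d_rec, n) == m
    return {"n": n, "e": e, "p": p, "q": q, "d": d, "found": found,
            "d_recovered": d_rec, "roundtrip_ok": roundtrip}


if __name__ == "__main__":
    r = recover_demo()
    print("factor found:", r["found"] in (r["p"], r["q"]),
          "decrypts:", r["roundtrip_ok"])
```

The point of the scan is that it needs no knowledge of where in memory the key lived: any window that divides the modulus is, with overwhelming probability, one of the two primes, and either prime is enough to recompute the private exponent.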

This of course comes after Suiche and, before him, Malware Tech set up sinkholes to divert the malware attack. Other security researchers have released tools to prevent the encryption of files after infection.

And all the while, NSA — which built EternalBlue, the exploit that made this worm so damaging — has remained utterly silent. At this point, Lauri Love, who faces 99 years of prison time for alleged hacking in the US, has done more in public to respond to this global ransomware attack than the NSA has.

The most public comment from NSA has come in the form of this WaPo article, which describes “current and former” officials defending the use of EternalBlue and sort of confirming that NSA told Microsoft of the vulnerability. It also revealed the White House called an emergency cabinet meeting to deal with the attack. Department of Homeland Security released a pretty useless statement last Friday. On Monday, Homeland Security Czar Tom Bossert answered questions at the press briefing (sometimes inaccurately, I think), emphasizing that the US is not responsible for the attack.

I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.

That’s it. That’s what we’ve seen of our government’s response to a malware attack that it had a role in creating.

(For what it’s worth, people in the UK have said their cybersecurity organization, the National Cyber Security Centre, has been very helpful.)

Don’t get me wrong. I’m sure folks at NSA have been working frantically to understand and undercut this attack. Surely they’ve been coordinating with the private sector, including Microsoft and more visible victims like FedEx. NSA intervention may even explain why there have been fewer infections in the US than in Europe. There may even be some cooperation between the security people who’ve offered public solutions and the NSA. But if those things have happened, it remains totally secret.

And I understand why NSA would want to remain silent. After all, companies and countries are going to want some accountability for this, and while the hackers deserve the primary blame, NSA’s own practices have already come in for criticism in Europe.

Plus, I’m sure whatever NSA is doing to counter this attack is even more interesting — and therefore more important to keep secret from the attackers — than the really awesome sinkholes and prime number workarounds the security researchers have come up with. It’s worth noting that the attackers and aspiring copy-catters are undoubtedly watching the public discussions in the security community to figure out how to improve the attack (though the WannaCry attackers didn’t seem to want or be able to use the information on sinkholes to their advantage, as the release that fixed that problem is corrupted).

But, in my opinion, NSA’s silence creates a legitimacy problem. This is the premier SIGINT agency in the world, tasked to keep the US (and more directly, DOD networks) safe from such attacks. And it has remained silent while a bunch of collaborating researchers and consultants have appeared to be the primary defense against the weaponization of an NSA tool.

If 22 year olds fueled by pizza are the best line of defense against global attacks, then it suggests (I’m not endorsing this view, mind you) that we don’t need the NSA.

Update: On Twitter, Jake Williams asked whether NSA would have had a better response if the defensive Information Assurance Directorate hadn’t been disbanded last year by Mike Rogers. I hadn’t thought of that, but it’s a good question.

Santa’s Elves Just Got Fired

Remember the “good” jobs report last week? As Dean Baker explained, many of the new jobs were actually the “couriers” who delivered your holiday presents.

The sharp drop in the unemployment rate over the last four months (from 9.1 percent to 8.5 percent) is not consistent with the job growth reported in the establishment survey. The survey reported 200,000 jobs in December; however, this figure is skewed by the 42,200 job gain reported for couriers. There was a similar gain in this category reported for last December, which was completely reversed the next month. Clearly this is a problem of seasonal adjustment, not an issue of real job growth. Pulling out these jobs, the economy created 158,000 jobs in December, in line with expectations.

Pulling out the courier jobs, growth has averaged 145,000 per month over the last four months. This is somewhat better than the 90,000-100,000 a month needed to keep pace with the growth of the labor force, but certainly not rapid enough to explain a 0.6 percentage point drop in unemployment. At this pace, we would not get back to pre-recession levels of unemployment until 2027. [my emphasis]

Now Baker’s predicted reversal in those jobs has started to appear, with initial jobless claims up 24,000 this week.

More Americans than forecast filed applications for unemployment benefits last week, raising the possibility that a greater-than-usual increase in temporary holiday hiring boosted December payrolls.

Jobless claims climbed by 24,000 to 399,000 in the week ended Jan. 7, Labor Department figures showed today in Washington. The median forecast of 46 economists in a Bloomberg News survey projected 375,000. The number of people on unemployment benefit rolls rose, while those receiving extended payments decreased.

Hiring by package delivery companies and retailers during the holidays to meet demand for gifts may now be giving way to an increase in dismissals.

These words–“couriers” and “package delivery companies”–are very cold. What we’re really talking about are Santa’s Elves, the wondrous people who make your holidays magical, particularly given how they help you avoid crowded malls by allowing you to shop online. In all the cartoon Christmas specials, those elves spend the off-season making more toys for the next Christmas. Not so our “modern” economy. Now, we benefit from their services, enjoy our holidays, and then <<BAM!!>> the Elves are on the street again, looking for work.

Merry Christmas!