Greater than Zero: Ransomware and the NSA

Grant Haver
Aug 8, 2017 · 4 min read

With all the news breaking every day about healthcare, transgender soldiers, and North Korea, it is easy to forget large stories that happened a few weeks ago. WannaCry and Petya were cyber attacks that were felt across the globe. These attacks, which have been linked to North Korea and Russia, were based, at least partially, on the NSA tools leaked by the Shadow Brokers. In order to prevent attacks like this in the future, the NSA has to change its relationship with the market for cyber weapons.

One of the key things disclosed by the Shadow Brokers was a series of zero-days. A zero-day is a weakness in the code of some program that has yet to be discovered by the people responsible for it, so the security staff who work on the program have had “zero days” notice. It would be similar to finding a door into your house that you had never noticed before and that had been unlocked the whole time. These weaknesses are central to the strategy of private hackers and states the world over. Because demand is so high, a black market has grown up to supply would-be hackers with tools. These range from ready-made attack sequences to botnets (computers already under the control of a hacker) to zero-day exploits for Windows and iOS, and America buys them just like any other operator in cyberspace.

Although the US denies that it has created a stockpile of these weapons and exploits, it is clear from the Shadow Brokers’ leak that at least some of this is going on. A few issues arise from hoarding these exploits. The first is that they are tempting targets for foreign intelligence agencies and internal leakers. If the Shadow Brokers had been more interested in money than transparency, they could have sold their exploits for up to $1.5 million each. A second issue is that the government can sometimes pay twice for these exploits. Due to the secretive nature of these purchases and their contents, different government agencies could be bidding up the price or even purchasing the same exploit. This brings up a third issue, which is non-exclusivity. Zero-days work well, but only once. Once the attack has been discovered, the company behind the software should patch the problem, which is why updating your devices is vital to staying secure. Single-use weapons thus become worthless if another state or group uses the exploit and gets caught. The final problem is that hoarding zero-days makes the average citizen no safer. When these security failures aren’t disclosed, companies cannot patch them and our own citizens are left vulnerable.

There are a few steps governments can take to protect their citizens and change zero-day markets. New America published a fantastic report on this a year ago. Two of its policy suggestions are worth more attention. The first suggestion is that there should be a better delineation between what the government will and won’t disclose about zero-days it purchases or discovers. This idea should be pushed a little further. Not only should the government make the disclosure rules clearer, but it should disclose much more than it currently does. The benefits of such an approach are two-fold. Not only would this make Americans safer, it would also disrupt the market for these exploits. If the government revealed exploits immediately after purchase, merchants could not resell the same exploits, and the market would be worth less overall.

The second suggestion from the New America report is that bug bounty programs should be implemented by more companies and that they should be looked at in a more creative way. A bug bounty program is basically a positive zero-day market. Instead of a hacker selling her wares to another hacker, she would instead sell them to the company whose code she had exploited. This helps companies keep their software safe while also rewarding security researchers for scrutinizing their products. Instead of the government supporting these markets by giving “small grants,” as suggested by the authors of the report, the US could create a national bug bounty program in which it purchases the bugs and charges the affected companies a penalty on a sliding scale. This comes from a more environmental approach to cyber security. Just as we fine companies that pollute or have unsafe mining practices and inspect them periodically, the tech industry could be monitored and maintained in a similar way. In order to implement a program like this, however, it would be necessary to create a reasonable set of penalties and rules for businesses, because putting on too much pressure could stifle small companies.

A third way governments can protect their citizens is by building rules and regulations around cyber hygiene. Cyber hygiene is the cluster of practices which, when done regularly, will keep the average person safe most of the time. Some of these practices include making backups of important information, not using the same username and password combination for every service, and patching software and devices regularly. The Senate and the House recently introduced separate bills to promote cyber hygiene by publishing a list of best practices. Although this is only a first step in the right direction, publishing such a list can create some standards which insurers can use to better price their policies.

In a world where the internet has become increasingly important to every aspect of our lives, it is important for the government to promote the security of the internet as a whole and not just to exploit it for the national interest. By developing better rules around the zero-day market and by promoting cyber hygiene, the government can accomplish this goal and protect itself from groups like the Shadow Brokers.

Written by Grant Haver: Master of Political Science. GMU Alum. Cyber policy wonk.