Vulnerabilities and ransomware: The policy debate
There are a number of questions that the UK Government should answer in the aftermath of the WannaCry/Crypt ransomware events of the 12th May onwards.
Now is a good time to debate the policies that balance two seemingly contradictory objectives:
a) UK intelligence agencies keeping software vulnerabilities secret so that they can be used in an offensive way to spy on our enemies, and
b) protecting the UK from criminals and other nation states who can use the same vulnerabilities to spy on us and compromise the integrity of critical national and economic infrastructure.
I’ve put together the following (which is deliberately not aimed at technologists) to encourage this debate.
- A few years ago the US spy agency, the NSA, found a bug in Microsoft Windows.
- This bug allowed the NSA to take control of any machine running Windows, spy on what the user was doing and read the contents of all their files. They basically had a back-door into every PC that they managed to take control of.
- It is a clever bug, and to make it happen either the user of the PC had to run a small program or — and this is the serious bit — the NSA just had to send commands to the PC over the network. This means that they could take control of any machine on a network just by sending these commands to it; in cyber security this means that you can build software we call a worm, which, once it infects one machine on a network, can infect all the other machines on the same network.
- The fact that the NSA does this is not unexpected — their job after all is to be a spy agency.
- At some stage (Reuters reports 2013) the NSA was careless and the software they wrote using this bug, which was used to take over people’s PCs, was stolen by another foreign intelligence agency (and most people suspect Russia).
- In April 2017 a group calling itself the Shadow Brokers put a copy of this stolen NSA software and the instructions describing how it worked on the Internet. The Shadow Brokers are widely regarded as a ‘front’ for Russian intelligence.
- The ‘bug’ that allows this software to work was fixed by Microsoft in March 2017 (fortunately or by coincidence the month before it was revealed to the world by the Shadow Brokers) and so most Windows systems that receive regular updates would have been immune to the bug within a few days.
- However, not all versions of Microsoft Windows receive updates. Some corporations don’t update every PC automatically — and an old version of Windows, Windows XP, was not provided with the fix to inoculate it against this bug at the time. (That’s because Windows XP stopped being supported by Microsoft in 2014.)
- Last week a criminal gang produced some software that made use of the NSA-found-bug to take control of people’s Windows PCs. Rather than allowing the criminals to spy on what happens on the PC, this software encrypts all the files on the PC and charges a ransom to the user for the files to be decrypted (RansomWare). This is the software that has caused the problems; it holds your files to ransom by encrypting them until you pay the criminals.
- It is reported the software was sent randomly to people as attachments to email messages — the messages were made to look realistic, something you will have probably heard about called phishing, although other reports claim this is not the case.
- When the user opened the attachment the criminal software ran and started to encrypt the user’s files. But it also then looked on the local network and out onto the internet for any other machines it could infect, and encrypted the files on those PCs as well.
- The criminal software was able to infect any Windows PC that had not applied the Microsoft patches released in March, and all the PCs running Windows XP.
- In big companies patching is quite hard and so it isn’t unusual that some organisations had not patched all their copies of Windows.
- The criminal software has been written quite well and it isn’t (yet) possible to decrypt the files without paying the criminals. Security researchers are working on a way of trying to fix this.
- Microsoft has now released a fix for the old Windows XP PCs.
From a public policy perspective, the core facts about this are that:
- The vulnerability in Microsoft software was known to the NSA in or before 2013.
- The NSA allegedly shares much of this type of information with GCHQ.
- In 2013 the NSA was aware that other intelligence agencies had knowledge of this vulnerability, because the NSA had been compromised.
- In 2014 Microsoft stopped issuing patches for Windows XP.
- In 2014 the UK Government paid Microsoft for one year’s continued support and patching of XP, knowing it was widely in use in the public sector.
- In 2015 the UK Government decided to stop paying for continued XP support and patching.
- Had the NSA or GCHQ told Microsoft about this vulnerability in 2013, none of this would have happened.
Questions to ask the UK Government
- When was GCHQ aware of this NSA-found vulnerability?
- Given the large installed base of Windows XP in the NHS and other parts of the UK infrastructure, who in the Government decided that the vulnerability was more valuable as offensive knowledge than it was to tell Microsoft so they could fix it?
- What contingency plans were in place to protect national infrastructure and vital services in the event that the vulnerability became public knowledge?
- If the answer is that there were no contingency plans, then the Government should be pressed on this. I would suspect that for every chemical and nuclear agent the UK possesses there are extensive contingency plans in place if the agent is released accidentally or by a foreign agency.
- When the Government decided not to continue paying Microsoft for support of Windows XP, was the minister responsible for this decision aware of the vulnerability and that it was being used offensively by GCHQ? Was a risk assessment done at the time, and can it be made publicly available?
- How many other Windows vulnerabilities does GCHQ know about that affect Windows XP?
- Although the Prime Minister keeps repeating that “Patient data was not compromised”, this is not entirely accurate. The confidentiality of patient data was not compromised, but it has been reported that the availability of patient data was compromised. In a health environment this can be just as serious as a breach of confidentiality — and this “no data was compromised” line should be challenged.
- This represents a breach of the seventh Data Protection principle and it will be interesting to see what action the Information Commissioner’s Office takes. The Commissioner has the power to issue an Enforcement Notice to change behaviour. Such an Enforcement Notice could, for example, force organisations to move away from unsupported operating systems and to patch properly. The use of Enforcement Notices should be encouraged — it would be more positive than just issuing monetary penalties.