Should U.S. "stockpile" web vulnerabilities?

Photo caption: June 2013 file photo shows the National Security Agency (NSA) campus in Fort Meade, Md. (AP)

As hundreds of thousands of companies in more than 150 countries come to grips with the largest coordinated ransomware attack in history, revelations that malicious hackers used an exploit likely developed by the NSA have shone a light on what had been an open secret in the tech and cybersecurity industries: the National Security Agency finds and hoards information about an ever-growing stash of internet and computer vulnerabilities.

The so-called WannaCry hack takes advantage of a vulnerability in Microsoft Windows, leveraging an exploit stolen from the NSA in April to lock the computer systems of companies ranging from hospitals to car manufacturers in exchange for ransom. The widespread attack has prompted calls -- most notably from Microsoft's President and Chief Legal Officer -- for the NSA to share with companies what it knows about other vulnerabilities, and raised questions about the agency's ability to safeguard its stockpile of secret exploits.

"The interesting thing about WannaCry is that it's our weapons being used against us. Arguably it's the world's best attack craft, and it's being used by common criminals," said Simon Crosby, co-founder and CTO of the California-based security firm Bromium. 

Ransomware -- malware that encrypts files, preventing people from accessing them until they pay a ransom -- has been in use for a long time, but Crosby said only recently has it become capable of wreaking havoc on the scale of Friday's attack.

"Up until now it didn't get much attention, because it didn't have the ability to get beyond individuals and their companies. But now what you have, in the form of nation-state malware as created by the NSA, is the ability to really dive deep and encrypt the important data in a system, and it really gets scary."

The potency of that malware, which is capable of risking lives by shuttering hospitals and other services, at least temporarily, was laid bare in a blog post written by Microsoft's Brad Smith.

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen," Smith wrote. "And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today -- nation-state action and organized criminal action."

Comparing a hack to the theft of Tomahawk missiles might sound like hyperbole, but Ed Goings, the National Principal in Charge of Cyber Response at KPMG, says it isn't far off.

"It can be very similar, if not worse, than the theft of a Tomahawk," said Goings, who formerly investigated computer crime for the Air Force Office of Special Investigations, a predecessor of Cyber Command, the United States' primary internet security agency. "They both can be used in catastrophic ways, they both can be used as a deterrent, and they both can be used as an overt attack ... but in cyber, you're able to cross international lines undetected."

Goings defended the stockpiling of vulnerabilities, arguing that they are tactically important for a military that increasingly perceives cyber threats as being on par with attacks that come via the more traditional routes of land, air and sea.

"We've kept those (stockpiles) for years, and the reason they are kept is just like any tactic of war, to win you need to know your opponent's tactics," Goings said. "I still firmly believe there is information that our (military and intelligence) needs to keep secret in order to defend this country."

The ability to quickly engage in both cyber policing and combat has taken on an added degree of urgency as officials continue to grapple with the Russian intrusion in the 2016 election.

On Sunday, Sen. Ben Sasse, R-Nebraska, told John Dickerson, the host of CBS News' "Face the Nation," that he expects politicians in future elections will face increasingly invasive attacks, often resulting in the publication of stolen data that's been muddled with fake information.

He painted a hypothetical picture of such an attack:

"John Dickerson decides to run for office in 2018, and, all of a sudden, your credit card records get dumped in some sort of a cyber-hack leak, and 97 percent of those records are going to be real. And there's going to be texture to it, and you were in city X on this day, and you were in city Y on this other day, but three percent of the records are going to be fabricated. And they're going to be interwoven. And, John, you have been spending a lot of money at a women's clothing store in Chattanooga, but your wife isn't in Chattanooga, so that's weird. And then there's public doubt about you. And then, five days later, your phone records are dumped, and they're 99 percent accurate, but 1 percent, you're calling a brothel in Chattanooga on Tuesday nights, when your wife is at bridge club."

It's a scary scenario for politicians, some of whom, just last week, in a hearing of the Senate Armed Services Committee, heard testimony calling into question the military and intelligence sectors' ability to defend the U.S. from cyber attacks. Two former intelligence officials and a retired Navy admiral told the Senate committee on Thursday that the U.S. lacks first responders for cyber attacks.

"We're not particularly well organized. Yet we, as the United States, have the largest threat surface of any nation in the world," said retired Admiral James Stavridis. He and Michael Hayden, the former director of the National Security Agency, argued that Cyber Command should be spun off from the NSA into an operation shaped like the Coast Guard, responsible for a combination of law enforcement, first response, public safety and cyber combat.


Got news tips about digital privacy, cybercrime or the intelligence community? Email this reporter at KatesG@cbsnews.com, or for encrypted messaging, grahamkates@protonmail.com (PGP fingerprint: 4b97 34aa d2c0 a35d a498 3cea 6279 22f8 eee8 4e24).

Graham Kates

Graham Kates is an investigative reporter covering criminal justice, privacy issues and information security for CBSNews.com.