
Since the Snowden revelations became public in 2013, it has been common knowledge that the US National Security Agency (NSA) collects vulnerabilities in software platforms and builds exploits for attacking systems in order to gather signals intelligence for national security and counterterrorism. That the CIA is sitting on a repository of such vulnerabilities was revealed more recently by WikiLeaks on March 6. Other law-enforcement agencies (LEAs) are likely doing the same, because they conduct legal hacking under warrant to access plaintext where data of interest is found to be encrypted. Intelligence agencies of other countries are engaging in similar activities.
If these vulnerabilities are reported to software companies, they would fix the bugs to secure their products, thereby improving cyber security globally. Stockpiling them without letting the vendors know means LEAs can build malware to exploit these vulnerabilities and use such exploits for espionage or kinetic attacks. Clearly, hiding the vulnerabilities can give an edge to these agencies. Robert Knake, who, as part of the Obama administration, helped develop the vulnerabilities equities process, stated that ‘the United States will not do unilateral disarmament.’ This is enough to understand that discovering vulnerabilities helps develop cyber arms.
WannaCry and national security
The global WannaCry worm attack that began on May 11 has renewed the debate on cyber security versus nation-states attempting to build offensive cyberweapons by keeping under wraps the vulnerabilities of various computing platforms known to intelligence and security agencies of governments. Treating safe navigation through cyberspace as a global commons – the fifth commons – is a key requirement of nations for economic growth, as well as social and political development. The military also requires safe navigation through the very same global commons.
NATO doctrine already commits member states to treat an attack in cyberspace as one that can be responded to by any of its members in any theatre of war (land, sea, air, outer space and cyberspace). Does this incident reveal that the militarisation of cyberspace is dominating its peaceful uses?
The exploit for the Windows vulnerability developed by the NSA was stolen from the NSA’s stockpile by a group called Shadow Brokers. The NSA had informed Microsoft about the situation, and Microsoft in turn released a security patch to protect users against this vulnerability. However, even large organisations find it difficult to patch all the systems under their control, and older versions of Windows cannot be updated automatically with the patches.
A world unprepared
The WannaCry worm outbreak, which unfolded in the UK, Europe, the US, Russia, India, China and many other countries, took the world by storm. The malware attack successfully compromised hundreds of thousands of machines running various versions of Windows, including the outdated XP. Even though Microsoft had announced withdrawal of support for XP several years ago, it is still running in ATMs, ticketing machines, hospitals and numerous industrial control systems. Organisations in the private sector and in the government have trouble replacing old systems with new operating systems because of resource constraints. The US Navy signed a contract with Microsoft for maintenance support of Windows XP systems over a year ago, showing the compulsion of operational requirements even in critical organisations such as the US Navy.
The malicious WannaCrypt software encrypted users’ data. The attackers then demanded ransom in Bitcoin for decrypting the files, hence the name ‘ransomware’. This is not the first time, and will not be the last, that an exploit with global consequences for cyber security is stolen by criminals from the stockpile of an intelligence agency.
That an attack vector, ostensibly meant to enhance national security or prevent terrorist attacks, ends up being used as a tool to attack civilian targets – hospitals (UK), universities (China), state railways (Germany), interior ministry (Russia), banks (India) – in times of peace is ample evidence that governments have to think differently about enhancing security in cyberspace.
Different actors, different positions
Microsoft president and chief legal officer Brad Smith argues in a blog post on May 14, titled The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack, that while tech companies like Microsoft are the first responders to attacks, security has become a shared responsibility between tech companies and customers, and the stockpiling of vulnerabilities by governments is a problem. Addressing the last area, he states:
‘…exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen… The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.’
On the other hand, Knake defends the NSA for keeping under wraps a vulnerability in Windows that it had known about for a long time. In his May 16 piece, Don’t Blame NSA for WannaCry, he underlines that signals intelligence is the NSA’s core mission and that the tools are meant for gaining supremacy in cyberspace. It is the vulnerabilities in computing platforms that come in handy when decrypting data, conducting espionage and building cyberweapons for offensive operations. Knake argues that even if the NSA had disclosed the vulnerability and warned users of the possible consequences, it would not have prevented the attack,
“because no amount of warning would have been enough to get Windows XP out of hospitals, or get hospitals to install the latest patches in a timely manner. If NSA had disclosed the vulnerability years ago, it would likely still remain exploitable today.”
This claim is indeed supported by the security reports issued every year by vendors like Verizon and Symantec, which confirm that over three-fourths of attacks could have been prevented if all the security patches had been applied. Knake contends that ‘NSA deserves blame for losing the exploit kit, not for developing it in the first place.’ He is not prepared to blame the NSA for spying, because ‘that’s what they do,’ though he is worried about insider threats to the NSA.
National security vs cyber security
So, there we are – counterterrorism and national security versus cyber security. Whose responsibility is global cyber security? Transnational companies provide software platforms, data centres, online banking, email, messengers, search, social media, e-commerce, news, hospitality, entertainment and other services to their customers throughout the world. It is immaterial what their revenue model is, whether they charge a fee upfront or generate revenue through advertising. Cyber security in all these services is their individual and collective responsibility, while customers too have to be vigilant. The impact of WannaCry-like incidents will be much worse in the future, since the number of IoT devices that may be compromised by such attacks will be very large; the number of IoT devices will soon far exceed that of traditional ICT systems.
Call for action
What is the responsibility of governments for cyber security? Are they more engaged in the development of offensive capabilities using the vulnerabilities? We know that the same malicious code can be used as an espionage tool, as an attack vector against national critical infrastructure, or for identity theft in petty cybercrime. This incident has not caused much damage, but it is a wake-up call.
Governments typically weigh the prospect of a cyber arms race against cyber security. Global cooperation in building norms of behaviour for nation-states in cyberspace, under the aegis of the UN, is essential to contain the proliferation of attack vectors that have their origins in the security and intelligence agencies of countries. However, progress in the UN towards negotiating any treaty is going to be woefully slow, as can be seen from the norms that emerged from the Group of Government Experts (GGE) after four rounds in 2015, with the fifth round presently underway.
Microsoft’s Smith gave a call for a Digital Geneva Convention (DGC) at the RSA Security Conference in February. Another notable development was the G7 Declaration on Responsible States Behaviour in Cyberspace, signed on April 11, which reiterates the UN GGE norms agreed upon in 2015. The norms endorse the applicability of the UN Charter, the international law of armed conflict, international human rights conventions and so on to the arena of cyberspace. But that is too vague when the world is confronted with WannaCry and the spectre of more such attacks.
Could some specifics be identified and debated by the private tech sector in Track 2 mode, then moved to 1.5 or straightaway to Track 1 for framing of international norms? Without the involvement of governments and their agreement to norms, it will not be possible to secure cyberspace for peaceful uses. It is in this light that the DGC proposal to protect cyberspace, with the objective of ‘protect(ing) the public from nation-state threats in cyberspace,’ has to be achieved.
Microsoft has advanced the DGC proposal towards a treaty, based on its discussions ‘with government officials, industry peers and customers around the world.’ Using these inputs, it published three documents on April 13 that were described as ‘a set of binding agreements between nations, backed by a tech sector accord and supported by an independent attribution organization.’ It states that ‘the G7 declaration is focused on voluntary, non-binding state behaviour during peacetime’ and proposes that it should be moved to ‘a legally binding framework that would codify rules for governments and thus help prevent extraordinary damage.’ It adds that the tech sector accord will commit the tech industry ‘to assist and protect customers everywhere, and never to assist in attacking them…. 100% commitment to defense and zero percent to offense.’
These norms and agreements will have significance only if the attackers can be brought to justice. This requires attribution with near certainty, and that too by an independent organisation the world can trust. When governments attribute attacks using their own agencies, the attributions are generally not accepted by the accused nation-states. The Estonia and Georgia attacks attributed to Russia and, more recently, the Sony Pictures attack attributed to North Korea are prime examples.
Microsoft proposes an independent organisation, a ‘public-private group, drawing on the strengths of both technology companies and governments to investigate cyberattacks and identify those behind them.’ It cites the International Atomic Energy Agency, an intergovernmental body, as a precedent. There are others, such as the International Civil Aviation Organization, from which the world can learn to create an attribution organisation.
It is time that countries agree to limit the cyber arms race. Setting norms of behaviour by nation-states in cyberspace is the key to achieving this objective. Will transnational companies emerge as global companies serving all their customers in any part of the world? Will they treat all governments and citizens alike, without imposing the laws of a country in cyberspace? There is a lot to be done to get there.
Trust from all countries, especially from developing countries, is critical, because all norms are being debated first in the G7, G20, World Economic Forum and the like, notwithstanding the Shanghai Cooperation Organization, which has a strong voice too. Can we convert the ideas advanced in DGC into acceptable norms and entities to secure cyberspace for peaceful uses?
Kamlesh Bajaj is a Distinguished Fellow, EastWest Institute. He was the Founder CEO, Data Security Council of India; and Founder Director, CERT-In, Department of Electronics and Information Technology.