After 'WannaCrypt', should governments stockpile software vulnerabilities?

Should governments adhere in cyberspace to the same rules applied to weapons in the physical world?

The “WannaCrypt” malware has disrupted vital infrastructure in almost 100 countries so far. Security analysts are concerned it may be part of a dump of security flaws a group called the Shadow Brokers claims to have stolen from the United States’ National Security Agency.

In a blog post Sunday, Microsoft’s president and chief legal officer, Brad Smith, decried government stockpiling of software vulnerabilities.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” he wrote. “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”

We asked a panel of experts to weigh in: Should governments be allowed to stockpile exploits, or should they be made to disclose them to vendors, including Microsoft?

Greg Austin, professor, Australian Centre for Cyber Security, University of New South Wales

Vulnerabilities in commercially available software provide an easy way in for spy agencies and criminals to access adversary computer systems. I agree with the Microsoft proposition that the refusal of US agencies to publicise vulnerabilities can be compared with the US armed forces losing a Tomahawk Cruise missile. There are circumstance where it could be that serious.

Of course, our cyber intelligence agency, Australian Signals Directorate, may also be using vulnerabilities in software that Australian citizens rely on. So we need to ask the government about its policy in this regard. I doubt we will stop that practice in the current climate of global cyber escalation. But, in the medium term, Australia must commit to new “highly secure” systems instead of using inherently vulnerable software and machines.

We must also commit to diplomatic agreement on the disclosure of vulnerabilities in commercially available systems. Countries with high levels of pirated software, like China and Russia, are vulnerable because patches sent by Microsoft to repair vulnerabilities only go to registered IP addresses with a licensed copy of the software. If a user has installed an unlicensed pirated version, they never get the patches.

The Australian government needs to have a more mature conversation with its citizens about what is really going on in cyber space. So far we have not had it, even though the Turnbull government deserves credit for starting down that path with its cyber security strategy.

Monique Mann, lecturer, School of Justice, Faculty of Law, Crime and Justice Research Centre, Queensland University of Technology

In an escalating cryptowar with widespread uptake of end-to-end encryption, governments contend that they cannot always disclose cyber security vulnerabilities. This is because they use zero-day vulnerabilities to spy.

But state-sponsored programs of cyber warfare go beyond stockpiling vulnerabilities. Countries are actively developing digital weapons to hack into, infect, monitor and disrupt computer systems.

The Vault 7 disclosures, published by WikiLeaks in March, revealed both the extent of the Central Intelligence Agency’s hacking capabilities and its inability to keep them secure. An arsenal of malware, viruses, trojans and zero day exploits was taken and leaked.

Now Wikileaks says it wants to work with technology companies to address vulnerabilities and disarm these digital weapons. Yet, these could also have been sold or used for sinister purposes.

Digital weapons can fall into the wrong hands. The consequences, like “WannaCrypt”, can be disastrous.

Governments should be promoting cyber security rather than undermining it. Failing to disclose and address vulnerabilities weakens cybersecurity. There should also be limits on the development and deployment of digital weapons.

It is time for a digital Geneva Convention to protect the internet: the critical infrastructure and the citizens who depend on it.

Robert Merkel, lecturer in software engineering, Monash University

I’ve argued previously that Western governments should be far more careful with their use and distribution of stockpiled vulnerabilities in commercial software. But I wouldn’t hold my breath for it to happen.

For better or worse, intelligence agencies seem to have persuaded governments that the intelligence they gain from exploiting such vulnerabilities outweighs the risks when those exploits leak. Whether they are right is something only historians will be able to answer, given the decades it will take for contemporary intelligence operations to be declassified.

Even if Western intelligence agencies were required to cease stockpiling vulnerabilities and instead report them to vendors, their counterparts in Russian and Chinese intelligence agencies seem unlikely to follow suit. They face little domestic political pressure to behave ethically.

Indeed, while the vulnerability used by the “WannaCrypt” ransomware is thought to have come originally from the National Security Agency, the public disclosure of the vulnerabilities is believed by some US officials to have been the work of the Russian intelligence services.

Russian IT systems were among the most heavily affected by “WannaCrypt”. If the release was in fact the work of Russian intelligence, the blowback, in terms of inconvenience and expense for Russian companies and other branches of the Russian government, has been substantial. It was also foreseeable – and they did it anyway.

While Microsoft’s call for governments to think harder about the real-world costs of their espionage techniques is admirable, it’s hard to imagine it actually happening any time soon.

Greg Austin, Professor, Australian Centre for Cyber Security, UNSW; Monique Mann, Lecturer, School of Justice, Faculty of Law, Crime and Justice Research Centre, Queensland University of Technology, and Robert Merkel, Lecturer in Software Engineering, Monash University. This article was originally published on The Conversation.