Case Study 1.2: National Security or Computer Security?
In 2017, the world was rocked by massive computer attacks, the largest hitting 2,000 organizations in 65 countries. Hackers shut down hospitals in Britain, the Chernobyl nuclear site, Ukraine’s national bank, a Russian energy company, Merck pharmaceutical, and the Danish shipping company Maersk. They locked up computer files at a number of U.S. businesses, releasing the information after users paid a ransom.
The cyber weapons used in these assaults were developed by the National Security Agency. Computer experts at the NSA used flaws in the Microsoft operating system and other tools to spy on other nations and to carry out secret operations. They gained access to Iran’s air defense systems and infrastructure and disrupted its nuclear program, for example. They also interfered with North Korea’s nuclear missile launches and attacked Islamic State militants. The agency kept knowledge of software vulnerabilities to itself. Thus, officials didn’t notify Microsoft so the company could develop a patch to protect users from a computer program called EternalBlue. According to one security expert, “For many, many years, while it was secret, the NSA could use [EternalBlue] to unlock any door of any computer network in the world. It was the ultimate cyberweapon for espionage.”1
NSA’s cyber cover was blown when the secret weapons were leaked to a group called the Shadow Brokers, which posted some of the tools on the Web. (At that point the NSA notified Microsoft of the EternalBlue program.) Hackers then modified them to carry out their attacks. Experts predict that the attacks will escalate, wreaking even greater havoc as perpetrators move from targeting individual organizations to shutting down entire systems—medical, production, banking, government, transportation, power.
Victims and technology companies are critical of the NSA for failing to warn the public. Microsoft President Brad Smith urged the agency to “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”2 However, according to security experts, the NSA apparently has no plans to release additional vulnerabilities, calculating that national security should take precedence over civilian computer security.
Discussion Probes
1. Has your organization been victimized by ransomware or other computer hacks? How did it respond? What steps are you and your organization taking to improve computer security?
2. Should national security take priority over the computer security of citizens?
3. What are the costs of keeping information about software vulnerabilities secret? The costs of releasing this information?
4. What are the benefits of keeping information about software vulnerabilities secret? The benefits of releasing this information?
5. Based on the costs and benefits, is the NSA justified in keeping information about cyber weaknesses to itself?
