[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Companies Victimized by Repurposed NSA Tools Don’t Share Those Details with Government

Reporting on an appearance by acting DHS undersecretary for the National Protection and Programs Directorate Christopher Krebs, CyberScoop explains that the government only heard from six victims of the WannaCry and NotPetya ransomware outbreaks (two known major victims are Maersk shipping, which had to shut down multiple terminals in the US, and the US law firm DLA Piper).

Christopher Krebs, acting undersecretary for the National Protection and Programs Directorate, told an audience of cybersecurity professionals Wednesday that the biggest issue with both incidents came from an absence of reports from businesses who were affected. While experts say that WannaCry and NotPetya disrupted business operations at American companies, it’s not clear how many enterprises were damaged or to what degree.

The government wanted to collect more information from affected companies in order to better assess the initial infection vector, track the spread of the virus and develop ways to deter similar future attacks.

Collecting data from victim organizations was important, a senior U.S. official who spoke on condition of anonymity told CyberScoop, because the information could have been used to inform policymakers about the perpetrator of the attack and potential responses

The rest of the story explains that private companies are generally reluctant to share details of being a ransomware victim (particularly if a company pays the ransom, there are even legal reasons for that).

But it doesn’t consider another factor. If a cop left his gun lying around and some nutjob stole the gun and killed a kid with it, how likely is that family going to trust the cop in question, who indirectly enabled the murder?

The same problem exists here. Having proven unable to protect its own powerful tools (this is more a factor in WannaCry than NotPetya, though it took some time before people understood that the latter didn’t rely primarily on the NSA’s exploit), the government as a whole may be deemed less trustworthy on efforts to respond to the attack.

Whether that was the intent or just a handy side benefit for the perpetrators of WannaCry (and of Shadow Brokers, who released the exploit) remains unclear. But the effect is clear: attacking people with NSA tools may undermine the credibility of the government, and in the process, its ability to respond to attacks.

image_print
6 replies
  1. SpaceLifeForm says:

    Well, the headline is actually telling:

    Avoided government help.

    Yeah, that is actually smart. The old “we’re from the government and are here to help” combined with worthless VEP leads to suspicion.

    It is not a surprise then that DNC did not want any government DFIR action. But that may have occurred anyway.

    The problem is: who do you trust when it comes to DFIR?

    An allegedly reputable firm could really be a front company.

    https://medium.com/theyoungturks/crowdstrike-the-dncs-security-firm-was-under-contract-with-the-fbi-c6f884c34189

  2. Jorma says:

    We’ve gone down the rabbit hole on this stuff. Well I say we, the collective. I should have said we have been taken down the rabbit hole. The entire cyber security world is like 11 dimensional Spy vs Spy or how about whack a mole, on acid.

    I say spy vs spy because there is scant difference between the ‘sides’. Between what is the government, and what isn’t. Obviously I am not adding a thing to this discussion I just wanted to vent.

  3. SpaceLifeForm says:

    OT: In Like Flynn

    http://www.npr.org/2017/09/13/550679417/house-dems-michael-flynn-may-have-lobbied-for-nuclear-deal-inside-white-house

    Retired Lt. Gen. Mike Flynn may have lobbied on behalf of a vast foreign deal to build a fleet of nuclear reactors across the Middle East as he was serving as national security adviser, according to new documents out Wednesday.

    [What a method this could be to get raw nuclear material to Mideast, and then magically lose track of the goods]

  4. Charles says:

    OT: Jeremy Scahill interviews Edward Snowden on the hacks. NSA is only medium confident Russians were involved in hack because NSA may have identified presence of many hackers. “NSA is spying on everyone, everywhere, all the time…so why aren’t we getting evidence on [such an important topic]?”

    I think that’s an interesting question. Possible answers: a) NSA is ok with Donald Trump, b) NSA hasn’t prioritized resources to examine the issue, c) NSA’s haystack is so large that it can’t actually find anything, d) NSA doesn’t want to expose its capabilities and therefore is laundering what it knows through other agencies, and (of course) e) the Russians didn’t do the hack. My guess is it’s a combination of b, c, and maybe d. But it is getting really irritating that on very big and important issues where US technical capabilities are supposed to be actually capable of technical things (e.g., deciding who was behind the attack on the MH-17 flight over Ukraine), we get the mushroom treatment.

    Snowden also talks about Equifax. Amusing, though not much substance.

    • orionATL says:

      snowden says :

      ” NSA is spying on everyone, everywhere, all the time…so why aren’t we getting evidence on [such an important topic]?”

      that’s my question.

      but then,

      maybe nsa is like one of those companies ew talks about that doesn’t want to report its findings because doing so will just cause it more trouble :))

Comments are closed.