Should the National Security Agency (NSA) act as a responsible grey hat, and why does Congress believe it can be the NSA's watchdog? In the wake of WannaCry, a lot of questions popped up about why the NSA keeps a stockpile of zero-day exploits, and just how safe those exploits are. Fair questions, to be sure. But they are not easily answered, nor can they be governed by simple, toothless legislation.
Let's rewind for a moment and find out why these questions are arising in the first place. As most of you remember, the WannaCry ransomware was, and is, one of the fastest-spreading pieces of malware to date. The primary reason was the tool it used to propagate across networks: an exploit called EternalBlue, which attacks a (now known) flaw in Windows' SMBv1 file-sharing service. Microsoft had in fact patched that flaw (MS17-010) in March 2017, roughly two months before WannaCry spread, so the worm hit machines that had not yet applied the update. EternalBlue was developed by the NSA and was part of the toolset leaked to the public a few months back, which is the very crux of the debate.
Can the NSA keep its tools from being used against us by hackers? Does the cost outweigh the benefit? Are there benefits at all, or are these tools being used in a dragnet-style procedure that results in the unconstitutional, non-targeted collection of data? The unfortunate answer to these questions, and many more, was a new bill brought to us by a bipartisan team, known as the "Patch Act."
The purpose of the Patch Act is to create a review board that establishes the obligations of the FBI, DHS, CIA, NSA, etc. for how they handle their vulnerability equities (the undisclosed vulnerabilities and exploit tools they hold). Essentially, this review board will discuss and decide when, how, or IF vulnerability information is to be disclosed to the affected software vendors. In other words, the review board will decide which flaws in our machines remain secret and which get fixed. It's a tricky balancing act. If they disclose a vulnerability, they lose a tool. If they don't disclose it, we, the users, stay exposed and run the risk of that vulnerability being used against us, as happened with WannaCry.
There could, however, be a slight problem with the Patch Act. The board is going to be composed of the heads of the very agencies it is supposed to watch over. To say that they will be impartial is a bit of a pipe dream. I'm honestly not even sure how much the departments talk to each other, so if nothing else this may improve communication.
While I believe the Patch Act has its roots in an oversight and transparent review process, it's clearly intended as a "feel-good act of faith" for the general public, and not meant as true and honest oversight.
This is a difficult issue to tackle. How do we monitor the people we expect to keep us safe, knowing that in order to do so they must act in ways that run counter to the laws and freedoms we hold dear? In this case, they hold tools that they will ultimately lose control of, and those tools will be used against us. But do we let them decide IF the tools are worth the harm they may bring us, just because those tools may help them in their primary job of keeping us safe? Then we throw in the next question: are those tools, in fact, helping to keep us safe? What is the cost, and what is the value? And can the tool wielder be an impartial judge?
It goes without saying that an oversight commission has been tried before, and still exists, but it failed miserably. The agencies simply closed their doors to the commission and left it scratching its head.