
N.S.A. Takes Step Toward Protecting World’s Computers, Not Just Hacking Them

WASHINGTON — The National Security Agency has taken a significant step toward protecting the world’s computer systems, announcing Tuesday that it alerted Microsoft to a vulnerability in its Windows operating system rather than following the agency’s typical approach of keeping quiet and exploiting the flaw to develop cyberweapons.

The warning allowed Microsoft to develop a patch for the problem and gave the government an early start on fixing the vulnerability. In years past, the National Security Agency has collected all manner of computer vulnerabilities to gain access to digital networks to gather intelligence and generate hacking tools to use against American adversaries.

But that policy was heavily criticized in recent years when the agency lost control of some of those tools, which fell into the hands of cybercriminals and other malicious actors, including North Korean and Russian hackers.

By taking credit for spotting a critical vulnerability and leading the call to update computer systems, the National Security Agency appeared to adopt a shift in strategy and took on an unusually public role for one of the most secretive arms of the American government. The move shows the degree to which the agency was bruised by accusations that it caused hundreds of millions of dollars in preventable damage by allowing vulnerabilities to circulate.

“We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community,” Anne Neuberger, the agency’s cybersecurity director, told reporters.

The vulnerability exists in Windows 10, Microsoft’s flagship operating system, as well as some versions of its server software. It allows hackers to insert malicious code into a target computer and make it appear to be from a safe and trusted source. The vulnerability could also allow hackers to decrypt secret communications.

The vulnerability was serious, officials said. The National Security Agency warned government officials who oversee classified systems about the flaw and the coming Microsoft patch before discussing it publicly, Ms. Neuberger said.

The agency has in the past privately shared vulnerabilities it found with Microsoft and other technology companies. During the Obama administration, officials said, they shared about 90 percent of the flaws they discovered.

But the agency never allowed those firms to publicly identify the agency as the source of those discoveries, Ms. Neuberger said. The agency wanted the public acknowledgment of its role in finding the new defect to demonstrate the importance of patching the flaw, she said.

“Ensuring vulnerabilities can be mitigated is an absolute priority,” Ms. Neuberger said.

The National Security Agency’s action suggests that the risk the vulnerability posed to American government systems likely outweighed its usefulness as a tool for the agency to gather intelligence.

Experts and technology companies praised the agency. But some noted that even as one arm of the government was moving to protect the public’s ability to encrypt its communications, another was taking the opposite tack. A day earlier, the Justice Department called on Apple to break the encryption on its phones, and it has pushed for so-called back doors in Facebook’s encrypted messaging services.

The Washington Post earlier reported on the agency’s warning to Microsoft, which released a patch for the vulnerability on Tuesday.

Customers who automatically update their operating systems or applied Tuesday’s patch “are already protected,” said Jeff Jones, a senior director at Microsoft.

Microsoft said no evidence had emerged that malicious actors had exploited the vulnerability and said its security software could detect malware trying to do so.

The National Security Agency’s decision to reveal the flaw to Microsoft — and then to publicly announce its move — is in sharp contrast to how it handled another flaw that it discovered but told Microsoft about too late to prevent global damage.

In early 2017, agency officials told Microsoft’s president, Brad Smith, that it had found a flaw in its operating systems but lost it to a group called the Shadow Brokers, which somehow obtained hacking tools that the United States had used to spy on other countries. The agency had known about the flaw for some time but held on to it, believing that one day it might be useful for surveillance or the development of a cyberweapon.

But when the agency’s arsenal of flaws leaked out — presumably through insiders, though the National Security Agency has never said — among it was exploit code nicknamed “Eternal Blue.” Although Microsoft had raced to get people to patch the flaw, many systems remained unprotected.

Soon, North Korean hackers used the code to develop “WannaCry,” software that crippled the British health care system, which used an outdated version of Microsoft Windows. And Russian hackers used it in the NotPetya attacks, among the most damaging cyberattacks in history, costing hundreds of millions of dollars to companies including FedEx and Maersk, the shipping giant.

The agency dismissed the idea that it was responsible for the malicious use of the code — arguing that the responsibility lay with North Korea and Russia, which mounted the attacks. But privately, many agency officials acknowledged that the tendency to hoard such flaws in hopes of developing weapons had come at a huge price and that the United States bore some responsibility for the damage caused by Eternal Blue and other tools.

Some experts believe Eternal Blue is continuing to cause problems, allowing hackers to disrupt computer systems.

The White House often decides whether to hold on to a flaw for future use or reveal it to the manufacturer. Obama administration officials set up a system to make the decision. Trump administration officials say a similar process still exists, but they have stopped publishing information about the percentage of vulnerabilities they make public.

The National Security Council reviewed the latest decision to share information about the new flaw with Microsoft, Ms. Neuberger said.

The vulnerability involves Windows’ digital signature system, according to a person familiar with the issue. Microsoft, and other companies, use digital signatures to identify software and updates as authentic: a signature that verifies under a key the operating system trusts is what tells it that a file really came from the publisher it claims to.

The vulnerability unearthed by the National Security Agency could potentially allow a hacker to add a fake signature that could allow malware to be inserted onto a vulnerable computer. Because the vulnerability was not yet public, no known malware has taken advantage of it.
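The two paragraphs above rest on one principle: a digital signature only proves authenticity relative to the set of keys the verifier already trusts, so a verifier that takes its trust from material carried inside the signed file can be handed a “valid” signature from an attacker’s own key. The following Go program is an added illustration of that principle, written for this page; it is not Microsoft’s code and it is not a reconstruction of the specific Windows flaw, whose technical details the article does not give. The artifact format, the key pairs and the payload strings are all constructed for the example, and Ed25519 from Go’s standard library stands in for whatever signature scheme a real update system uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Artifact is a constructed stand-in for a signed software update: the
// payload, a signature over its SHA-256 digest, and the public key the
// package claims was used to sign it. The claimed key is attacker-controlled
// data just like the payload; nothing about it is trustworthy on its own.
type Artifact struct {
	Payload    []byte
	Signature  []byte
	ClaimedKey ed25519.PublicKey
}

// SignArtifact produces an artifact signed with priv and attaches the
// matching public key, as a publisher (or a forger) would.
func SignArtifact(priv ed25519.PrivateKey, payload []byte) Artifact {
	digest := sha256.Sum256(payload)
	return Artifact{
		Payload:    payload,
		Signature:  ed25519.Sign(priv, digest[:]),
		ClaimedKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyNaive checks the signature against the key shipped inside the
// artifact. The arithmetic succeeds for anything signed with *some* key,
// so a forger who signs malware with their own key passes this check.
func VerifyNaive(a Artifact) bool {
	digest := sha256.Sum256(a.Payload)
	return ed25519.Verify(a.ClaimedKey, digest[:], a.Signature)
}

// VerifyTrusted ignores the attached key and accepts only a signature that
// verifies under a key already in the verifier's own trust store. Trust
// comes from the store, never from data carried by the thing being checked.
func VerifyTrusted(a Artifact, trusted []ed25519.PublicKey) error {
	digest := sha256.Sum256(a.Payload)
	for _, k := range trusted {
		if ed25519.Verify(k, digest[:], a.Signature) {
			return nil
		}
	}
	return errors.New("no trusted key verifies this signature")
}

// Outcome records what each verifier decides for a genuine, a forged and a
// tampered artifact.
type Outcome struct {
	NaiveAcceptsGenuine, NaiveAcceptsForged, NaiveAcceptsTampered       bool
	TrustedAcceptsGenuine, TrustedAcceptsForged, TrustedAcceptsTampered bool
}

// RunScenario builds a publisher key and an attacker key (both generated for
// this example), signs the same payload with each, and runs both verifiers.
func RunScenario() (Outcome, error) {
	pubPublisher, privPublisher, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, privAttacker, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	trustStore := []ed25519.PublicKey{pubPublisher} // the verifier's own roots

	payload := []byte("update-1.2.3.msi: constructed sample payload")
	genuine := SignArtifact(privPublisher, payload)
	forged := SignArtifact(privAttacker, payload) // mathematically valid, wrong signer

	// Tampered: genuine signature and key, but the payload was altered afterwards.
	tampered := genuine
	tampered.Payload = []byte("update-1.2.3.msi: constructed sample payload (modified)")

	return Outcome{
		NaiveAcceptsGenuine:    VerifyNaive(genuine),
		NaiveAcceptsForged:     VerifyNaive(forged),
		NaiveAcceptsTampered:   VerifyNaive(tampered),
		TrustedAcceptsGenuine:  VerifyTrusted(genuine, trustStore) == nil,
		TrustedAcceptsForged:   VerifyTrusted(forged, trustStore) == nil,
		TrustedAcceptsTampered: VerifyTrusted(tampered, trustStore) == nil,
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Both verifiers reject the tampered file, because the digest no longer matches; only the trust-store verifier rejects the forgery, because it never consults the key the file brought with it. Real code-signing systems put a certificate chain between the signing key and a root the operating system trusts, and the same rule applies there: the chain has to be validated back to the verifier’s own roots, and every parameter the verifier relies on has to come from that root rather than from the signed file.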

Criminal hackers or nation states typically take weeks to exploit a new vulnerability, so businesses, governments and individuals may have a little time to install the security patch developed by Microsoft. That window can be shorter than it looks, because a public patch gives attackers a starting point for working out what the flaw was, and experts urged them to move quickly nonetheless.

It was not clear how much of a strategic shift the agency’s announcement amounted to. The agency presumably is still hunting for vulnerabilities and flaws that could allow it to infiltrate Iranian computer systems, as well as those used by Russia, China and other adversarial countries.

But if the agency continues to follow the example it set on Tuesday, then for future vulnerabilities that affect not just one critical computer system but millions of users or more across the world, its experts could help fix the problem rather than exploit it.


Blocked in U.S., Huawei Touts ‘Shared Values’ to Compete in Europe

BRUSSELS — The committee room of the European Parliament was crowded with lawmakers and lobbyists who were facing off with executives of the telecommunications giant Huawei. One lawmaker, eager to raise the trust issue, got directly to the point: Could Huawei be a front for Chinese state espionage?

Abraham Liu, the company’s top official in Europe, pushed right back. Huawei, he said, is completely independent, with no obligation to spy for China, and to do so “would be like committing suicide.”

Then he added a twist — and a veiled swipe at Huawei’s loudest critic, the Trump administration: It is Huawei, not America, that shares European principles.

“Europe’s values of openness, innovation and the rule of law have led to it being a powerhouse in mobile communications — and Huawei shares these values,” Mr. Liu said.

In Washington, Huawei is treated like a grave security risk over concerns that Chinese intelligence agencies could use the company’s technology to infiltrate the systems of foreign customers. Yet in Brussels, the European Union’s de facto capital, the company is waging a multifaceted charm offensive, partly by exploiting European distrust toward the Trump administration — and, for now, it is working.

As the company competes to build Europe’s next-generation 5G wireless networks, Huawei is spending millions of dollars on an intensive advertising and lobbying campaign, while making a bold argument to European policymakers: That while the Trump administration is unpredictable and unreliable, Huawei is a guarantor of privacy, transparency and globalization.

The message hasn’t gone unnoticed, nor has the irony.

“The Chinese have started brazenly claiming that it is China, not the United States, that shares more values with Europe,” said Julianne Smith of the German Marshall Fund in Washington.

“Chinese scholars and officials also frequently remind European audiences that unlike the United States, China believes in climate change and multilateralism, a message that is especially powerful in a place like Germany,” she said.

To push its message, Huawei has made unexpected moves. One is the hearing, in October, in which Mr. Liu spoke about values. It was not a case of a corporate leader being hauled before lawmakers for a grilling. Instead, Huawei had organized the “public debate” with members of the European Parliament, live-streamed the proceeding and posted the video online.

In the United States, the Trump administration has essentially blocked Huawei, but Mr. Trump’s efforts to push European allies to ban Huawei have fallen flat.

Neither the European Union nor individual countries have moved to restrict the company’s access to their markets. Hungary, whose far-right prime minister, Viktor Orban, identifies himself as a Trump ally, announced in November that Huawei would lead its 5G infrastructure rollout.

Even as government officials have debated its role, Huawei has forged ahead, and says it has already made dozens of deals to sell 5G hardware to wireless carriers across Europe. The extent of its involvement is unclear, because a single carrier can buy gear from multiple vendors, and some pieces of equipment, such as the core network, are more security-sensitive than others.

And at a NATO gathering near London this month, when Mr. Trump pressed Prime Minister Boris Johnson to shut Huawei out of Britain, Mr. Johnson — who has postponed a decision on the question — was noncommittal.

Secretary of State Mike Pompeo, in an opinion piece published by Politico Europe, implored policymakers “not to give control of their critical infrastructure to Chinese tech giants.”

To a degree, European policymakers in charge of assessing risks to cybersecurity share the United States’ concerns about Huawei. A recent European Union report highlighted, without naming Huawei, that a non-European 5G technology provider could be forced to allow its government to hack into and even control its networks, enabling access to private data, trade secrets and national security operations.

In Germany, Chancellor Angela Merkel has said that Huawei should be allowed to compete for 5G contracts, but other politicians have pushed back, indicating that the company could be in for a fight there.

“No Chinese company is an independent company,” Norbert Röttgen, a former government minister from Ms. Merkel’s party, said recently, adding that Huawei’s involvement was “an imminent question of national security.”

Yet one German telecommunication company, Telefonica Deutschland, has announced that it intends to contract Huawei for its 5G development.

European Union rules make it difficult to target individual companies for political reasons. The bloc could impose stringent standards of conduct and openness for 5G contractors that could be used to restrict Huawei but, as yet, has simply let each member country decide how to proceed.

Distrust toward the Trump administration is also a significant factor, as European policymakers worry that American sanctions on Huawei are simply a bargaining chip in the United States’ broader trade war with China and might be reversed.

“There is a fear that if you take what potentially are quite expensive decisions with regards to 5G because the Americans have told you that they are a security problem, and then President Trump gets a trade deal with China and suddenly Huawei is all O.K. again, then you’ll feel like the earth has moved under your feet,” said Ian Bond, director of foreign policy at the Center for European Reform, a policy group in London.

Years before the advent of 5G, Huawei was establishing a major presence in Europe, where it ranks third in mobile phone sales, behind Samsung and Apple. The company says it has 12,000 employees, and 23 research and development centers in Europe, a way of building favor and familiarity with policymakers.

And it has moved boldly to position itself in Brussels.

Huawei has spent more than $3 million this year on advertising and lobbying, according to its disclosures in the European Union lobbying registry. That is more than the combined spending of its European 5G competitors, Ericsson and Nokia, and far more than its American rival, Qualcomm.

In a huge advertising campaign this year, the company plastered banners featuring happy faces at Brussels Airport and in key spots around the city.

“Vote for 5G,” they read. “#Vote Smarter.”

In a press packet sent to hundreds of journalists there, Huawei argued that “It is crucial to roll out 5G the European way, in line with European values.” Huawei, it added, was best placed to guarantee those values.

The company also placed advertising in the most insider-focused journalism product in town, Politico Europe’s daily newsletter. “Brussels Playbook, presented by Huawei — Vote for 5G,” the subject line of an early-morning email read in late May this year.

Huawei has made donations to at least two major research institutions in Brussels that study European policy. Several other institutions receive funding from the Chinese government.

For Huawei, public records show that the amounts are relatively small, about $55,000 per organization. But they guarantee that the company is a player in the Brussels policy machinery.

In an interview, Mr. Liu said the company spent money on advertising and lobbying because of “attacks from the U.S. toward Huawei.” He said the company was “obliged to talk to the stakeholders in Europe and also the rest of the world, because the U.S. is very powerful — the U.S. government is super-powerful.”

“They’re trying to murder us,” he said.

In many ways, Huawei is using the Brussels playbook of major American technology players like Google, which has pioneered the use of public advertising campaigns in Brussels to influence legislation or regulations. The two companies even share a small, unassuming office building three blocks from the European Commission, where Google occupies three floors and Huawei one.

A review of the European Commission’s transparency register shows that Huawei employees met with top officials from the Commission, including commissioners and their top civil servants or members of their cabinets, 46 times in the past five years. The vast majority of those meetings were about 5G, the register shows.

Mr. Liu says his company’s continued presence in Europe demonstrates Washington’s failure to show any concrete evidence of wrongdoing by Huawei.

“It’s not fair on us as a private company to face such a challenge from a superpower,” he said. “And for Europe, we appreciate that the European stakeholders take a different approach.”