Ex-Obama cyber czar defends government rules for hacking tools


Former President Barack Obama’s cyber czar is defending rules governing the hoarding of hacking techniques following the global ransomware attack — in which it’s possible a National Security Agency cyber tool was used against targets like hospitals and governments.

Michael Daniel, a top adviser to Obama on cybersecurity from mid-2012 to the end of the Obama administration, said U.S. intelligence agencies have to arm themselves for a cyber war and that critics who argue for a disarmament are not living in a realistic world.

He also argued the rules ultimately make the U.S. safer.

“It is naive to believe that in the 21st century, intelligence agencies, law enforcement agencies are not going to have the need to discover software vulnerabilities and exploit them for intelligence purposes,” Daniel told The Hill in an interview.

“In fact, it’s what we want them to do. It’s part of the way we catch terrorists, it's part of how we discover the intentions of those who plan to do us harm. As a society, we want those decisions to occur.”

Congress is beginning a debate over whether to change federal rules on when the NSA and other agencies must disclose security holes in software. Agencies such as the NSA can now hold on to some of these vulnerabilities so that they can potentially take advantage of them.

The WannaCry ransomware attack renewed criticism of this system. In the attack, hackers used tools believed to have leaked from the NSA to launch a global attack on users of Microsoft Windows. The attack caused a global panic as hospitals in Great Britain were forced to turn away patients. Some government systems in Russia are reportedly still not back online.

Ransomware is a type of malware that encrypts a target's data, with the attacker only providing the decryption key after receiving payment.

The current U.S. process for determining whether an agency must tell a software or hardware manufacturer that it has a vulnerability is known as the Vulnerabilities Equities Process.

Under that system, the NSA and other agencies must report vulnerabilities they want to keep to an executive branch panel, which then determines whether the manufacturer needs to be notified.

Microsoft, NSA leaker Edward Snowden and the American Civil Liberties Union are among the figures who say manufacturers should always be told about vulnerabilities. They argue this would make the world safer from hackers.

“We can be more transparent, but I don't think the government can ever be as transparent as some people would like,” Daniel said.

“If the government came out and said we had a stockpile of eight vulnerabilities, and the Russian or Chinese intelligence services knew they had figured out seven of the vulnerabilities the U.S. continued to use, they could entirely block the U.S. intelligence agencies.”

Daniel suggests that the best the government may be able to do is release percentages of how many vulnerabilities were disclosed in a given period. That would, at a minimum, show that the process was working.

The PATCH Act, introduced in March by Sens. Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.) and Cory Gardner (R-Colo.) and Reps. Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas), wouldn’t require U.S. agencies to reveal vulnerabilities.

It would, however, codify the current system and introduce a multi-agency review process. 

Daniel, who is now the president of the Cyber Threat Alliance, a group of cybersecurity companies that share threat information, says he sees the bill as a net positive but is critical of taking too much authority away from the executive branch.

“I’m very skeptical about Congress codifying processes,” he said. 

“It would not be bad for Congress to say there has to be some kind of process and it has to meet the following criteria, but leave the specific details to the executive branch.