On 02 November 2019, Brian Batholomew (at the time of this writing, at Kapsersky Lab) posted a very interesting Twitter poll. To summarize (or in case the poll is removed), the question can be simplified as the following: if someone bought leaked data from the Shadow Brokers, would you still do business with them? For any company either based, domiciled, or doing significant business in the United States (given the nature of the Shadow Brokers leaks, focusing on alleged NSA-developed tools), the almost certainly obvious answer would be, “no, of course not.” And yet… the issue does not seem to be as clear as initial impressions would indicate.
As I explained in a previous posting, governments (especially the US government) have largely given the private sector a free hand in organizing, policing, and maintaining itself in the context of information technology. While this has apparently resulted in significant benefits in terms of innovation, development, and experimentation, such an approach has also created a landscape where organizations – especially “large” companies such as Microsoft, Cisco, IBM, and Oracle, among others – are largely left to their own devices to defend themselves against state-sponsored, persistent intrusion events. Furthermore, given the scope and extent of these company’s products, their technology becomes a focus for multiple malicious entities to develop and deliver attacks on third parties (i.e., customers). When combined with the international reach of the dominant entities within the information technology space – spanning from the US to the EU to Russia and China – such entities have had to adopt a posture concerning internal security, risk assessment, and customer support balancing the national interest of multiple countries with the company’s own interests in continuing involvement in multiple regions. In this sense, one could look at a Microsoft or Cisco as being similar to an Exxon or Shell in terms of international reach and attempting to mollify multiple, conflicting stakeholders simultaneously.
To unpack this issue, we must first look at a series of duties potentially binding the corporate personas (since in the US sense, corporations are kind of people) guiding multinational IT companies. First, such organizations presumably owe some level of allegiance to (or at least a degree of non-interference in) the affairs of their sponsoring, home country – in almost all cases, the United States. At the same time, such organizations have a clear duty to their customers – for operating systems, office products, databases, or other technologies – to provide working, reliable, and secure products. As such organizations have grown and become dominant in their respective industries globally, such responsibilities in terms of security and reliability presumably extend beyond the location of their origin and incorporation to cover entities well-removed from the interests of the state under which the company was born.
Organizations thus possess customers across multiple countries, even though the entity itself is likely based in the US, while facing duties to both the country of residence and the needs of paying customers. Given this framework of competing (and at times contradictory) duties and responsibilities, circumstances become rather interesting. As framed by Brian, the question appears rather simple – do business with a company abiding by the law (or at least US law), or risk doing business with an entity in violation of such law for having purchased information from an entity malicious to the US. Yet for the entities most significantly impacted by such events, the question appears neither clear-cut nor simple… Who does Microsoft, Cisco, Apple, Salesforce, or so many similar entities owe allegiance to – the government of the state in which they are headquartered, or their customers scattered across the globe?
To play events out as a thought experiment, imagine this: you are an organization producing a software product with clients (i.e., entities dependent upon your product for the security, integrity, and reliability of their business) based around the globe. While the product is not completely secure and could always be better in some fashion, it nonetheless represents a best-effort product to fulfill customer needs, many of which are mutually exclusive (between reliability, accessibility, security, and backwards-compatibility). At some point, you learn of a significant vulnerability and corresponding exploit in this product, but which is held at ransom (essentially) by an entity which may serve the purposes of a state-sponsored entity hostile to the state of your incorporation. Given the collection of events and observations – what is the ethical decision given conflicting duties – the duty to follow the interests of the “home country”, or the duty to best protect clients and customers who depend on you?
To look at a very specific example: MS17-010, also known as the EternalBlue or WannaCry vulnerability, was a fundamental flaw in Microsoft Windows operating systems for many years, allegedly used by the NSA for purposes unknown. While not specifically described by the Shadow Brokers, this vulnerability (and a working exploit for it) were offered for sale prior to public disclosure in April 2017. From the perspective of duty to customers, one could easily defend a decision by Microsoft (or a similarly-situated vendor – Cisco has faced similar such quandaries although without similar follow-on impacts) to purchase such information (whether directly or through some contracted, anonymous third party) for the sole intention of learning what vulnerabilities were discovered, and then patching or mitigating them through whatever means possible.
In the case of MS17-010, Microsoft appears to have received information from a party (likely the US government) in advance of the Shadow Brokers release – but given the extensive penetration of Windows operating systems across multiple economies and comprising multiple versions, the advance notice from March (Microsoft patch release) to April (Shadow Brokers vulnerability and exploit release) seems insufficient. Thus, Microsoft finds itself in a notional bind: attempt to purchase vulnerability information in advance of private release to enable possible protection of customers as early as possible, or obey the letter of the law in the country of residence (US) while leaving clients at risk.
In this set of circumstances, I would find Microsoft (or a similarly-situated entity) is well within its rights and obligations to defend its customers (which include nearly all US federal, state, and local government entities) by procuring such illegally-sourced information for defensive and hardening purposes. Note this is significantly different from other possible use cases – such as a third-party vendor or penetration testing organization procuring the vulnerability for analysis or even use. In those cases where ‘classified’ but leaked or lost data relates to an identified flaw, vulnerability, or exploit in a product, the owner and developer of that product should be able to defend, secure, or otherwise patch that product to protect its customers and clients, as well as their business and reputation.
Where this idea, which seems rather simple and straightforward, gets more complex is when we start extending from procurement of lost or disclosed capabilities (such as the Shadow Brokers leaks) to identified but still secret vulnerabilities – the can of worms known in the US as the vulnerability equities process (VEP). For the uninitiated, VEP attempts to balance the conflicting goals of possessing offensive or espionage cyber capabilities such as exploits and tools with the need to secure networks and infrastructure that are vulnerable to these same capabilities. Past VEP activity appears to have been overly generous to offensive needs, while more recently (especially in a post-Shadow Brokers world) VEP seems to have rebalanced a bit (such as the NCSC disclosure of a critical Windows RDP vulnerability which previously would almost certainly have been kept secret for offensive use). But while “hackers gonna hack” and “spies gonna spy”, it is also worth wondering if organizations should be precluded from using any reasonable means necessary (including the potential procurement of sensitive or legally restricted information) to ensure product security. Given that governments appear hesitant to disclose such information except after balancing out their own concerns, companies whose products are impacted would seem to be held in an awkward and unfortunate position – especially since the needs of the majority of their clients and customers may be completely separate from (or in opposition to) the goals of the government entity identifying vulnerabilities.
Overall, procuring or sourcing information illegally harvested for use seems obviously wrong and hard to defend – but doing so for purposes of defense and protection would appear allowable and even desirable, especially since the reasons for sensitivity may be in direct opposition to the benefit of many. Unfortunately, continued emphasis on offensive operations in government circles (or the greater influence of organizations such as military and intelligence communities in government over domestic security entities) means that this quandary will persist for the foreseeable future. Yet in cases such as the examples above, I think many should give pause before having the knee-jerk reaction towards an organization procuring such information.