
When should the government reveal cyber flaws to tech companies?

May 15, 2017 at 6:40 PM EDT
If the government can detect that there is a hole in a company's software that makes it vulnerable to attack, do they have an obligation to tell that company, even if it gives away the government's tool for conducting surveillance? William Brangham speaks with Eric Geller of POLITICO about that tension and what consumers need to know when it comes to cybersecurity and how to protect themselves.

JUDY WOODRUFF: And some further reporting now on this and what consumers need to know.

And that comes from William Brangham.

WILLIAM BRANGHAM: And, for that, we turn to Eric Geller, who covers cyber-security for Politico.

WILLIAM BRANGHAM: So, you just heard the president of Microsoft make his argument, that they’re not really to blame for this, for the slowness, or relative slowness, of putting out the patches.

What do you make of that point he’s making?

ERIC GELLER: Well, Microsoft is in a tricky position here, because, as you heard, he didn’t want to discuss whether they had been informed by the NSA.

Seems likely they were informed. The only other possibility is that they were told by this group that leaked the files. So, either way, they’re in a tricky situation. They have got to rush to fix this problem that they didn’t know about. They’re wondering whether they should demand some changes to the way the government deals with these policies.

And, of course, at the same time, they’re wondering what the consequences are going to be for consumers. So they are in a tricky situation. I think they moved as fast as they could. Of course, what we’re seeing is, the more time you have to tell customers about the problem, the more customers who will fix it. They had only a very short period of time.

WILLIAM BRANGHAM: And, obviously, we have been talking about this potential that the — this was somehow a tool created by the NSA that was stolen by hackers.

And Microsoft is arguing that that’s really the problem, that the government is devising tools to break into our computers. Inevitably, those tools are going to get out, and we’re going to see the havoc we have seen.

What do you make of that argument?

ERIC GELLER: They certainly have a point that the U.S. government has not done a great job of keeping its secrets secret over the past few years, Edward Snowden, Harold Martin, who was recently arrested and charged with stealing classified information.

The Shadow Brokers, we still don’t know who they are. And then, of course, WikiLeaks has been posting CIA files. So, look, Microsoft has a point. The government is not as good at this as it should be.

On the other hand, the government needs to be able to break into Russian computers, ISIS computers. There are all kinds of valid foreign intelligence targets out there who are using Windows and who need to be surveilled by our government in order to do its job.

So, I think Microsoft is in a tricky spot because it doesn’t want to say the government shouldn’t be able to spy on terrorists, but those same terrorists, they use the products that we use. And so issues that allow them to be spied on, they also put us at risk.

WILLIAM BRANGHAM: Obviously, that seems like the trickiest part of the debate. If the government can detect that there is a hole in a company’s software, do they have an obligation to tell that company, so that they can patch it?

But then that also gives away the tool that the government no longer has to do this exact surveillance you’re describing.

ERIC GELLER: And the government has a process. I should say, they have a process for deciding when to reveal a flaw to a company. It’s called the Vulnerabilities Equities Process. And the government actually revealed it a few years ago when there was a major vulnerability that was disclosed in public.

They still don’t have all the fine-tuning details of that nailed down. And there’s been some efforts. California Democrat Ted Lieu yesterday said — or, I should say, Friday said that he wanted to reform that process. He wanted to change the rules for when the government has to tell a company about this.

We’re in the very early stages of this process. This is a very obscure issue. It’s not one that people are familiar with, but it’s one that, I think, as we saw this weekend, it’s becoming more important to our own lives.

WILLIAM BRANGHAM: Getting back to this attack itself, do you think, as we have been reporting, that this seems like it’s winding down, or, as Judy mentioned, are we going to see more variants crop up?

ERIC GELLER: It’s hard to say, because, as you point out, anybody can build a new variant, anybody can change the code, put it back out there, and the ways of sort of killing it and tamping down on it, they have to be pursued freshly, they have to be pursued anew.

And so it’s possible that this never stops. I have a hard time imagining that cyber-criminals will just keep doing this forever. They are going to find other things that they like to do, but there is certainly no technical reason that it can’t happen forever.

WILLIAM BRANGHAM: We saw this break out first in hospitals in the U.K. Is that because they, hospitals, are particularly vulnerable, or was it because they were targeted specifically?

ERIC GELLER: It’s unclear right now.

I think they were probably targeted. One sort of conspiracy theory here is that this wasn’t meant to be released when it was, that it was sort of a test. They were trying to figure out what would happen, and it got out, and perhaps the way it was initially configured, it ended up going to the National Health Service first.

Either way, I would say probably not accidental. These things have to be coded. They have got to be targeted at particular entities. It’s hard for me to imagine that the scale that we saw with the NHS, that that was completely random. But I should say that U.S. officials and private cyber-security firms have really, I think, at this point no idea who it is, although they are pursuing some leads.

WILLIAM BRANGHAM: Lastly, just for our viewers out there who are worried, could this strike me, what can I do to protect myself, can you give us just a quick digital computer hygiene lesson?

What are the things people should do to stop this from happening to them?

ERIC GELLER: I think the number one thing is, you want to patch Windows. If you’re running Windows — and I think a lot of people out there are — make sure that you’re using — you should be running Windows 10, which is…

WILLIAM BRANGHAM: So, when you get those software update notifications, do those.

ERIC GELLER: Do them right away.

You’re much better off doing that and just making sure that Microsoft is finding all the things that could go wrong. And just you have got to install everything whenever it comes out there.

And then also I would say, if you’re running Windows XP — and I hope to God that very few of your viewers are running Windows XP — but if you are, you should throw that computer away and get a new one as soon as possible, because Microsoft is not going to support these kind of critical patches for Windows XP forever.

WILLIAM BRANGHAM: And, of course, don’t click on those dodgy-looking e-mails.

ERIC GELLER: Absolutely.

WILLIAM BRANGHAM: Eric Geller of POLITICO, thank you so much.

ERIC GELLER: Thank you.