WASHINGTON — The National Security Agency has taken a significant step toward protecting the world’s computer systems, alerting Microsoft to a vulnerability in its Windows operating system rather than keeping quiet and exploiting the flaw to develop cyberweapons as the agency typically would, people familiar with the matter said Tuesday.
The warning allowed Microsoft to develop a patch for the problem, and it appears to be a shift in strategy for the intelligence agency. In years past, the NSA has collected and hoarded all manner of computer vulnerabilities, using them to gain access to computer networks to collect intelligence and develop cyberweapons to use against U.S. adversaries.
But that policy came under criticism when the NSA lost control of some of those tools, which fell into the hands of cybercriminals and other malicious actors in recent years, including North Korean and Russian hackers.
The NSA was set to discuss the decision to alert Microsoft later in the day. The Washington Post earlier reported its warning to Microsoft, which was slated to release a patch for the vulnerability on Tuesday.
The NSA’s decision to reveal the flaw to Microsoft — and then to publicly announce its move — is in sharp contrast to how it handled another flaw that it discovered but told Microsoft about too late to prevent global damage.
In early 2017, NSA officials told Microsoft’s president, Brad Smith, that it had found a flaw in its operating systems but lost it to a group called the Shadow Brokers, who somehow obtained hacking tools that the United States had used to spy on other countries. The NSA had known about the flaw for some time but held onto it, thinking that one day it might be useful for surveillance or the development of a cyberweapon.
But when the agency’s arsenal of flaws leaked out — presumably through insiders, though the NSA has never said — among it was code nicknamed “Eternal Blue.” While Microsoft had raced to get people to patch the erroneous code, many systems remained unprotected.
Soon North Korean hackers used the code to develop “WannaCry,” software that crippled the British health care system, which used an outdated version of Microsoft Windows. And Russian hackers used it in the NotPetya attacks, among the most damaging cyberattacks in history, costing hundreds of million of dollars to companies including FedEx and Maersk, the shipping giant.
The agency dismissed the idea that it was responsible for the malicious use of the code — arguing that the responsibility lay with North Korea and Russia, which mounted the attacks. But privately, many agency officials acknowledged that the tendency to hoard such flaws in hopes of developing weapons had come at a huge price and that the United States bore some responsibility for the damage caused by Eternal Blue and other tools.
Some experts believe Eternal Blue is continuing to cause problems, allowing hackers to disrupt computer systems.
The vulnerability involves Windows’ digital signature system, according to one of the people familiar with the issue. Microsoft, and other companies, use digital signatures to identify software and updates as authentic.
The vulnerability unearthed by the NSA could potentially allow a hacker to add a fake signature that could allow malware to be inserted onto a vulnerable computer. Because the vulnerability was not yet public, no known malware has taken advantage of it.
Criminal hackers or nation states typically take weeks to exploit a new vulnerability, so businesses, governments and individuals may have a little time to install the security patch developed by Microsoft. Experts urged them to move quickly nonetheless.
It was not clear how much of a strategic shift the NSA announcement amounted to. The agency presumably is still hunting for vulnerabilities and flaws that could allow them to penetrate Iranian computer systems, as well as those used by Russia, China and other adversarial countries.
But if the agency continues to follow the example set Tuesday, future vulnerabilities that affect not just one critical computer system but instead millions of users or more across the world, its experts could help fix the problem rather than exploit it.