“For the record, I’ve never admitted to stealing valuable government material,” Edward Snowden, former CIA and National Security Agency employee and whistleblower on government surveillance, said Monday during a live video chat from Russia aired during the K(NO)W Identity Conference held in Washington. “I do happily admit to copying evidence of serious crimes and providing that to journalists.”
Addressing Friday’s WannaCry global cyberattack, which is being hailed as the largest ransomware attack to date, Snowden characterized the attack that used information from his former employer as “a perfect storm of all of the problems that everyone has been warning about for years now.”
Posited Snowden: “How did we get to this point” where malicious hackers are shutting down hospitals, railway station terminals have been affected, automobile manufacturing plants in France have been shut down, and FedEx in the United States has been impacted?
Snowden said the ransomware attack, which used a software vulnerability in Microsoft Windows that the NSA had been exploiting, “provides yet another example of why stockpiling computer vulnerabilities by governments is such a problem. This is happening around the world; it’s not just in the United States. This is an emerging pattern in 2017: We’ve seen vulnerabilities stored by the Central Intelligence Agency (these are top secret documents not connected to the internet show up on Wikileaks); now this vulnerability that’s ransacking the world, stolen from the NSA, is affecting customers no matter their nationality.”
Repeated “exploits in the hands of government have leaked into the public domain and have caused widespread damage,” he continued.
Snowden explained that the NSA, the state surveillance bureau in the United States, has traditionally “aimed externally, toward the foreign adversaries, military, spies, terrorists, but because of changes in the politics that happened at the Bush White House and Sept. 11, they started looking inside the country too — this is called mass surveillance.”
The NSA has “done a lot of harm to America’s rights, to the internet security broadly, but no one pretends that this is their intention,” Snowden said. “…Good people often do bad things for what they believe are good reasons. It’s very easy to make mistakes here.”
Snowden continued: “…And in a borderless network, right, we need to be focused on security, on defensive measures more than we are focused on these offensive benefits of surveillance. Because when you cut those corners, when you focus exclusively on being able to watch people, on being able to attack adversaries, on being able to spy on people of interest, what you’re doing is you’re keeping those doors open that allow your adversaries to attack you in the same way. And this is precisely what Microsoft alleges the NSA did that led to the ransomware attacks of this weekend.”
The NSA “knew about this flaw—the National Security Agency—in U.S. software, U.S. infrastructure, hospitals around the world, these auto plants and so on and so forth, but they did not report it to Microsoft until after the NSA learned that that flaw had been stolen by some outside group (right, we still don’t know the identity of the people who actually did this),” he said. “But the problem is, had the NSA not waited until our enemies already had this exploit to tell Microsoft, and then Microsoft could begin the patch cycle, but instead told Microsoft when the NSA first learned of this critical vulnerability, we would have had years to prepare hospitals networks for this attack rather than a month or two, which is what we actually ended up with.”
As Microsoft explained, the attack started in the United Kingdom and Spain, with the malicious WannaCry software quickly spreading globally, blocking customers from their data unless they paid a ransom using bitcoin.
At last count, the attack hit more than 200,000 computers in 150 countries.
Two Biggest Cyber Threats
The two most serious forms of cybersecurity threats today: “those by nation-state actors and those by organized criminal groups,” Snowden said.
When queried by moderator Manoush Zomorodi, host and managing editor of “Note to Self” from WNYC Studios, on the much debated issue of privacy versus security, Snowden responded: “This has never been a conversation about privacy versus security; privacy and security improve together, they’re actually tied to each other. When one is reduced the other is reduced. Surveillance and privacy are the contradictory factors. When surveillance increases, privacy decreases.”
And, he continued, “this actually means that when surveillance increases, security typically decreases. That might not seem obvious at first glance, but when you think about how surveillance actually functions it becomes quite clear, particularly in the computer security context.”
Surveillance “operates by observing, witnessing and exploiting vulnerabilities.”
In terms of regulation, Zomorodi queried Snowden on whether the Europeans are “the best model we have right now — in terms of privacy laws; they are strongest in Europe, they’re talking about fining companies like Facebook for hate speech and other things, they also have the highest data protection regulatory laws. Is the EU where we need to be looking?”
Snowden replied that this is a “complicated space; the answer is yes and no. They do better in some places, we do better in others.”
Nobody, he continued, “has it right in terms of regulation.”
Benefits of Blockchain
“The blockchain is good for a lot of reasons; it allows you to establish if something happened at a specific time and freeze it in a public ledger. … This person signed up at this time; or this person was at this bank at a certain time.”
The information “is crystalized and frozen there forever [on the blockchain]; it’s not going to be lost unless the entire network across the board is lost because it’s spread across jurisdictions and has to be centralized.”
When queried on whether the current know-your-customer and money laundering regulations are effective tools in countering illegal actors, Snowden replied, “No, they’re not. They are perhaps helpful and useful in some edge cases.”