Culpability for this Ransomware Belongs to the NSA

In all the coverage of the recent ransomware attack shutting down computer systems around the world, one point has been buried and obscured. The focus has been on precisely who spread this horrid thing, what damage it has done, what to do once you have it, and how to prevent it.

All fascinating questions. But an equally, if not more, important question is: who created this weapon of mass computer destruction? What was its origin? How did it get released in the first place?

And here, the answer is as sure as it is alarming. The culpability belongs to the National Security Agency. That’s right. The government that claims to be protecting us against cybercrime both made the virus and failed to secure it from being stolen by malicious actors.

ComputerWorld explains

The tools, which security researchers suspect came from the NSA, include an exploit codenamed EternalBlue that makes hijacking older Windows systems easy. It specifically targets the Server Message Block (SMB) protocol in Windows, which is used for file-sharing purposes…. The developer of Wanna Decryptor appears to have added the suspected NSA hacking tools to the ransomware’s code, said Matthew Hickey, the director of security provider Hacker House, in an email.

ArsTechnica explains:

A highly virulent new strain of self-replicating ransomware shut down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers…. Another cause for concern: wcry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. Eternalblue, which works reliably against computers running Microsoft Windows XP through Windows Server 2012, was one of several potent exploits published in the most recent Shadow Brokers release in mid-April.

The New York Times says:

The attacks on Friday appeared to be the first time a cyberweapon developed by the N.S.A., funded by American taxpayers and stolen by an adversary had been unleashed by cybercriminals against patients, hospitals, businesses, governments and ordinary citizens…. The United States has never confirmed that the tools posted by the Shadow Brokers belonged to the N.S.A. or other intelligence agencies, but former intelligence officials have said that the tools appeared to come from the N.S.A.’s “Tailored Access Operations” unit, which infiltrates foreign computer networks. (The unit has since been renamed.)

The furious president of Microsoft weighed in:

Starting first in the United Kingdom and Spain, the malicious “WannaCrypt” software quickly spread globally, blocking customers from their data unless they paid a ransom using Bitcoin. The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States…. The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

Cyberscoop interviewed several experts:

“In my view, there isn’t a policy problem, it’s an operational problem,” [former White House National Security Council cyber staffer Rob] Knake, now with the Council on Foreign Relations, told CyberScoop. “NSA should not have lost those tools. No way for policymakers to account for that problem other than to move quickly to get info on the vulnerabilities out, which they apparently did. Loss of the tools is an operational problem. The response was appropriate and timely.”

This is obviously terrible for the United States in terms of international relations. It is the equivalent of having built a weapon of mass destruction and inadvertently failing to secure it from access by criminals. Yes, the people who use such weapons are bad actors, but the bureaucracy that made the weapon and allowed its release in the first place bears primary responsibility.

Had a private company been responsible, its stock would now sit at nearly zero and the feds would be all over it for responsibility for cybercrime.And while the NSA’s responsibility is certainly being downplayed in the American mainstream media – NPR reported it but quietly and inauspiciously – you can bet it is all the talk in the 100 countries that are affected.

Yes, it would be very sweet if users around the world were forgiving and understanding. Everyone makes mistakes. Sadly, that is not the case. The NSA developed this virus to use against network systems of enemy countries and failed to secure it. The head of Microsoft is correct that this really is an outrage, and cries out for a fix.

Had a private company been responsible, its stock would now sit at nearly zero and the feds would be all over it for responsibility for cybercrime. Probably there would be jail time.

What will be the fallout from the NSA screw up? Watch for it: surely a bigger budget.