I’ve been trying to figure out why the U.S. government thought it was useful to attribute the “WannaCry” attack to North Korea. WannaCry was a global ransomware attack that hit hundreds of thousands of computers, cost billions of dollars in damage, and compromised U.K. healthcare computers in ways that “put lives at risk.” In a Tuesday, Dec.
Latest in WannaCry
The Government Accountability Office last week published a report that, among other things, weighs in on the pros and cons of the NSA/CYBERCOM “dual-hat” system (pursuant to which the director of the NSA/CSS and commander of CYBERCOM are the same person). The report deserves attention but also some criticism and context. Here’s a bit of all three.
1. What is the “dual-hat” issue?
The WannaCry and Petya malware, both of which are partially based on hacking tools allegedly developed by the National Security Agency, have revived calls for the U.S. government to release all vulnerabilities that it holds. Proponents argue that this would allow patches to be developed, which in turn would help ensure that networks are secure. On its face, this argument might seem to make sense—but it is a gross oversimplification of the problem, one that not only would not have the desired effect but that also would be dangerous.
Software and computer systems are a standard target of intelligence collection in an age where everything from your phone to your sneakers has been turned into a connected computing device. A modern government intelligence organization must maintain access to some software vulnerabilities in order to target these devices. However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flipside of this issue—the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched.
Another month, another ransomware epidemic. Broadsheets are screaming panic while companies yell back that All Is Well and Ukraine shows the world what gifs can do for incident response. Twitter is abuzz with the rapid, globalized forensics effort of a legion of amateurs and professionals (though nothing yet from the White House).
Last month, a ransomware attack—one of the most far-reaching cyberattacks in history—affected thousands of hospitals, corporations, and other institutions in more than 150 countries. As expected, an attack of this magnitude galvanized calls for action to prevent this kind of event in the future.
Yesterday I was interviewed by NPR about the Shadow Brokers and their relationship to WannaCry. Overall I think it went well, especially since NPR is very comfortable with answers that start with “we don’t know” and then set out the evidence we do know. But I may have been wrong on one significant thing: I thought the Windows tools were the most damaging the Shadow Brokers have to offer.
The most important policy question raised by the WannaCry ransomware fiasco is not the most obvious one.
In a recent blog post, Microsoft argued that the use of a vulnerability for Windows XP stolen from the NSA and released by the Shadow Brokers has caused widespread damage in the public domain, and the lesson that governments should learn from this incident is that government stockpiling of vulnerabilities that might be inadvertently revealed presents a hazard to safe computing around the world.