Is NSA to blame for global WannaCry cyberattack?

The WannaCry cyberattack has by now been extensively quantified, with metrics ranging from total infected computers and the speed of its spread to the financial profit and news headlines with bad puns it generated.

Another metric increasing daily is the number of people asking who’s ultimately responsible for the largest ransomware attack in history. Central to answering that question is a tedious analysis of factors that enabled the ransomware’s development and potentially accelerated its distribution.

So far, experts and observers have cast blame, in full or in part, on factors ranging from, in no particular order, victim organizations’ poor cybersecurity hygiene, Microsoft, the NSA, the Shadow Brokers and North Korea-linked Lazarus Group. There are undoubtedly more. A few have observed it’s not so much one or two factors, but rather the concurrence of many or all of these factors that contributed to a perfect storm.

“Everyone is to blame in some way,” said Ben Johnson, a former NSA computer scientist and co-founder of cybersecurity company Carbon Black. “The NSA should have protected its tools better, but when a supplier comes out with a patch and says that it is extremely important to install, owners of that technology need to act.”

Phil Quade, chief information security officer of cybersecurity company Fortinet and former director of the NSA Cyber Task Force, noted the broader effect of WannaCry. “Primarily, WannaCry represents the first time that ransomware touched the public psyche,” Quade said. “It did that by affecting many countries at once. In other words, its scale and purpose were somewhat unique.”

Perhaps partly because of the widespread awareness that WannaCry raised, cybersecurity professionals, the general public and even nation-states have weighed in on who was ultimately responsible. Over the past week, the U.S. intelligence community, generally, and the NSA, in particular, have been both scapegoated and defended in the public debate.

But given the confluence of factors and actors that enabled the WannaCry outbreak, can any one single element bear sole responsibility?

U.S. Cyber Adversaries and NSA Critics Make Their Cases

Both of the U.S.’s top cyber adversaries – China and Russia, themselves implicated in dubious past and ongoing cyber operations – have blamed the NSA.

An op-ed in China Daily, the state news agency, said, “The U.S. National Security Agency must shoulder some of the blame, because the computer virus is based on one of the hacking tools that the agency created for its own use, which ended up in the hands of cyber criminals. That an agency tasked with protecting citizens from cyberattacks was itself so vulnerable to hackers shows how serious the problem is.”

The op-ed went on to note that cybersecurity has been one of the “major frictions” in U.S.-China relations. The U.S. has repeatedly “point[ed] an accusing finger” at China, the op-ed said, “although it has offered no credible evidence to support its accusation.”

In 2013, the U.S. published the IP Commission Report, which alleged China was stealing $300 billion worth of intellectual property from U.S. companies annually. Subsequent reports by the U.S. government and the cybersecurity industry have reached similar conclusions.

The China Daily op-ed went on to claim the U.S. is “hypocritical” in its charges against China, arguing “no other country has mounted such wide-ranging, costly and long-term surveillance operations in the history of the internet as the NSA’s PRISM and other spy programs.”

The op-ed urged the U.S. and China to engage in more “meaningful dialogue” and strive for “cooperation, not confrontation.”

According to Russian state-owned news agency Tass, Russian President Vladimir Putin, speaking at a conference in Beijing last week, said, “We are fully aware that the genies, in particular, those created by secret services, may harm their own authors and creators, should they be let out of the bottle.”

Putin went on to say, “With regard to the source of these threats, then I believe that Microsoft has spoken directly about this. They said that the first sources of this virus were the United States intelligence agencies. Russia has absolutely nothing to do with this.”

Putin was referring to a blog post penned by Microsoft’s Brad Smith. In that post, Smith criticized intelligence agencies worldwide for their ongoing failure to disclose vulnerabilities to technology vendors so security patches can be developed and issued:

Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. … And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action. The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

But the WannaCry incident is more than a matter of vulnerability disclosure. Two months before the outbreak, Microsoft issued a security patch (MS 17-010) for current Windows operating systems that fixes the vulnerability WannaCry exploits.

So why was WannaCry so successful if the vulnerability it exploits had been disclosed and an existing security patch issued months prior to the outbreak? Johnson noted that patching at the enterprise level entails multiple challenges.

“[One] challenge is when you come up with an update to get your customers to upgrade as smoothly and quickly as possible, having confidence that the patch will fix the defect but not introduce new ones or cause downtime,” Johnson said. “It’s never as easy as vulnerability found, and the entire customer base is upgraded.”

Johnson added, “Sadly, there are often many forces at work that make it more difficult to quickly patch than we all might think. This will happen many more times until individuals get fast at patching their systems, and unfortunately, a lot of security teams still have trouble identifying the network and computer surface area that they are actually protecting. We have a ways to go.”

NSA Alumni Weigh in on WannaCry Culpability, the Vulnerability Disclosure Debate

Vulnerability disclosure is a long-running, complicated debate within the cybersecurity profession. The relationship between and responsibilities of intelligence agencies and private companies entail just one part of a multi-faceted debate.

“This is not just about the intelligence community,” Quade noted. “There are vulnerabilities that are discovered by the Defense Department and law enforcement communities, as well. And each of these communities are there to serve the people.”

But perhaps the most prominent angle of the vulnerability disclosure debate in recent years has revolved around the intelligence-industry relationship, especially given the multiple leaks of NSA and CIA cyber tools, techniques and procedures that exploit undisclosed vulnerabilities.

At the highest level, the intelligence-industry debate is often framed as follows: On the one hand, the intelligence community’s practice of keeping security vulnerabilities a secret serves the national interest by allowing professionals to exploit the vulnerabilities in legitimate intelligence and cyber operations that protect the country. On the other hand, critics claim the practice of not disclosing security vulnerabilities leaves all technology users less safe, because rogue threat actors could also find and exploit the unpatched vulnerabilities for criminal or terrorist purposes. Critics’ most recent case study is the WannaCry cyberattack.

Many cybersecurity professionals have been employed at one time or another by both the U.S. government and private companies, which gives these individuals a unique viewpoint on and insight into the issue. Johnson and Quade, for instance, are former NSA staffers.

Asked his high-level assessment of the vulnerability disclosure debate within the context of WannaCry, Quade said, “Democratic governments’ intelligence agencies worldwide do a lawful job protecting the national security of their countries by gaining insight on what foreign adversaries, like terrorists, seek to do. Such insights save lives and money. Insights are gained, in part, by finding ways [to] determine the adversary’s plans and intentions without the adversary knowing; that’s the definition of spying. Authorized intelligence keeps nations safe.

“I think what we’re seeing in some of these debates is a too-narrow view of sometimes competing, but both legitimate, equities of national security and vulnerability disclosure. Since both are important, that’s why the White House runs a process to assess the best solution on a case-by-case basis,” he said, referring to the Vulnerabilities Equities Process implemented under the Obama administration.

Johnson agreed.

“Intelligence agencies are in a tough spot — we saw this with the Apple vs. FBI debate,” he said. “In this case, there was a severe flaw created by Microsoft that needed to be patched. Microsoft is at fault for having the flaw, and it could have pushed harder for companies to fix it.”

Quade pointed to the nature of code and the seeming inevitability of vulnerabilities. “Code is complex; that results in vulnerabilities,” Quade said. “Vulnerabilities are found all the time, and responsible companies work hard to prevent or fix them. Microsoft issued a fix for this one months ago.”

Johnson echoed Quade’s point, noting, “When you build software, it’s on you to make sure it is stable and defect free. We know that having zero defects is near-impossible, so the hope is that if someone finds a bug or vulnerability, it is disclosed, but that is only a hope.”

Quade noted, too, that all technology users play an important role.

“All of us have a stake in vulnerabilities,” he said. “Preventing and finding vulnerabilities is a responsibility of companies. Using vulnerability patches and using safe online practices is a responsibility of users. Finding and using vulnerabilities is a responsibility of the intelligence community.”

Legislating Vulnerability Disclosure: The PATCH Act

Partly in response to WannaCry, U.S. Senators last week introduced new legislation called the Protecting our Ability To Counter Hacking (PATCH) Act. The legislation is intended to clarify the how, when and where of security vulnerability disclosure to technology makers. Johnson and Quade are both skeptical of the legislation.

“Lawmakers don’t understand technology and the intricacies of the intelligence community and computer network operations enough to legislate it,” Johnson said. “It’s not as easy as drawing a line in the sand.”

Quade questioned the need for congressional legislation at all. “Legislating technology is bad public policy in general,” he said. “In the case of patching government IT systems and evaluating how to best optimize national security, public safety, economic competitiveness and civil liberties, the executive branch doesn’t need new authority from Capitol Hill, so it’s not clear what such a bill would do. The Senate, however, is historically known as a reasoned, deliberate body, so perhaps the dialogue, alone, serves a positive function.”

Johnson sees the vulnerability disclosure debate continuing no matter what is legislated or what solution the industry can devise. “There will always be a debate between those who think the government should keep secret all of its findings versus those who think the government should disclose everything,” he said. “We will continue to have this debate for a long time.”

Quade reiterated the theme of shared responsibility across all parties. “The boogeyman is not Microsoft nor worldwide intelligence agencies,” Quade said. “We expect the government to build good roads and companies to build good cars. But when driving a car, we have a personal responsibility to inflate our tires, clean our windshields and wear our seatbelts since accidents do happen. Cybersecurity is similar, in that there are responsibilities for the individual, companies and government.”

Quade added, “We’re all stakeholders in cyberspace and have a shared responsibility to optimize safety while using it. Sometimes we forget that.”

WannaCry Attribution and Victim Retribution

Aside from the culpability of the NSA or Microsoft, there’s the question of the threat actor who weaponized the NSA’s tool to exploit Microsoft’s vulnerability in the WannaCry attack.

Cybersecurity researchers at Google, Kaspersky Lab and Symantec have said that early forensics and malware reverse-engineering suggest WannaCry may be connected to the Lazarus Group, a hacking collective that has been linked to North Korea. Other experts have expressed doubt about the alleged North Korea attribution.

Some experts assumed the use of ransomware, which is viewed primarily as a financially motivated cyberattack, points to a cybercriminal threat actor, not a nation-state. But recent research by Kaspersky Lab and Symantec, conducted independently, suggests the Lazarus Group is increasingly hacking for financial profit.

Kaspersky researchers have said Lazarus Group contains a subgroup dubbed Bluenoroff, which appears to specialize in financially motivated hacks. Kaspersky, Symantec and other cybersecurity firms have implicated Lazarus Group in several global financial hacks over the past few years, including the $81 million heist from the Bangladesh Central Bank in February 2016.

If North Korea or another nation-state turns out to be behind WannaCry, what recourse might victim nations have according to the Tallinn 2.0 Manual, which establishes international standards in cyberspace?

NATO Cooperative Cyber Defense Center of Excellence Researcher Tomáš Minárik recently analyzed the incident and concluded, “If attribution to a particular state can be established in this case, the legal qualification would be similar to some earlier cases linked to states: The WannaCry campaign would not reach the threshold of armed attack or use of force, nor could it be qualified as prohibited intervention, due to the lack of a coercive element with respect to a government.”

Minárik continued:

However, government systems were also affected by the operation (Russian Ministry of Interior systems were compromised), which could be considered as interference with ‘inherently governmental functions.’ This would be a violation of sovereignty, and consequently an internationally wrongful act, according to Tallinn Manual 2.0 (see rule 4 commentary 15, and rule 14). As for non-government systems, the question of violation of sovereignty is not so clear-cut according to the Tallinn Manual 2.0, but if the ransomware disables systems in what is generally described as ‘critical infrastructure’, states might explore the option to invoke a violation of sovereignty.