Who Is Really to Blame for the WannaCry Ransomware?

Over the weekend, hospitals in the U.K. were forced to turn away some patients as a result of a computer virus that had infected their operating systems. In France, automaker Renault shut down production at several plants because of the same virus. In Russia, that same virus knocked thousands of computers offline at the Interior Ministry.

Days after the virus first exploded on Friday, Microsoft is pointing the finger squarely at the U.S. National Security Agency, for its role in enabling the virus. WannaCry, the company argues, represents just the latest example of why intelligence agencies should not stockpile computer vulnerabilities that they use to hack into enemy systems. Instead, organizations such as the NSA should disclose computer vulnerabilities to their manufacturers, Microsoft argues.

But the NSA’s role in the creation of WannaCry has been misunderstood: The intelligence agency did not actually create WannaCry but played an inadvertent role in midwifing the bug.

Who is responsible for writing the malware remains a mystery, but some early evidence points toward North Korea. Researchers at Kaspersky Labs, a cybersecurity firm, have identified some similarities in the WannaCry code and tools used by Pyongyang hackers in previous attacks. In a blog post, the company cautioned that it is too early to definitively attribute the attack to North Korea.

This latest mayhem was caused by a virulent strain of ransomware, which encrypts an infected computer’s data and demands a ransom for the keys to unlock it. Known as WannaCry, this strain of ransomware was developed by as-yet unknown hackers using tools first developed by the NSA and affects some computers running Microsoft software. The criminals have so far netted a paltry $50,000 in ransom payments, based on payments into Bitcoin accounts associated with the malware. The virus has so far infected nearly 200,000 computers worldwide.

The severity of the attack — U.K. hospitals in several cases asked only those with life-threatening or severe conditions to seek care at facilities affected by the virus — has prompted an intense debate among computer executives, former intelligence officials, and activists about who exactly is to blame for the attack.

In April, a group of hackers calling themselves the Shadow Brokers — their true identities remain unknown — released a set of hacking tools purportedly stolen from the NSA. That dump included a vulnerability code-named EternalBlue, which preys on a flaw in Microsoft Word to transmit malicious software from one Windows computer to another.

The authors of WannaCry utilized this NSA tool to create the mechanism by which the ransomware spreads from one computer to another.

In short, an NSA cyberweapon utilizing a flaw in a piece of Microsoft software slipped out of the hands of the U.S. government and into the hands of malicious hackers, who put the weapon to work for their own financial ends.

“[T]his attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Microsoft President Brad Smith wrote in a Sunday blog post. “The governments of the world should treat this attack as a wake-up call.”

For the most part, civil liberties groups are siding with Microsoft. “These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies but by hackers and criminals around the world,” Patrick Toomey, a staff attorney at the American Civil Liberties Union, said in a statement.

In February, Smith first called for the creation of what he has dubbed a Geneva Convention for cyberspace, which would outlaw nation-state cyberattacks on critical infrastructure and tech companies. Most importantly, such a convention would commit governments to turning over software vulnerabilities when they find them — rather than exploiting them to break into enemy computers — so that companies can patch them.

Therein lies the uncomfortable irony for Microsoft. A month before the Shadow Brokers released the EternalBlue vulnerability, Microsoft issued a patch for it, but that didn’t stop the ransomware’s spread. While neither Microsoft nor the NSA has confirmed it, computer experts believe that the NSA likely tipped off Microsoft about the flaw once they realized the tool had been stolen.

For a variety of reasons, that fix never made it onto the affected computers. In the case of Britain’s National Health Service, a significant number of its computers run Windows XP, an operating system that Microsoft stopped upgrading in 2014. Though some 5 to 10 percent of computers worldwide still rely on Windows XP, Microsoft no longer provides updates to the operating system. The company rushed out a patch on Saturday, however.

Part of the blame for this weekend’s attack lies with computer users and IT managers who haven’t upgraded their system. But for a host of reasons, even patching computer systems is a difficult challenge. A recent Apple software update, for example, caused some iPad Pros to cease functioning.

(In China, that country’s love of pirated software, which typically doesn’t receive updates, contributed to WannaCry’s virulent spread there on Monday.)

Complex software interacts in sometimes unforeseeable ways with its component parts, and this makes IT managers loath to push updates without a battery of tests. For ordinary computer users, straightforward laziness stands in the way of more frequent patching.

Even as computing advances provide more secure software, vulnerabilities won’t go away. Computer scientists estimate that for every 1,000 lines of code written, there will be between 15 and 50 errors.

In the face of pervasive computer insecurity, executives such as Microsoft’s Smith are begging the NSA and other intelligence agencies to help protect consumers, and their businesses’ bottom line, by disclosing vulnerabilities it finds. But from the perspective of the NSA, Microsoft is asking the signals intelligence agency to unilaterally disarm, which it isn’t going to do.

In his blog post, Smith compared the NSA hack to “the U.S. military having some of its Tomahawk missiles stolen.” But just as the United States wouldn’t scrap its Tomahawk missiles if one fell into enemy hands, the NSA isn’t going to give up its cyberweapons just because one escaped into the wild.

Photo via Twitter user @AlienVault