Who’s to blame for the astonishingly successful ransomware attack sweeping the planet?
Microsoft, the information technology giant whose popular Windows operating systems harbored the flaw malicious hackers exploited to paralyze at least 200,000 computers and systems in 150 countries, is pointing the finger at Washington.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Brad Smith, Microsoft president and chief legal officer, charged in a blog on the company website. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
Smith indicated that the National Security Agency knew of the Windows vulnerability but withheld that crucial information from the company so it could spy on hostile actors overseas. The company learned of the flaw and issued a patch March 14.
But last month, cyber thieves posted on the Internet a batch of hacking tools allegedly stolen from the NSA. These tools exposed, among other things, the Windows security gap. At 4:07 p.m. Greenwich Mean Time Friday, BBC News broke into a broadcast about the Pope’s visit to Portugal to report that “hospitals across England appear to have been simultaneously hit by a large scale cyber attack… many of the hospitals having to divert emergency patients.” The bug, identified as malware called WannaCry or WannaCrypt, shut down Britain’s National Health Service data system, which had not been updated with the Microsoft patch, and spread to other unpatched computers across Europe and Asia. The victims received digital ransom notes demanding payment of about $300 in bitcoins, a virtual currency that can preserve the attacker’s anonymity.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Smith said. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”
General Keith Alexander, who served as NSA director from 2005 to 2014, told Suzanne Kelly, The Cipher Brief CEO & Publisher, that “more than 90 percent of everything we saw on [vulnerabilities] was pushed out to industry for patching.”
“Here’s the issue: pushing out a patch doesn’t fix the vulnerability,” Alexander added. “The companies have to apply that patch to their systems. Companies that don’t do that or don’t have the people to implement those patches – that’s the real risk. So, if everyone had patched their systems in March, this wouldn’t have spread within companies. Companies would still get hit by the phishing attack if they opened up a phishing email, but they wouldn’t get hit by the lateral movement, which is causing the most damage.”
Other industry experts expressed sympathy for the intelligence community’s desire to ferret out software security gaps and keep them secret and unpatched. The spy agencies have traditionally used such vulnerabilities against intelligence targets.
“This is a tough issue,” Todd Rosenblum, Senior Executive for National Security Programs and Strategy at IBM, told The Cipher Brief. “Our overseas intelligence collection apparatus relies on a wide array of tools to access information vital to our national security. Moreover, many U.S.-based companies are really multi-national companies with an operational presence in hard target locations. There are times that we must tilt toward preserving access to foreign intelligence information because of the nature of the information, its immediacy, and lack of other means to collect it.”
On the other hand, Rosenblum said, the intelligence agencies must recognize that “harming the business reputation of the U.S. is bad for our economic vitality.”
The WannaCry attack underscored a key question: can the government keep a secret? As Marshall Erwin, Head of Trust at Mozilla, told The Cipher Brief last month, “Instead of asking whether vulnerabilities can be independently discovered, the intelligence community should be asking whether they can too easily be stolen or leaked.”
Ultimately, said Nils Puhlmann, Co-Founder of the Cloud Security Alliance, it’s up to companies and individuals to protect themselves by installing patches and taking other computer security measures.
“It is an arms race,” Puhlmann said. “If we choose to do nothing, to not update and maintain our machines, to not pay attention to what we depend on, then we have already lost that race.”
And don’t wait for the government to solve the problem. By all accounts, the spread of the WannaCry attack was halted, at least temporarily, by a 22-year-old English computer researcher who calls himself Malware Tech and who works for Kryptos Logic, a Los Angeles threat intelligence company that tracks bot attacks. He told the British newspaper The Guardian that he looked at the malware code and noticed a connection to an unregistered domain. He bought the domain for $10.69, activated it and the attacks stopped. Apparently the domain acted as a “kill switch,” for reasons only the malware author knows for sure.
But the attack is not over. President Donald Trump held an emergency meeting with Tom Bossert, his Homeland Security Advisor, on Friday, and tech experts are warning that the WannaCry hackers and copycats are at work, creating a new wave of attacks.
Elaine Shannon is a contributing national security editor at The Cipher Brief.