WannaCry Ransomware: Who Is Really to Blame for the Cyber-Attacks?

By Elias Groll, Foreign Policy | Updated: 16 May 2017 11:32 IST

Over the weekend, hospitals in the UK were forced to turn away some patients as a result of a computer virus that had infected their systems. In France, automaker Renault shut down production at several plants because of the same virus. In Russia, that same virus knocked thousands of computers offline at the Interior Ministry.

Days after the virus first exploded on Friday, Microsoft is pointing the finger squarely at the National Security Agency, for its role in enabling the virus. WannaCry, the company argues, represents just the latest example of why intelligence agencies should not stockpile computer vulnerabilities that they use to hack into enemy systems.


Instead, organisations such as the NSA should disclose computer vulnerabilities to their manufacturers, Microsoft argues.

 

But the NSA's role in the creation of WannaCry has been misunderstood: The intelligence agency did not actually create WannaCry, but played an inadvertent role in midwifing the bug.

This latest mayhem was caused by a virulent strain of ransomware, which encrypts an infected computer's data and demands a ransom for the keys to unlock it. Known as WannaCry, this strain of ransomware was developed by as-yet unknown hackers using tools first developed by the NSA and affects some computers running Microsoft software. The criminals have so far netted a paltry $50,000 (roughly Rs. 32 lakhs) in ransom payments, based on payments into Bitcoin accounts associated with the malware. The virus has so far infected nearly 200,000 computers world-wide.


The severity of the attack - UK hospitals in several cases asked only those with life-threatening or severe conditions to seek care at facilities affected by the virus - has prompted an intense debate among computer executives, former intelligence officials, and activists about who exactly is to blame for the attack.

In April, a group of hackers calling themselves the ShadowBrokers - their true identities remain unknown - released a set of hacking tools purportedly stolen from the National Security Agency. That dump included a vulnerability codenamed EternalBlue, which preys on a flaw in Microsoft Word to transmit malicious software from one Windows computer to another.


The authors of WannaCry utilised this NSA tool to create the mechanism by which the ransomware spreads from one computer to another.

In short, an NSA cyberweapon utilizing a flaw in a piece of Microsoft software slipped out of the hands of the US government and into the hands of malicious hackers, who put the weapon to work for their own financial ends.


"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Microsoft President Brad Smith wrote in a Sunday blog post. "The governments of the world should treat this attack as a wake-up call."

For the most part, civil liberties groups are siding with Microsoft. "These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world," Patrick Toomey, a staff attorney at the American Civil Liberties Union, said in a statement.

In February, Smith first called for the creation of what he has dubbed a Geneva Convention for cyberspace, which would outlaw nation-state cyber-attacks on critical infrastructure and tech companies. Most importantly, such a convention would commit governments to turning over software vulnerabilities when they find them - rather than exploiting them to break into enemy computers - so that companies can patch them.

Therein lies the uncomfortable irony for Microsoft. A month before the ShadowBrokers released the EternalBlue vulnerability, Microsoft issued a patch for it, but that didn't stop the ransomware's spread. While neither Microsoft nor the NSA has confirmed it, computer experts believe that the NSA likely tipped off Microsoft about the flaw once they realized the tool had been stolen.

For a variety of reasons, that fix never made it onto the affected computers. In the case of Britain's National Health Service, a significant number of its computers run Windows XP, an operating system that Microsoft stopped upgrading in 2014. Though some 5 to 10 percent of computers worldwide still rely on Windows XP, Microsoft no longer provides updates to the operating system. The company rushed out a patch on Saturday, however.

Part of the blame for this weekend's attack lies with computer users and IT managers who haven't upgraded their systems. But for a host of reasons, even patching computer systems is a difficult challenge. A recent Apple software update, for example, caused some iPad Pros to cease functioning.

(In China, that country's love of pirated software, which typically doesn't receive updates, contributed to WannaCry's virulent spread there on Monday.)

Complex software interacts in sometimes unforeseeable ways with its component parts, and this makes IT managers loath to push updates without a battery of tests. For ordinary computer users, straightforward laziness stands in the way of more frequent patching.

Even as computing advances provide more secure software, vulnerabilities won't go away. Computer scientists estimate that for every 1,000 lines of code written, there will be between 15 and 50 errors.

In the face of pervasive computer insecurity, executives such as Microsoft's Smith are begging the NSA and other intelligence agencies to help protect their customers, and their businesses' bottom lines, by disclosing the vulnerabilities they find. But from the perspective of the NSA, Microsoft is asking the signals intelligence agency to unilaterally disarm, which it isn't going to do. In his blog post, Smith compared the NSA hack to "the US military having some of its Tomahawk missiles stolen." But just as the United States wouldn't scrap its Tomahawk missiles if one fell into enemy hands, the NSA isn't going to give up its cyber weapons just because one escaped into the wild.

© 2017 The Washington Post

 
