
Petya, WannaCry Ransomware Cyberattacks: Can NSA Be Held Accountable?

As we learned yesterday, a virulent ransomware attack has invaded organizations globally for the second time in two months. As in the May 2017 WannaCry/WannaCrypt assault, this one reportedly also involved tools and resources pilfered from the U.S. National Security Agency (NSA) -- and subsequently sold on the Internet.

In its immediate wake, culpability has been assigned (as Fortune points out) to the likely suspects--from Microsoft (unpatched older OS software) to the organizations themselves (unpatched systems) to the NSA (for exploiting the Microsoft code) to cyber security developers (it’s big business now), and, of course, to the cyber kidnappers themselves.

Obviously, there’s plenty of blame to go around. Still, blame is one thing; accountability is entirely different. Multiple security companies, such as BitDefender, Kaspersky Lab and Symantec, have tied the Petya ransomware variant to leaked NSA hacking tools codenamed EternalBlue and EternalRomance.

Petya and WannaCry Ransomware: Holding the NSA Accountable?

That makes the NSA partly responsible. Among the key questions on plenty of minds:

  • Can the agency, whose track record is anything but stellar in recent years, be held accountable to some degree for the growth and proliferation of ransomware?
  • Should governments, including our own here in the United States, and companies suffering from the attacks, pursue action against the agency?
  • If powerful exploits mined by the NSA are being used against the digital infrastructure that underpins governments and businesses, how can the NSA not be called on the carpet?

In May, following WannaCry, infamous NSA whistleblower Edward Snowden posed a question on Twitter that, oddly enough, seemed to pass without much discussion:

“If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened. In light of today's attack, Congress needs to be asking @NSAgov if it knows of any other vulnerabilities in software used in our hospitals.”

Let’s face it, Snowden has a point, unlikely as it is to progress any further into action. Should the NSA have come clean when the exploit code was stolen and, for not doing so, should some kind of price be exacted? Should, as Snowden says, the NSA be asked by Congress what else it knows about stolen code and other ticking time bombs just waiting to explode? Should, figuratively speaking, heads roll?

To some, the issue is more complicated than that.

Holding the NSA Accountable for Cyberattacks: Opinions Vary

Rob Enderle, president and principal analyst of the Enderle Group, suggested after the WannaCry hack that perhaps the NSA is guilty of bungling.

“Much of last month (May) was hundreds of thousands of us dealing with the fact that the NSA likely spent millions finding an exploit that they subsequently lost with the resulting impact that hospitals all over the world had to almost shut down. This would be like developing the nuclear bomb and then losing it, oh wait, we did that too,” he wrote in a Techspective blog.

Others are more forgiving.

Rob Knake, a senior fellow at the Council on Foreign Relations, argued in a blog post that “no amount of warning would have been enough to get Windows XP out of hospitals, or get hospitals to install the latest patches in a timely manner. If NSA had disclosed the vulnerability years ago, it would likely still remain exploitable today.”

In defending the NSA, Knake said that “contrary to prevailing sentiments in the privacy community, NSA does not exploit vulnerabilities for its own amusement.”

Nobody, of course, is saying the NSA failed to sound alarm bells about leaked code just for grins. What critics are saying, however, is that no notice, no information, no warning, isn’t excusable just because.

At the other end of the spectrum, some are aggressively pointing fingers at the NSA, forwarding the argument that it didn't report the security hole because the agency had a vested interest in not doing so. What's happening now, the argument goes, is we're simply seeing hackers make use of the exploit and attack unpatched targets, as we well should have expected to see.

A Middle Ground?

There may be a middle ground, as articulated by Brad Williams in Fifth Domain, that explains the conundrum of the debate over culpability and accountability.

“At the highest level, the intelligence-industry debate is often framed as follows: On the one hand, the intelligence community’s practice of keeping security vulnerabilities a secret serves the national interest by allowing professionals to exploit the vulnerabilities in legitimate intelligence and cyber operations that protect the country.

On the other hand, critics claim the practice of not disclosing security vulnerabilities leaves all technology users less safe, because rogue threat actors could also find and exploit the unpatched vulnerabilities for criminal or terrorist purposes.”

Yes, that's the intellectual debate culled down to its basics. However, if the rogue threat actors continue to strike, as certainly they will, the world’s responsibility resides in calling on the carpet those who could have operated differently to perhaps impede an attack. And that should include the NSA.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.