Cyber Security

Microsoft Says The NSA Shares Blame For Ransomware Attacks

The WannaCry authors used a stolen NSA vulnerability to hurt Windows users — should the NSA take responsibility?

Photo Illustration R. A. Di Ieso
May 15, 2017 at 1:47 PM ET

Microsoft, fresh off of a frantic weekend helping Windows 10 customers around the world hit by the most widespread ransomware outbreak in history, has publicly accused the U.S.’s National Security Agency of sharing some of the blame.

In a blog post published Sunday, Microsoft President Brad Smith weighed in on one of the biggest debates in cybersecurity: vulnerability disclosure. When the NSA and other intelligence agencies discover flaws in Windows code, how often should the NSA keep a flaw secret in order to hack targets, for instance, and what obligation does it owe to Microsoft?

This ransomware, called WannaCry, encrypts a victim’s files and demands a bitcoin payoff if the target ever wants to see them again. It caused widespread damage over the weekend. Victims ranged from British hospitals that had to send scheduled surgery patients home to electronic billboards in Thailand and the Russian Foreign Ministry. Security analysts have concluded that the malware spreads through an exploit previously discovered by the NSA, which was embarrassingly leaked to the public by a mysterious group called Shadow Brokers.

When Shadow Brokers first released the NSA exploit that drives WannaCry infections three months ago, Microsoft quickly issued a patch for anyone who bothered to update Windows. But not everyone is prompt, or has the access needed to update their systems, leaving untold numbers of vulnerable computers around the world.

Since the NSA had known about this Windows 10 vulnerability without telling Microsoft, Smith argued, the agency is at least partially to blame. “[T]his attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017,” Smith wrote. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

Edward Snowden, the whistleblower and former NSA analyst living in exile in Russia, is a longtime critic of the agency stockpiling vulnerabilities. “Had @NSAGov disclosed the vuln when they discovered it, hospitals would have had years — not months — to prepare,” he tweeted.

The NSA didn’t respond to a request for comment. But others familiar with government cyber practices defended the agency’s broader practice of keeping vulnerabilities, and not just because analysts believe the agency keeps only dozens, not hundreds, secret. Smith’s post wasn’t fair, argued a source with experience at U.S. Cyber Command, an offensive-minded cyber warfare unit commanded by the director of the NSA.

“Microsoft’s view that governments shouldn’t stockpile vulnerabilities at all is unrealistic,” the source told Vocativ. “They did report the vulnerability to Microsoft when it became a risk. The vulnerability was patched for 2 months before WannaCry hit the internet. The problem here has nothing to do with the fact that NSA found this bug but rather that people just don’t patch.”

“Even if NSA did report the bug as soon as they found it, that wouldn’t have stopped anyone from reverse engineering the patch and developing their own exploit from that,” the source said. “It would have been just as effective because, again, people don’t seem to be patching their systems.”