A good part of the blame for the WannaCry ransomware attack belongs to the National Security Agency, notes Bruce Schneier, in an article in Foreign Affairs.
The noted security expert decried the NSA for its role in detecting the flaw years ago, but choosing to “exploit it rather than disclose it.”
The government’s proclivity to keep software flaws stashed for use as potential weapons, rather than disclose them so they could be patched, bears a good part of the blame for the ransomware attack that knocked systems offline around the world, Schneier explained.
Despite the fact that the government has criteria in place on whether or not to disclose a software vulnerability, and despite an official statement from NSA Director Michael S. Rogers asserting that the government does in fact disclose 91 percent of the flaws it detects to the various vendors, the basic code used in the WannaCry campaign – code-named EternalBlue – leaked from the NSA. And this despite internal warnings that the code had the potential to do great harm if unleashed.
The argument was that the code was a powerful weapon in gathering intelligence and, further, that those within the NSA believed the flaw would not be discovered by others. But, countering that, Schneier cited two recent studies that showed that six to 20 percent of disclosed vulnerabilities are rediscovered within a year. And, “alarming” leaks from the CIA and NSA have too easily handed attack tools to criminals, he added.
“The United States should satisfy its offensive requirements through a steady stream of newly discovered vulnerabilities that, when fixed, also improve the country’s defense,” he wrote.
There was one positive aspect of the WannaCry scourge, Schneier admitted: Once the NSA realized EternalBlue had been distributed, the agency notified Microsoft which released a patch that limited the damage.
And, keeping patches up to date is, he concluded, the lesson to be learned here.