Wannacry Ransomware: The NSA's Fault, But the Attackers Did Us a Huge Favor

By Rob Enderle May 15, 2017

I’m not a big fan of focusing on blame rather than fixing a problem but, in the case of the massive and ongoing Wannacry Ransomware attack, the NSA (and they are far from alone) focused on a tactical strategy that places a relatively slight investigation advantage against the collapse of the free world, and chose unwisely.  Now this Cyber Attack might have, and still could, escalate into a Nuclear Exchange but the odds of that, thankfully, are declining.  We might not be as lucky the next time, and the potential for devastating litigation remains very high given this attack was the direct result of an NSA policy and negligence.  The kind of liability we are talking about, were this a company and not a government agency, would likely take a company like Google out and, I expect, foreign companies and governments may find a way to hold the U.S. accountable.  

Let’s focus on the causes of the Wannacry attack and why, as bad as this was, the perpetrators might have done us all a huge favor. 

Offense Over Defense

This is a long-term problem with regard to weapons development; the folks that want to attack something get the funding and then somehow think, once an advance weapon is created, that they’ll have an advantage indefinitely. With Nuclear weapons, a massive effort went into creating the ones that devastated Japan and ended the war in 1945 against that country, but the war was already winding down and the U.S. was not threatened.  Since then, there have been five known instances (and likely more that haven’t been reported) where a nuclear war could have broken out, massively devastating the country. Yet, the funds spent on defending against an attack remain a fraction of the funds used to create even more devastating weapons.  Be aware that all five close calls weren’t intentional and largely amounted to one side or the other screwing up.  Ending the world on an “Oops” isn’t the way I think any of us want to go out. 

Now, if you were having a dispute with your neighbor and I was to offer you a weapon that would get that neighbor to move— with the caution that they might come back and kill you and every member of your family with their own copy in one to five years— you’d be smart to either say no or to take it, and then spend every moment coming up with a way to defend against that weapon. But history suggests you’d more likely take the weapon and accept the risk of being killed instead, suggesting that our brains are wired really badly for decisions like this. 

NSA Is A Case In Point

With the Wannacry attack, the basis was an exploit that the NSA painstakingly researched to find and badly kept a secret.  Now, be aware, there are a large number of foreign and domestic hostile actors that are also working on similar projects, suggesting that even if the NSA hadn’t leaked, someone was likely to find and use this exploit.  This suggests there are likely a massive number of potential exploits that governments know about but haven’t reported to the manufacturers or their own citizens in the hope that they can use them to find a criminal or terrorist and that these citizens don’t find out, when they are exploited, that their government could have but chose not to protect them. 

Now this finding of exploits is only a small part of Cyber practices that the U.S. Government has sponsored over time that are tactically smart but strategically and massively stupid.  The U.S. Government wanted its own back-door into software platforms like iOS and Windows, and this attack showcases just how incredibly foolish such a thing would be. Such a back door, which would eventually be leaked or discovered, would provide an even greater potential for a future attack, even if you did everything right (the current attack was only possible because people didn’t patch timely, and used outdated or pirated software—there’s irony in that last point, given that is the source of much of Russia’s pain). 

Wrapping Up:  Protection And Warning

Certainly, at an enterprise or government level, a combination of access control software like Varonis and an aggressive patching policy would have prevented this attack.  Microsoft was made aware of this vulnerability as a result of the NSA leak and had issued a patch months ago, but folks failed to apply it in a timely manner and the money they saved by not doing so is likely a small percentage of the cost today.  Oh, and a product like Varonis might have prevented the NSA leak in the first place.  

In the end, the attackers may have done us a huge favor.  This attack is massive but it isn’t anywhere near as massive as an attack using a backdoor might have been. Plus, it showcased not only that this idea of having a back door is incredibly stupid, but that the practice of finding and not reporting them is equally as bad.  

Interestingly, given this problem started with the Federal Government, the Trump Administration just signed an executive order that may go a long way towards protecting the government.  His latest Executive Order holds the heads of agencies personally responsible for breaches, which should prioritize spending on Cyber defense.  We’ll see, in the end, but a far better path might be to make them a bigger part of the solution and a smaller part of the problem. 

The big lesson is that our aggressive focus on offense without any real balance on defense is a world ending strategy.  Concepts like Mutually Assured Destruction still leave you dead if there is an “oops” moment and, if something doesn’t change, an “oops” will likely end us.  We’ve been warned again with Wannacry, not sure how many warnings we have left.  




 

President and Principal Analyst, Enderle Group

SHARE THIS ARTICLE
Related Articles

Pai Makes His Case for Title II Repeal

By: Paula Bernier    11/21/2017

FCC Chairman Ajit Pai today made clear his plans to repeal Title II net neutrality rules. The commission is expected to pass his proposal at its Dec. …

Read More

Mist Applies AI to Improve Wi-Fi

By: Paula Bernier    11/9/2017

Mist has created an AI-driven wireless platform that puts the user and his or mobile device at the heart of the wireless network. Combining machine le…

Read More

International Tech Innovation Growing, Says Consumer Technology Association

By: Doug Mohney    11/8/2017

The Consumer Technology Association (CTA) is best known for the world's largest trade event, but the organization's reach is growing far beyond the CE…

Read More

Broadcom Makes Unsolicited $130B Bid for Qualcomm

By: Paula Bernier    11/6/2017

In what could result in the biggest tech deal in history, semiconductor company Broadcom has made an offer to buy Qualcomm for a whopping $130 billion…

Read More

How Google's 'Moonshot' Could Benefit Industrial Markets

By: Kayla Matthews    10/30/2017

The term "moonshot" encapsulates the spirit of technological achievement: an accomplishment so ambitious, so improbable, that it's equivalent to sendi…

Read More