I’m not a big fan of focusing on blame rather than fixing a problem but, in the case of the massive and ongoing Wannacry Ransomware attack, the NSA (and they are far from alone) focused on a tactical strategy that places a relatively slight investigation advantage against the collapse of the free world, and chose unwisely. Now this Cyber Attack might have escalated, and still could escalate, into a Nuclear Exchange, but the odds of that, thankfully, are declining. We might not be as lucky the next time, and the potential for devastating litigation remains very high given this attack was the direct result of an NSA policy and negligence. The kind of liability we are talking about, were this a company and not a government agency, would likely take a company like Google out and, I expect, foreign companies and governments may find a way to hold the U.S. accountable.
Let’s focus on the causes of the Wannacry attack and why, as bad as this was, the perpetrators might have done us all a huge favor.
Offense Over Defense
This is a long-term problem with regard to weapons development; the folks that want to attack something get the funding and then somehow think, once an advanced weapon is created, that they’ll have an advantage indefinitely. With Nuclear weapons, a massive effort went into creating the ones that devastated Japan and ended the war in 1945 against that country, but the war was already winding down and the U.S. was not threatened. Since then, there have been five known instances (and likely more that haven’t been reported) where a nuclear war could have broken out, massively devastating the country. Yet, the funds spent on defending against an attack remain a fraction of the funds used to create even more devastating weapons. Be aware that all five close calls weren’t intentional and largely amounted to one side or the other screwing up. Ending the world on an “Oops” isn’t the way I think any of us want to go out.
Now, if you were having a dispute with your neighbor and I was to offer you a weapon that would get that neighbor to move— with the caution that they might come back and kill you and every member of your family with their own copy in one to five years— you’d be smart to either say no or to take it, and then spend every moment coming up with a way to defend against that weapon. But history suggests you’d more likely take the weapon and accept the risk of being killed instead, suggesting that our brains are wired really badly for decisions like this.
NSA Is A Case In Point
With the Wannacry attack, the basis was an exploit that the NSA painstakingly researched to find and badly kept a secret. Now, be aware, there are a large number of foreign and domestic hostile actors that are also working on similar projects, suggesting that even if the NSA hadn’t leaked, someone was likely to find and use this exploit. This suggests there are likely a massive number of potential exploits that governments know about but haven’t reported to the manufacturers or their own citizens in the hope that they can use them to find a criminal or terrorist and that these citizens don’t find out, when they are exploited, that their government could have but chose not to protect them.
Now this finding of exploits is only a small part of Cyber practices that the U.S. Government has sponsored over time that are tactically smart but strategically and massively stupid. The U.S. Government wanted its own back door into software platforms like iOS and Windows, and this attack showcases just how incredibly foolish such a thing would be. Such a back door, which would eventually be leaked or discovered, would provide an even greater potential for a future attack, even if you did everything right (the current attack was only possible because people didn’t patch in a timely manner, and used outdated or pirated software; there’s irony in that last point, given that is the source of much of Russia’s pain).
Wrapping Up: Protection And Warning
Certainly, at an enterprise or government level, a combination of access control software like Varonis and an aggressive patching policy would have prevented this attack. Microsoft was made aware of this vulnerability as a result of the NSA leak and had issued a patch months ago, but folks failed to apply it in a timely manner and the money they saved by not doing so is likely a small percentage of the cost today. Oh, and a product like Varonis might have prevented the NSA leak in the first place.
In the end, the attackers may have done us a huge favor. This attack is massive but it isn’t anywhere near as massive as an attack using a back door might have been. Plus, it showcased not only that this idea of having a back door is incredibly stupid, but that the practice of finding exploits and not reporting them is equally bad.
Interestingly, given this problem started with the Federal Government, the Trump Administration just signed an executive order that may go a long way towards protecting the government. His latest Executive Order holds the heads of agencies personally responsible for breaches, which should prioritize spending on Cyber defense. We’ll see, in the end, but a far better path might be to make them a bigger part of the solution and a smaller part of the problem.
The big lesson is that our aggressive focus on offense without any real balance on defense is a world-ending strategy. Concepts like Mutually Assured Destruction still leave you dead if there is an “oops” moment and, if something doesn’t change, an “oops” will likely end us. We’ve been warned again with Wannacry; I’m not sure how many warnings we have left.