Wannacry Ransomware: The NSA's Fault, But the Attackers Did Us a Huge Favor


I’m not a big fan of focusing on blame rather than fixing a problem but, in the case of the massive and ongoing Wannacry Ransomware attack, the NSA (and they are far from alone) focused on a tactical strategy that places a relatively slight investigation advantage against the collapse of the free world, and chose unwisely.  Now this Cyber Attack might have, and still could, escalate into a Nuclear Exchange but the odds of that, thankfully, are declining.  We might not be as lucky the next time, and the potential for devastating litigation remains very high given this attack was the direct result of an NSA policy and negligence.  The kind of liability we are talking about, were this a company and not a government agency, would likely take a company like Google out and, I expect, foreign companies and governments may find a way to hold the U.S. accountable.  

Let’s focus on the causes of the Wannacry attack and why, as bad as this was, the perpetrators might have done us all a huge favor. 

Offense Over Defense

This is a long-term problem with regard to weapons development; the folks that want to attack something get the funding and then somehow think, once an advance weapon is created, that they’ll have an advantage indefinitely. With Nuclear weapons, a massive effort went into creating the ones that devastated Japan and ended the war in 1945 against that country, but the war was already winding down and the U.S. was not threatened.  Since then, there have been five known instances (and likely more that haven’t been reported) where a nuclear war could have broken out, massively devastating the country. Yet, the funds spent on defending against an attack remain a fraction of the funds used to create even more devastating weapons.  Be aware that all five close calls weren’t intentional and largely amounted to one side or the other screwing up.  Ending the world on an “Oops” isn’t the way I think any of us want to go out. 

Now, if you were having a dispute with your neighbor and I was to offer you a weapon that would get that neighbor to move— with the caution that they might come back and kill you and every member of your family with their own copy in one to five years— you’d be smart to either say no or to take it, and then spend every moment coming up with a way to defend against that weapon. But history suggests you’d more likely take the weapon and accept the risk of being killed instead, suggesting that our brains are wired really badly for decisions like this. 

NSA Is A Case In Point

With the Wannacry attack, the basis was an exploit that the NSA painstakingly researched to find and badly kept a secret.  Now, be aware, there are a large number of foreign and domestic hostile actors that are also working on similar projects, suggesting that even if the NSA hadn’t leaked, someone was likely to find and use this exploit.  This suggests there are likely a massive number of potential exploits that governments know about but haven’t reported to the manufacturers or their own citizens in the hope that they can use them to find a criminal or terrorist and that these citizens don’t find out, when they are exploited, that their government could have but chose not to protect them. 

Now this finding of exploits is only a small part of Cyber practices that the U.S. Government has sponsored over time that are tactically smart but strategically and massively stupid.  The U.S. Government wanted its own back-door into software platforms like iOS and Windows, and this attack showcases just how incredibly foolish such a thing would be. Such a back door, which would eventually be leaked or discovered, would provide an even greater potential for a future attack, even if you did everything right (the current attack was only possible because people didn’t patch timely, and used outdated or pirated software—there’s irony in that last point, given that is the source of much of Russia’s pain). 

Wrapping Up:  Protection And Warning

Certainly, at an enterprise or government level, a combination of access control software like Varonis and an aggressive patching policy would have prevented this attack.  Microsoft was made aware of this vulnerability as a result of the NSA leak and had issued a patch months ago, but folks failed to apply it in a timely manner and the money they saved by not doing so is likely a small percentage of the cost today.  Oh, and a product like Varonis might have prevented the NSA leak in the first place.  

In the end, the attackers may have done us a huge favor.  This attack is massive but it isn’t anywhere near as massive as an attack using a backdoor might have been. Plus, it showcased not only that this idea of having a back door is incredibly stupid, but that the practice of finding and not reporting them is equally as bad.  

Interestingly, given this problem started with the Federal Government, the Trump Administration just signed an executive order that may go a long way towards protecting the government.  His latest Executive Order holds the heads of agencies personally responsible for breaches, which should prioritize spending on Cyber defense.  We’ll see, in the end, but a far better path might be to make them a bigger part of the solution and a smaller part of the problem. 

The big lesson is that our aggressive focus on offense without any real balance on defense is a world ending strategy.  Concepts like Mutually Assured Destruction still leave you dead if there is an “oops” moment and, if something doesn’t change, an “oops” will likely end us.  We’ve been warned again with Wannacry, not sure how many warnings we have left.  


President and Principal Analyst, Enderle Group

Related Articles

Turning Data into Stories with Natural Language Generation

By: Erik Linask    7/29/2020

Arria's NLG technology takes the burden of storytelling from data analysts by using artificial intelligence to turn data into narrative.

Read More

Benefits of using bitcoins for business

By: Special Guest    7/29/2020

Bitcoin is a digital cryptocurrency that is used by many people to make payments. Indeed, online retail stores are accepting bitcoins as a mode of pay…

Read More

Intelligent Defect Inspection: How Computer Vision Enhances Quality Control

By: Special Guest    7/28/2020

Business competition pressures manufacturers to produce faster, reduce expenses, and increase efficiencies. But all these requirements run into the qu…

Read More

It's Online Collaboration's Time to Shine: Are You Surfing the Wave or Sinking Under It?

By: Special Guest    7/27/2020

What should also be obvious to UCaaS providers is this is a rare opportunity. Unfortunately, too many appear satisfied with letting this wave roll by …

Read More

What Technology Does My New Business Need?

By: Special Guest    7/20/2020

Technology has helped to revolutionise business in several different ways, but with productivity at the heart of every business, technology is needed …

Read More