A runaway strain of malware hit Windows computers Friday and spread through the weekend, rendering hundreds of thousands of computers around the world more or less useless. The big twist: The virus was made possible by U.S. government hackers at the National Security Agency. But the finger-pointing won’t stop there, and it probably shouldn’t.
As the worm, known as WannaCry, has been contained, more free time has opened up in which to argue and assign blame beyond the anonymous hackers who used leaked NSA code to assemble the virus, and whatever party decided to turn it into ransomware. Microsoft isn’t holding back.
In an unusually bold and forthright post by president Brad Smith, the company called out the NSA by name for not just creating, but “stockpiling” — and then, like Cyber Frankenstein, losing all control over — the attacks that made WannaCry possible:
This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
Every software weakness the NSA (or CIA, or FBI) decides to use for itself in total secrecy is necessarily one it won’t share with a company like Microsoft so that it can write and release a software update to keep its customers safe. (Whether or not you see this as a good and necessary thing likely has a lot to do with your opinion of whether the NSA too often prioritizes its ability to hurt adversaries over the privacy and safety of U.S. citizens or over the privacy and safety of people in general).