It's been three days since WannaCry ransomware attacks began rippling across the world, affecting more than 200,000 people and 10,000 organizations in 150 countries. And the threat of further infection still looms.
The pervasiveness of WannaCry reveals just how insidious wide-scale ransomware attacks can be, endangering public infrastructure, commerce, and even human lives. But the implications of the incident don't end there. The attack has transformed from an acute situation to be dealt with by security experts to a symbol of how fundamentally vital cybersecurity protection is and the true scale of what can happen when systems and devices lack crucial defenses. The far-reaching consequences of WannaCry has also revived a nuanced and long-standing debate about just how much risk the public should be exposed to when intelligence agencies secretly take advantage of vulnerabilities in consumer products.
WannaCry's evolution is the latest example. The attack spread by exploiting a Windows server vulnerability known as EternalBlue. The NSA discovered the bug and was holding on to it, but information about it and how to exploit it was stolen in a breach and then leaked to the public by a hacking group known as the Shadow Brokers. Microsoft issued a fix in mid-March, but many computers and servers never actually received the patch, leaving those systems open to attack. By holding on to this information instead of directly disclosing the vulnerability to manufacturers, this NSA espionage technique—ostensibly meant to protect people—caused a great deal of harm. And there's no sign that groups like the NSA will discontinue this practice in the future.
"Even if what the NSA and the US government did is entirely right, it's also OK for us to be outraged about this—we're angry if a cop loses his gun and then it gets used in a felony," says Jason Healey, a cyberconflict researcher at Columbia University, who studies the US government's existing vulnerability and exploit disclosure process. "I think the government's response to this is often 'Look, this is espionage, it's how the game is played, quit crying.' And that's just not cutting it. Everyone is right to be outraged and the government needs a better way of dealing with this."
There's certainly plenty of outrage that an NSA spy tool was stolen in the first place, then leaked, and then exploited to the detriment of individuals and businesses around the world.
"An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen," Brad Smith, the president and chief legal officer of Microsoft, wrote on Sunday. "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. … We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
It is vitally important that tech companies release patches in an accessible way and that customers—both individuals and institutions—apply those patches. Experts agree that the tech community and its users share responsibility for the WannaCry fallout given that Microsoft had released a protective patch that wasn't installed widely enough.