What Can We Learn from Wannacry?
June 6, 2017 by Bill Rosenthal

The other day, I did a web search on the string “wannacry wake up call” and got “about 1,180,000 results.” The conventional wisdom, then, is that the Wannacry attack is a danger signal to which we need to pay attention. This is a case in which the conventional wisdom is right on target.

Let me offer a quick review of the disaster, based on its entry at Wikipedia. The attack began on Friday, May 12, and within a day had struck more than 230,000 computers in 150 countries. Wannacry is a ransomware worm, and it encrypted the files of the infected computers, demanding from each user about $300 in bitcoin for decryption. 

The initial infection appears to have occurred through a vulnerable SMB port, and the worm propagated itself to other computers through the same SMB vulnerability. On the day of the attack, a researcher going by the name of MalwareTech discovered the worm’s code included a kill switch. MalwareTech exploited the kill switch and dramatically slowed the attack. 

Altogether, victims paid about $126,000 to the attackers. It’s unlikely those who paid the ransom gained any relief as a result. At least one researcher says that the way the campaign was organized meant that the attackers probably could not even identify who had paid them.

That was just one sign the Wannacry campaign was staged by amateurs. Another sign is that Wannacry’s slipshod code was simply bolted on to an NSA exploit the attackers downloaded from the web. It’s unclear to me whether the attackers left the kill switch in the code because they didn’t know it was there or because they were making use of a technique intended to keep researchers from studying their worm in a “sandbox.”

The Wannacry damage was far less extensive than it could have been. The code only spread and executed because of a Windows vulnerability that had already been patched. The only computers that were vulnerable were those whose users had not updated them. Microsoft, in fact, had even issued security updates and patches for systems it was no longer formally supporting. You can make an argument that, although the attackers are indeed criminals, their victims deserve much of the blame for the damage. Ira Winkler, who makes this argument, compared the victims to a bank that leaves bags of cash out on the sidewalk overnight instead of in the vault. 

Some of the blame, then, belongs with the victims. Perhaps some of it belongs with the government, too.

Wannacry was based on vulnerabilities collected by the National Security Agency. You might think that NSA’s mission is to provide for national security, but that’s not really the case. Here’s the agency’s mission statement from its web page: “The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.”

Wannacry tells us to wake up and update our computers. But I think it also tells us to wake up and have a responsible conversation about national security. Is the role of national security to gain an “advantage” for our country or to protect our country? Wannacry’s ability to exploit NSA’s portfolio of destruction suggests there is a difference, and that we should all be discussing it. What do you think?