U.S. Sen. Chris Van Hollen and Rep. C. A. Dutch Ruppersberger are seeking briefings from the National Security Agency after a report that a spying tool developed by the agency and then leaked online was used to spread the ransomware that has debilitated Baltimore’s computer systems.
And Council President Brandon Scott said the federal government should step in to cover some of the cost of Baltimore’s recovery.
The New York Times reported Saturday that hackers used a tool known as EternalBlue to spread the ransomware through the city’s systems. The Times cited anonymous security experts briefed on the case.
Ruppersberger, a Democrat whose district includes part of Baltimore, has previously raised concerns about the dangers posed by EternalBlue and other leaked tools — part of a huge cache posted online in 2017 by a group calling itself the Shadow Brokers — and says more needs to be done to counter them.
“If recent media reports regarding the origins of the Baltimore ransomware attack are true, the congressman’s concerns are further validated,” said Jaime Lennon, a spokeswoman for Ruppersberger. “We will be seeking a full briefing from NSA regarding these reports.”
While the tools have been widely linked to the U.S. spy agency, and experts and former government employees have said they appear to be authentic, U.S. officials have never acknowledged the connection.
Van Hollen, a Democrat, said in a statement that he had been in contact Saturday with Sen. Mark Warner of Virginia, the party’s top member on the Senate Intelligence Committee, and that they would seek a briefing from the NSA.
“We must ensure that the tools developed by our agencies do not make their way into the hands of bad actors,” Van Hollen said.
Scott said he was calling on Gov. Larry Hogan to ask the White House for the ransomware attack to be declared a federal emergency, which would unlock funding.
“Given the new information and circumstances its even more clear that the federal government needs to have a larger role in supporting the City’s recovery, including federal reimbursement for damages,” Scott said.
“The fact that the root technology that enabled this attack came from our own federal government, just miles away, only adds insult to injury.”
A spokesman for Hogan responded Saturday to the latest news on the ransomware, with a statement that said: "We continue to work closely with city leaders, including leveraging both state and federal resources, to help restore affected systems."
Lester Davis, a spokesman for Bernard C. “Jack” Young, said the Democratic mayor supported Ruppersberger’s efforts to glean more information.
“The information that was included in the Times story was very troubling,” Davis said.
“There’s going to be a lot of speculation around this. What the mayor's going to be interested in is getting beyond speculation and hearing from the authorities that would have some insight into what actually went on.”
The FBI and Secret Service have been working with the city to respond to the ransomware. An FBI spokesman did not respond Saturday to a request for comment.
Since the 2017 leak, EternalBlue has regularly been put to use by hackers from foreign countries to spread ransomware and other malicious computer code.
The leak rekindled a debate between security officials, civil libertarians and the cybersecurity industry over when spy agencies should disclose to technology companies that they have found flaws in their systems. The spy agencies can use those flaws to gather valuable intelligence about terrorists and foreign governments, but there is also a risk that criminals or rival spies find the same flaws and use them to target Americans.
In a report his office issued last year, Ruppersberger said the government needed to be prepared to take defensive steps against such leaked tools.
“The weaponization of these tools by malicious actors poses a significant risk to the U.S., our allies and the American private sector,” he wrote.
Because the U.S. government has never acknowledged the connection between the Shadow Brokers leak and the NSA, there has been no public accounting of what steps the agency took to protect the powerful tools it created or whether it should have kept the weaknesses they relied on a secret.
The EternalBlue tool relies on a flaw in Microsoft software, though the company issued a patch before the leakers posted the tools online. Many systems remain vulnerable two years later, but the existence of the patch prompted some security researchers to argue Saturday that the responsibility for the Baltimore breach lies with the city.
“If an organization has substantial numbers of Windows machines that have gone 2 years without patches, then that’s squarely the fault of the organization, not Eternalblue,” security consultant Rob Graham wrote in a tweet.
But Jake Williams, a former NSA operative who now runs a security company, framed the argument differently.
“Should the victims have patched? Sure,” he said, “But that’s like me putting the gun in the hands of someone intent on killing a police officer. If the officer isn’t wearing a bulletproof vest (but should have been), that doesn’t absolve me of playing a role in his death.”
Scott has formed a commission to review the city’s computer security. He said the commission would look at what the city’s IT office did to protect the network.
Scott said he wanted to learn what officials knew about the patch and whether steps were taken to install it — or if they failed to act.
“They have to be able to come up with a very good reason why they didn’t do that,” he said. “It’s unacceptable if it was readily available and known to them.”