If the hackers who crippled Baltimore city government computers used a cyberweapon developed by the National Security Agency, as the New York Times reported Saturday, the federal government bears some responsibility in helping to clean up the mess. Yes, the city should have updated its Windows systems with a security patch Microsoft released two years ago after a hacking group called Shadow Brokers leaked the tool. But that doesn’t absolve the NSA from blame. In seeking to keep a powerful offensive cyberweapon for itself, it risked national security rather than protecting it.
Some security experts take the opposite view (and some question whether the NSA tool, known as EternalBlue, was involved in a significant way — or at all — in the Baltimore attack). They argue that two years after the initial leak and a powerful wave of cyberattacks that followed, the city is at fault for failing to take a simple step to protect itself from the threat. We agree that Baltimore officials need to be held accountable for their investments in information technology and their cybersecurity policies and practices. But that doesn’t leave the federal government off the hook if EternalBlue facilitated or exacerbated the attack on the city.
Would a homeowner be at fault for a burglary if he failed to take the initiative to change his locks after the police developed a master key to open his old ones without the homeowner’s knowledge or permission, left it out where criminals could steal it and then continued to deny any involvement in the whole business? If that analogy sounds absurd, well, so does the actual string of events that brought us to this point.
The Times and others have reported that after NSA workers found a weakness in some versions of Windows, they did not notify the company but instead wrote code to exploit it, code they kept secret for five years because it was considered too valuable an offensive weapon. Once it learned of the problem, Microsoft was quickly able to develop a patch to the Windows software to block it. But that didn’t prevent state actors in North Korea, Russia and China from unleashing massively destructive attacks that hobbled public and private networks worldwide in the ensuing months. Baltimore is hardly alone for still being vulnerable to EternalBlue; around a million computers and servers worldwide retain the security flaw it exploits, nearly half of them in the United States.
Rep. C.A. Dutch Ruppersberger, who has been particularly involved in cybersecurity issues, and Sen. Chris Van Hollen have both called for hearings on the possible NSA-Baltimore ransomware connection, and City Council President Brandon Scott has asked Gov. Larry Hogan to seek a federal emergency declaration in hopes of unlocking federal funds to help pay for the recovery. The city has not offered an estimate of the costs to restore its computer system — a painstaking process that involves clearing machines one at a time — but other cities hit by ransomware attacks have spent millions in an attempt to get back to normal.
Assuming the Times report is correct, it would absolutely be appropriate for the federal government to cover some of the costs. But the bigger question is whether the NSA has changed its behavior in the wake of the EternalBlue leak. There has yet to be any public accounting of how that occurred or what steps the agency has taken to prevent such a breach in the future. And there has certainly been no adequate resolution to the debate about what the agency should do when it discovers systemic security flaws like the one exploited by EternalBlue. A few years ago, the federal government developed a protocol for deciding when to notify companies about vulnerabilities in their software, and the NSA says it does so more than 90 percent of the time. But critics argue that the agency has become too bent on its offensive capabilities and that the 10 percent of flaws it keeps to itself are the most potentially powerful ones.
As the lingering ill effects of the EternalBlue leak demonstrate, it only takes one “exploit” — the term of art for such hacking tools — to cause billions of dollars in damage and potentially put lives at risk. We understand the perspective of those who believe that in some extraordinary cases, the potential intelligence gain from keeping a security flaw secret is so great as to outweigh the potential damage. But we don’t share it. These weapons have the capability to cause too much damage and can too easily fall into the wrong hands. We decided long ago that some weapons — chemical and biological agents, for example — are too dangerous and have no place in our world. It’s time we came to the same conclusion about cyberweapons like EternalBlue.