The particularly nasty computer program dubbed "WannaCry" that attacked hospitals, businesses and government agencies around the world this past weekend was like a cybercrime highlight reel, a compilation of by-now familiar elements — conscience-free cybercriminals, an obscure vulnerability in Microsoft Windows, older and ill-maintained corporate computer networks and computer users tricked into opening booby-trapped email attachments — that played out on an epic scale.
What's different this time is that the hackers apparently had considerable help from the U.S. government. They used a stolen tool reportedly developed by the National Security Agency to exploit a hidden weakness in the Windows operating system and spread their ransomware far and wide. The tool was one of many linked to the NSA that were leaked online last year, then finally decrypted in April for use by anyone with the requisite coding skills.
It's tempting to howl at the NSA for not alerting companies like Microsoft when its researchers find vulnerabilities in their products. The reality, though, is that doing so would reduce the effectiveness of cybertools that have become an integral part of modern efforts by agencies like the NSA to fight terrorism, international criminal organizations and rogue states. What's needed is a better effort to determine if and when a vulnerability discovered by the feds represents too great a threat to keep it secret from the potential victims. That's a difficult balance to strike, and the decision shouldn't be made solely by the executive branch without the input of independent experts and, potentially, lawmakers.
The even more important lesson here is that years, even decades of warnings from security experts simply aren't getting through to the public. WannaCry should not have reached disastrous proportions — Microsoft released a patch that could close the vulnerability in March, well before the NSA's tool was decrypted. Yet tens of thousands of computers weren't updated, allowing the malware the room it needed to spread.
The problem could easily get much, much worse as more routine devices become smart, Internet-connected ones. Evidently we need stronger incentives not just for companies to release more secure products, but also for users to keep them updated and protect their data with encryption and backups. That's what the lawmakers and federal officials should be focusing on — not on trying to discourage consumers from using encryption on their smartphones, or on building stockpiles of malware based on vulnerabilities they alone have found.