On May 7, 2019, the city of Baltimore was hit by a ransomware attack; the attackers demanded approximately 100,000 USD in Bitcoin to decrypt the affected files.
The attack blocked access to roughly 10,000 government e-mail accounts and disrupted online payments to city departments. This is not the first time the city has been targeted in this manner: a previous ransomware incident in 2018 disrupted the city's emergency dispatch system for 17 hours. As of May 29, 2019, the latest incident is still affecting Baltimore, with no timetable for when the situation will be resolved. Citizens have been unable to pay utility bills, parking tickets, and other municipal taxes and fees.
While ransomware has been an ongoing problem for several years, the May 2019 attack bears closer inspection, largely because the exploit reportedly involved had initially been linked to the National Security Agency (NSA), although more recent reporting is casting doubt on that link. Regardless, it raises important questions about potential government liability when vulnerabilities discovered in secret, and the exploits developed for them, escape into the wild. In April 2017, an exploit dubbed "EternalBlue," attributed to the NSA and targeting a vulnerability in Microsoft's SMBv1 implementation, was published by a group calling itself the "Shadow Brokers," and it has since become a favored option for hostile actors. The prevailing view is that EternalBlue was a critical component of the recent Baltimore attack, to such a degree that city politicians are asking questions of the NSA, which is believed to have initially discovered the vulnerability and kept it for its own purposes rather than disclosing it to Microsoft. The vulnerability requires no credentials: according to one site, an unauthenticated attacker only has to send maliciously crafted packets to a vulnerable SMBv1 server.
If EternalBlue was used to facilitate the recent attack, then there is a strong argument that the affected systems should have been patched well in advance. Microsoft released a patch for the vulnerability (MS17-010) in March 2017, a month before the exploit was leaked, so the fix had been available for more than two years by the time of the Baltimore incident. To be clear, patch management and cyber security due diligence are incumbent on all individuals and organizations and should be carried out promptly to reduce exposure; where a legacy system cannot be patched, disabling SMBv1 and blocking TCP port 445 at the network boundary removes the attack path.
However, the fact that such a significant vulnerability, and the NSA tool that exploited it, have been and may still be used to support hostile cyber activity calls into question the responsibility of governments to report vulnerabilities that could potentially affect millions of people.
The ethical question of whether states should disclose vulnerabilities for remediation or keep them private for use at their discretion will remain a point of contention between advocates of privacy and advocates of national security. Certainly, knowledge of these vulnerabilities can assist intelligence collection in support of national interests, and the importance of having this capability is self-evident. However, an argument can be made that informing manufacturers and vendors better serves and protects the civilian population writ large. When such exploits and weapons escape into the wild, attackers have used them to maximum effect. In addition to the recent ransomware attack, EternalBlue was instrumental in the global WannaCry ransomware campaign (an estimated 53 billion USD global loss); the NotPetya attacks (an estimated 1.2 billion USD global loss); a banking Trojan campaign; and cyber espionage by suspected nation states.
So as more governments develop, improve, and expand their offensive cyber capabilities, the question remains: what is ultimately a government's responsibility with regard to developing exploits and tools that end up being used to cause harm? While the global community struggles to identify and codify state norms of behavior in cyberspace, the topic of state responsibility for the loss of cyber exploits and tools, whether deliberate or not, has not been discussed. If settling definitions of cyber weapons and cyber attacks remains an insurmountable obstacle for states, perhaps reaching consensus on the need for states to safeguard unreported vulnerabilities and tools, or risk a financial penalty, would be a good first step that all could agree on.
Failing to come to such an agreement would be a great disappointment, given that some of the most notable cyber incidents have been tied to nation states. State liability should therefore be applicable, not from the perspective of whether such tools should be developed, possessed, or used, but from the legal standpoint that the offending governments did not responsibly safeguard these vulnerabilities and tools and prevent their accidental release. Cyber indictments against individuals and organizations, and cyber sanctions, are becoming mainstream approaches to punishing cyber attackers, with states using their own legal frameworks as a guide for imposing these penalties. The evidence supporting these actions need only adhere to the filing country's criteria. Similar legal actions could be applied against offending governments with respect to the loss of vulnerabilities and tools.
A former U.S. cyber czar once remarked that building up stockpiles of undisclosed vulnerabilities and leaving the Internet vulnerable runs contrary to a state's national security interests. This is a valid statement, particularly as the lines separating civilian, government, and military systems are increasingly blurred. Protecting citizens is a government's primary function, and that extends to the virtual world. Ensuring that cyber weapons are not compromised, and taking responsibility for remediation in the spirit of civilian welfare when they are, is the least that governments can do.
About the Author
Emilio Iasiello has more than 12 years' experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs.