5/15/2017 WannaCry Ransomware Attack Shows Danger of Cyber War Crimes ­ Bloomberg­05­15/ban­cyberweapons­that­target­civilian­infrastructure 1/5

Vulnerable tech. Photographer: Jonathan Nackstrand/AFP/Getty Images)

Last week's ransomware attack that brought down MRI scanners in the U.K., railroad ticket machines in Germany, interior ministry

computers in Russia and parts of the FedEx network in the U.S. is bound to cause a backlash against spy agencies' cyberwarfare capabilities. It

shows that services such as the U.S. National Security Agency hoard weapons that, by their very nature, target civilian infrastructure.

The WannaCry attack wasn't a big-time nation state operation, though it's likely that it may have originated in Russia. Last year, 75 percent of

crypto ransomware -- malware that encrypts files on the target machine to force its owner to pay a ransom in exchange for their decryption -

- originated <> from the Russian-speaking hacker underworld. The largest number of

WannaCry attacks occurred <> in Russia and Ukraine. The hackers here weren't

playing some political interference game: They were after money, in bitcoin. Researchers who tracked the bitcoin addresses hardwired into the

malware found <> that tens of

thousands of dollars had been paid before the spread of the virus was halted <

stop-a-global-cyber-attacks.html> by a cybersecurity expert who accidentally found a flaw in WannaCry.

That flaw, apparently the result of the hackers' rather clumsy attempt to prevent their malware from being analyzed, shows the attack wasn't

highly sophisticated. Its main element was developed by the NSA, not the hackers -- a vulnerability codenamed Eternalblue, which allowed the

The WannaCry code demonstrates how petty criminals can adapt leaked intelligence tools to their uses. By

May 15, 2017, 12:48 PM GMT+1


Ransomware Attack Shows Threat of Cyber War Crimes

Leonid Bershidsky 17

5/15/2017 WannaCry Ransomware Attack Shows Danger of Cyber War Crimes ­ Bloomberg­05­15/ban­cyberweapons­that­target­civilian­infrastructure 2/5

agency to commandeer old, pre-Windows 10 versions of the Microsoft operating system. The NSA code was released

<> in April by a hacking group calling itself Shadow Brokers, which

had apparently failed to find a buyer for a large trove of NSA cyberweapons.

After the recent leaks of hacking tools from the NSA and the Central Intelligence Agency, cyberespionage critics, including NSA whistleblower

Edward Snowden and WikiLeaks founder Julian Assange, have criticized the agencies for hoarding vulnerabilities for their own use instead of

flagging them to companies like Microsoft in the interest of public safety. Following the WannaCry attack, one of the biggest in history,

Microsoft itself has joined the ranks of the critics. In a strongly worded blog post, Brad Smith, the company's president and chief legal

officer, wrote <

weeks-cyberattack/#sm.00000d4d2maplacqypyw3scw2xkzo> :

Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario

with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a

completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state

action and organized criminal action.

Microsoft and its peers shouldn't count on the NSA to hand over information about vulnerabilities; spies will be spies. Given the current

regulatory environment, it's the responsibility of these companies themselves, with their enormous financial resources, to track down these

gaps in the security of their products, paying to acquire information if necessary.

Smith, however, is right when he calls <

convention/#sm.00000d4d2maplacqypyw3scw2xkzo> for a "Digital Geneva Convention" that would protect civilians against nation-states'

cyberwars, just as the Fourth Geneva Convention <

EN.pdf> defends civilians in time of conventional war.

How did the NSA plan to use Eternalblue in the first place is a good question. The fact that it only works against old Windows systems shows

that it is specifically directed against civilian infrastructure, such as public sector networks that are often administered cheaply, by overworked

and less qualified information technology professionals, on obsolete hardware, with software that won't run on Windows 10.

The newest version of the Microsoft operating system now holds just 26 percent <

share.aspx?qprid=10&qpcustomd=0> of the global market. The share of Windows 7, released in 2009, is 48.5 percent and 7 percent of the

world's internet-connected computers still use 16-year-old Windows XP. No matter how Microsoft pushes the newest system to customers (the

upgrades are free), some systems stick with the old versions, simply because they can't afford the switching effort in terms of the time required

and the old hardware's insufficiency. Expensive MRI machines used by the British National Health Service are a good example; medical

equipment everywhere is likely to run antiquated systems -- and it's exposed

<> to attacks delivered through the


The Russian interior ministry's computers affected by the WannaCry virus aren't military-use machines; they're old computers in police

stations and service centers, the ones that are always the last to get an upgrade. For the German railroads, too, switching all the ticket terminals

to Windows 10 is not exactly a priority.

It's easy to say everyone should be vigilant, install every patch released and, preferably, never miss an operating system update. Certainly

many institutions and companies underinvest in this area. These civilian systems, however, will always lag behind -- and that's why the NSA

5/15/2017 WannaCry Ransomware Attack Shows Danger of Cyber War Crimes ­ Bloomberg­05­15/ban­cyberweapons­that­target­civilian­infrastructure 3/5

Terms of Service Trademarks Privacy Policy  ©2017 Bloomberg L.P. All Rights Reserved

Careers Made in NYC Advertise Ad Choices  Website Feedback Help

thinks old Windows vulnerabilities are worth hoarding.

It's tempting for an intelligence service to find ways to shut down an adversary's power grid or hospital system, or to hack traffic lights in a big

city to cause chaos. But that's as unethical as shooting or torturing the civilians in war. It should be illegal to develop such weapons, just as it is

to produce nerve gas for military uses. Intelligence agencies should be legally required to give up any cyberweapons that don't specifically

target the military capabilities of adversary states.

It would be naive to believe that would rule out the use of such cyberweapons. But it will improve intelligence services' accountability and, at

the very least, force them to take better care of any dark stuff that comes into their hands. As it is, if they have a piece of malware, it's highly

likely that even small-time criminals will have it, too.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

To contact the author of this story:

Leonid Bershidsky at [email protected]

To contact the editor responsible for this story:

Therese Raphael at [email protected]