Hold North Korea Accountable for WannaCry—And the NSA, Too

Seven months after the WannaCry ransomware ripped across the internet in one of the most damaging hacking operations of all time, the US government has pinned that digital epidemic on North Korea. And while cybersecurity researchers have suspected North Korea's involvement from the start, the Trump administration intends the official charges to carry new diplomatic weight, showing the world that no one can launch reckless cyberattacks with impunity. "Pyongyang will be held accountable," White House cybersecurity chief Tom Bossert wrote in an opinion piece for the Wall Street Journal.

But for some in the cybersecurity community who watched WannaCry's catastrophe unfold, North Korea isn't the only party that requires accountability. They argue that if guilty parties are going to be named—and lessons are to be learned from naming them—those names should include the US government itself. At least some of the focus, they say, belongs on the National Security Agency, which built and then lost control of the code that was integrated into WannaCry, and without which its infections wouldn't have been nearly as devastating.

"As we talk about to whom to attribute the WannaCry attack, it’s also important to remember to whom to attribute the source of the tools used in the attack: the NSA," says Kevin Bankston, the director of the New America Foundation's Open Technology Institute. "By stockpiling the vulnerability information and exploit components that made WannaCry possible, and then failing to adequately shield that information from theft, the intelligence community made America and the world’s information systems more vulnerable."