A cyber security expert has said the attack, which temporarily crippled the National Health Service (NHS) in Britain and other parts of the world a day before, reveals the failure of the United States Government’s “protocols for warning software developers and the private sector about system vulnerabilities.” “The National Security Agency (NSA) is supposed to lead the vulnerability equities process with all the other government agencies gathered round to discuss their interests in the vulnerability, and to weigh the offensive capabilities against defensive concerns for the private sector and U.S. interests,” The Guardian quoted Adam Segal, the director of the digital and cyberspace policy program at the Council on Foreign Relations, as saying.
“It seems that in this case their hand was forced. They knew the vulnerability was online because of Shadow Brokers and Vault 7, so they went to Microsoft and warned the company they needed to patch it,” he added.
A security expert at Surrey university had earlier claimed that the malware resembled an exploit of ‘EternalBlue’. ‘EternalBlue’ was the name given to a weakness in Microsoft’s security that is thought to have been identified secretly by the US N.S.A.
“From the analysis that has been done, it looks like it is the ‘EternalBlue’ weakness that has been exploited because it is using the same ports and protocols. We don’t know publicly if it is the NSA (that found the vulnerability) but it is widely assumed it is and that is what Shadow Brokers said,” The Guardian quoted Prof. Alan Woodward, as saying.
It was also believed that ‘WannaCry’ works by taking advantage of a flaw in Windows that the NSA knew about, but kept secret. This particular vulnerability was publically disclosed by a group calling itself Shadow Brokers, which claimed to have stolen it from the NSA, among a cache of files it took.
However, without yet knowing who or which groups are behind the attack, experts are wary of assigning motive beyond extortion. One of the theories is that the attack is primarily an attempt to embarrass the U.S. NSA and the intelligence community. It can also be to put more stress on the relationship between the government agencies and the private sector and the vulnerability equities process.