An unprecedented global cyberattack that infected computers in at least 150 countries beginning on Friday has unleashed a new wave of criticism of the U.S. National Security Agency.
The attack was made possible by a flaw in Microsoft’s Windows software that the NSA used to build a hacking tool for its own use – only to have that tool and others end up in the hands of a mysterious group called the Shadow Brokers, which then published them online.
Microsoft President Brad Smith sharply criticized the U.S. government on Sunday for “stockpiling” software flaws that it often cannot protect, citing recent leaks of both NSA and CIA hacking tools.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote in a blog post. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
Some major technology companies, including Alphabet’s Google and Facebook, declined comment on the Microsoft statement.
But some other technology industry executives said privately that it reflected a widely held view in Silicon Valley that the U.S. government is too willing to jeopardize internet security in order to preserve offensive cyber capabilities.
The NSA did not respond to requests for comment.
The NSA and other intelligence services generally aim to balance disclosing software flaws they unearth against keeping them secret for espionage and cyber warfare purposes.
On Monday, senior administration officials defended the government’s handling of software flaws, without confirming the NSA link to WannaCry, the tool used in the global ransomware attack.
“The United States, more than probably any other country, is extremely careful with their processes about how they handle any vulnerabilities that they’re aware of,” Tom Bossert, the White House homeland security adviser, said at a press briefing on Monday.
Other tools from the presumed NSA toolkit published by the Shadow Brokers have also been repurposed by criminals and are being sold on underground forums, researchers said. But they appear to be less damaging than WannaCry. It is not known who is behind the Shadow Brokers.
Derek Manky, global security strategist at cyber security firm Fortinet, said he thinks WannaCry is probably the worst that will come from the Shadow Brokers’ publicly dumped toolkit, though the group may have held back from public revealing everything it obtained
“Out of that batch, it is probably a high-water mark,” Manky said.
“WE KNEW IT COULD BE A PROBLEM”
Security experts said the NSA had engaged in responsible disclosure by informing Microsoft of the flaw at some point after learning it had been stolen and a month before the tools leaked online.