The particularly nasty computer program dubbed WannaCry that attacked hospitals, businesses and government agencies around the world this past weekend was like a cybercrime highlight reel, a compilation of by-now familiar elements that played out on an epic scale.
What is different this time is that the conscience-free hackers apparently had considerable, albeit unwitting, help from the US government. They used a stolen tool reportedly developed by the National Security Agency to exploit a weakness in the Windows operating system that the agency had kept to itself, and used it to spread their “ransomware” to computers far and wide.
It is tempting to howl at the NSA for not alerting companies like Microsoft when its researchers find vulnerabilities in their products. The reality, though, is that doing so would reduce the effectiveness of cybertools that have become an integral part of modern efforts by agencies like the NSA to fight terrorism, international criminal organizations and rogue states.
What is needed is a better effort to determine if and when a vulnerability discovered by the feds represents too great a threat to keep it secret from the potential victims. That’s a difficult balance to strike, and the decision should not be made solely by the executive branch without the input of independent experts and, potentially, lawmakers.
The even more important lesson here is that years, even decades, of warnings from security experts simply are not getting through to the public. WannaCry should not have reached disastrous proportions: Microsoft released a patch that closed the vulnerability in March, weeks before the stolen NSA tool was leaked in usable form. Yet tens of thousands of computers were never updated, allowing the malware to spread from one unpatched machine to the next.
The problem could easily get much, much worse as more routine devices become smart, Internet-connected ones. We need stronger incentives not just for companies to release more secure products, but also for users to keep them updated and to protect their data with encryption and backups. That is what lawmakers and federal officials should be focusing on, not on trying to discourage consumers from using encryption on their smartphones, or on building stockpiles of malware based on vulnerabilities they alone have found.