Baltimore City Hall in Maryland. Information security professionals are debating who to blame for a city-crippling ransomware infection that is said to have involved an NSA hacking tool which leaked publicly in 2017.
Alex Wroblewski—Getty Images
By Robert Hackett
June 1, 2019

Since early May, Baltimore has been grappling with a city-crippling ransomware attack. A fiery debate has erupted within the information security community over who is to blame for the mess.

The match that lit the blaze: A story published by the The New York Times last weekend claiming the U.S. National Security Agency is partly responsible for helping to spread the computer-seizing digital infection. The report alleges that hackers used malware, dubbed RobbinHood, paired with EternalBlue, a powerful, self-propagating hacking tool allegedly developed by the NSA to target (now outdated) Microsoft Windows software. The code behind EternalBlue leaked online at the hands of a mysterious, still-unknown entity called the ShadowBrokers in 2017, and nation state actors have used the weapon to launch destructive cyberattacks—including North Korea’s WannaCry and Russia’s NotPetya—costing billions of dollars in damages for businesses and governments around the globe.

Because NSA lost control of this hacking tool, an alleged “key component” of the latest ransomware, according to the Times, the paper lays blame at the spy agency’s feet.

The backlash on that point has been fierce. Some information security professionals have argued that the malware in question did not need EternalBlue to wreak its havoc. Dave Aitel, a former NSA hacker and present chief security officer of Cyxtera, a data center company, wrote on his personal blog that “that particular exploit being used to do lateral movement for this ransomware is neither supported by any public facts, nor my own sources on the issue.” Alternative means of propagation were far likelier, he said. Rob Graham, CEO of Errata Security, a cybersecurity shop, agreed that even if the ransomware incorporated EternalBlue code, it probably didn’t rely on the tool to spread. “Yes, ransomware increasingly includes Eternalblue as part of their arsenal of attacks, but this doesn’t mean Eternalblue is responsible for ransomware,” he wrote on his own blog.

Unsurprisingly, the NSA is disclaiming responsibility for the fallout. C.A. Dutch Ruppersberger, a Maryland congressperson, said that senior NSA leaders told him “there is no evidence at this time that EternalBlue played a role in the ransomware attack affecting Baltimore City,” as the Times reported in a follow-up story on Friday. Rob Joyce, a top NSA bigwig offered his own form of disavowal: “The characterization that there is an indefensible nation-state tool propagating ransomware is simply untrue,” he said in remarks reported by CyberScoop, a cybersecurity news outlet.

The NSA has a point. If EternalBlue truly was key to the Baltimore attack, as the Times initially reported, then it would appear that Baltimore had for years failed to update its computer systems to defend against a known, critical vulnerability. Microsoft released a patch in 2017; the exploit works on machines running Windows software that’s two years out of date. The harsh truth: Baltimore should have been better prepared.

Keeping IT systems up to date and secured is easier said than done, of course. Government offices are perennially resource-strapped and impoverished of tech expertise, struggling to get by on dated equipment. (I used to work in local government—trust me.) And another point to consider: Even if the NSA is not to blame for Baltimore’s debacle, that still does not absolve the agency of its prior negligence. It’s unclear how the spooks lost control of their bag of cyber tricks, including EternalBlue, a couple years ago, let alone the identities of the thieves that call themselves the ShadowBrokers.

As we ponder these questions and wait for Baltimore to release more details about its thwomping, a recommendation: For the love of all that’s holy, please patch this other critical, wormable Windows security hole. Microsoft released a patch for the bug, dubbed BlueKeep, on May 14th, but as of two weeks later 900,000 computers still appear to remain vulnerable, by Wired’s count. If you need a reason to act with celerity, just look at Baltimore.

Do the right thing. Patch.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

SPONSORED FINANCIAL CONTENT

You May Like