Image for The Hypocrisy of Blaming North Korea for WannaCry
Avatar image of Jesse Schooff

The Hypocrisy of Blaming North Korea for WannaCry

Our volunteer, Jesse Schooff, argues why the U.S. needs to acknowledge their role in the May 2017 ransomware attacks before blaming others.

On December 19th, White House homeland security adviser Tom Bossert publicly accused North Korea of being behind the “WannaCry” ransomware. WannaCry hit in May of 2017 and spread rapidly, crippling many companies and public institutions, including — perhaps most notably, and devastatingly — England's National Health Service.

The U.S. says their accusation is the result of lengthy investigation and analysis by partner governments (including Britain, Japan, Australia, New Zealand and Canada), as well as private technology firms. This makes a fair bit of sense: independent security researchers have previously connected North Korea with other hacks and malware. North Korea despises what it sees as its enemies in the west, and is using clever means at their disposal to fight them.

That said, countries like the United States and the United Kingdom placing the blame for WannaCry solely on the shoulders of North Korea amounts to bald-faced hypocrisy.

WannaCry was made possible because of a software vulnerability in Microsoft Windows, which the U.S. National Security Agency discovered several years ago. Insteading of disclosing the flaw to Microsoft — who would in turn create a patch and roll it out through Windows Update — the NSA kept the flaw secret, so that they could develop their own hacks.

The problem is that a bug that isn’t known by the software’s manufacturer nor the general public — the kind of bug we call a “zero day” bug — isn’t just exploitable by one party (e.g., U.S. spies). It’s also exploitable by anyone else who discovers the bug independently.

When the NSA was compromised in April 2017, hackers leaked knowledge of several major vulnerabilities to the public. And although Microsoft had internally found and patched the flaw the month before, many had yet to install the patch. The creators of WannaCry were quick to exploit this fact.

Imagine if your government secretly created a new strain of disease for germ warfare. They also create a vaccine — just in case — but don’t vaccinate their own citizens. They reason that if they start a mass vaccination, it will tip off their enemies, who will easily duplicate the vaccine and inoculate their own citizens, rendering the weapon useless. 

Now imagine that spies from a rival nation steal the germ and use it against the people of the very country that developed it — against you. Who do you blame: your own country, who developed the disease and withheld the cure from you; or the nation who stole and used the disease against you?

This is an extreme example, partly because germ weapons are banned under the Geneva Protocol, but also because we’re talking about attacking computers, not people (at least directly). Bearing that in mind, given that the consequences of the WannaCry attack included crippling several hospitals, human lives really are part of the equation. 

This is why I’ve habitually written about why governments need to be allies of information security researchers and proven security practices, not the adversaries who undermine infosec. Instead of hoarding zero-day software vulnerabilities to use against perceived enemies, governments should turn the bugs over to software companies to get fixed — improving the safety of everyone, including their own citizens and institutions. 

I would argue that in the hypothetical example I posited, one should blame both the country who developed a weapon and the ones who deployed it. Applied to WannaCry, the United States deserves an equal share of the blame. Though somehow, I doubt they’ll own up to it. 


Afterword: For our Canadian supporters, it’s worth mentioning our government’s proposed national security legislation, Bill C-59, which will radically expand the powers of the Communications Security Establishment (CSE). Among those many new powers is a mandate which allows the CSE to research new software vulnerabilities and purchase them from hacking firms, for the purpose of furthering their intelligence-gathering agenda. Again, the goals of improving our nation’s infosec while simultaneously undermining infosec in general are completely incompatible. 


If you’re opposed to government-sanctioned hacking by the CSE, you can use our Stop the Spying site to send a letter to parliament.


Jesse Schooff is a veteran IT professional and technical communicator. As a volunteer blogger for OpenMedia he specializes in issues of privacy and information security. You can find more of his writing at geekman.ca



Take action now! Sign up to be in the loop Donate to support our work