
White House WannaCry attribution leaves unanswered questions

The White House's WannaCry attribution included the broad strokes, experts say, but the case avoided some key pieces of information, such as the role of the NSA in the attacks.

Although experts accepted the White House assertion that North Korea was behind the WannaCry attacks, some took issue with the government's stance.

In the original announcement of the WannaCry attribution on Monday, and in the press conference on Tuesday, Tom Bossert, homeland security adviser to the White House, reiterated the need to hold those responsible for the attacks accountable.

"As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations," Bossert wrote in an op-ed in the Wall Street Journal. "Malicious hackers belong in prison, and totalitarian governments should pay a price for their actions. The rest of us must redouble our efforts to improve our collective defenses. The tool kits of totalitarian regimes are too threatening to ignore."

However, experts noted a large omission in this accountability: The WannaCry ransomware was built on cyberweapons developed by, and subsequently stolen from, the National Security Agency (NSA).

Jake Williams, a former member of the Tailored Access Operations team for the NSA and founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., noted on Twitter that Bossert never used the words "NSA" or "leak" in the WannaCry attribution op-ed.

"If a Somali terrorist blew up a bomb in [New York City] using explosives supplied by the Syrian government, I don't think we'd ever talk about the attack without talking about Syria. Whether you like it or not, the U.S. supplied the 'explosives' for WannaCry. We need to own this," Williams wrote on Twitter.

"And it's not just WannaCry. AES-NI, NotPetya, and multiple other malware samples have used EternalBlue. But don't stop at EternalBlue. We've had customers hit with other leaked exploits. I don't think we'll ever account for the full damage caused by these leaks," Williams wrote. "Public opinion around nuclear weapons would change if we admitted we couldn't secure them and we'd be attacked by our own stolen weapons. Let's have adult discussions about this happening in the cyber domain and cut out the White House propaganda."

During the press conference on Tuesday, Bossert was directly asked about the NSA's role in developing EternalBlue and the Shadow Brokers' leak of the NSA cyberweapons. Bossert avoided the question, instead saying the U.S. has "led the most transparent vulnerabilities equities process in the world."

Erasing Kaspersky

In addition to glossing over the NSA's connection to WannaCry, Bossert and the White House also omitted Kaspersky Lab's contribution to the WannaCry attribution case. Although Bossert gave credit to Microsoft and Facebook for fighting WannaCry attacks and noted that the U.K., New Zealand, Canada, Australia and Japan all agreed that North Korea was behind the attacks, Bossert didn't give credit to Kaspersky.


Kaspersky Lab's investigation team was the first to draw a connection between WannaCry and North Korea's Lazarus hacking group in June 2017 -- just one month after the initial WannaCry attacks.

However, the only mention of Kaspersky in Bossert's comments was a reminder that the U.S. government counts Kaspersky as untrustworthy due to possible -- but unverified -- connections with the Russian government, and it has moved to ban Kaspersky products from government systems.

Williams said he was not surprised by this omission.

"Given the current political climate, it seems unlikely that the administration will publicly acknowledge Kaspersky's work in cyberthreat intelligence and attribution," Williams told SearchSecurity. "However, there is little doubt they are making use of those same reports behind closed doors. Kaspersky continues to be an important source of cyberthreat intelligence data, including reporting on attackers linked to the Russian government."

Cooperation between government and private sector

As part of the push for accountability, Bossert and the White House said there needed to be closer relations between the public and private sectors following the WannaCry attribution. Bossert wrote that stopping malicious behavior "requires governments and businesses to cooperate to mitigate cyber-risk and increase the cost to hackers. The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet."

Scott Petry, co-founder and CEO of Authentic8 in Mountain View, Calif., said pushing for this kind of cooperation is reasonable and not all that new.

"The Department of Homeland Security has pushed a number of initiatives -- for instance, their Enhanced Cybersecurity Services, where sensitive threat intel is distributed to authorized recipients. They've pushed commercial organizations to provide more intel to DHS for dissemination," Petry told SearchSecurity. "These initiatives have run into some headwinds, though, since organizations have been unable or unwilling to share meaningful attack data. There are compliance and data privacy issues, as well as the conditioned response of not disclosing breaches in a timely fashion."

Matt Suiche, founder of managed threat detection company Comae Technologies, based in Dubai, United Arab Emirates, also noted that the process for such cooperation is not clear.

"Collaboration between entities is very important; we saw it with the recent epidemics -- WannaCry, NotPetya, etc. -- through the infosec community on Twitter. Very useful and detailed descriptions of how the malware was working, and even responses from individuals -- kill switches -- while the big security companies were too slow to provide intelligent feedback," Suiche told SearchSecurity. "But the question is: Are they just saying it for PR, or do they have a preset of trusted partners they will only communicate with? If tomorrow a security startup wants to collaborate and help DHS, is there an official channel for this?"
