Episode 165 is a WannaCry Festivus celebration, as The Airing of Grievances overtakes The Patching of Old Machines. Michael Vatis joins me in identifying all the entities who’ve been blamed for WannaCry, starting with Microsoft for not patching Windows XP until after the damage was done. (We exonerate Microsoft on that count.)
Another candidate for WannaCry Goat of the Year is (of course) NSA for allegedly letting a powerful hacking tool fall into the hands of the Shadow Brokers, who released it in time for WannaCry’s authors to drop it into their worm. Private industry’s fingerpointing at NSA has led to introduction of the PATCH Act, which tries to institutionalize (and tilt) the vulnerability equities process. I raise a caution flag about trying to prevent harmful vulnerability leaks by spreading information about the vulnerabilities to a new batch of civilian agencies. I also ask whether a rational equities process should require that companies get the benefit of the process only if they agree to patch their products promptly and if they cooperate to the extent possible with law enforcement rather than forcing agencies to hack their products just to carry out lawful searches. Somehow I’m guessing that will cool Silicon Valley’s enthusiasm for the whole idea.
Meanwhile, Shadow Brokers, widely thought to be Russian intelligence, may be having an equally awkward Festivus celebration with their masters, since the exploit they released seems to be causing more widespread discomfort in Russia than in the West, probably because of Russia’s high usage of unpatched pirate software.
The North Koreans should be on the carpet as well, since there is increasing reason to believe that WannaCry was a mostly failed effort by Kim Jong Un to raise money through cybercrime. The worm seems to have collected only $100 thousand in bitcoin for its authors, and the worst of its impact was likely felt in China, the world capital of pirated unpatched software. Since North Korea seems to rely on China’s internet infrastructure to launch and control its cyberattacks, launching one that mainly hurts its host is typically shortsighted.
Finally, the victims don’t escape blame. The SEC unveiled its latest criticism of private sector security practices in the financial industry as the WannaCry publicity reached a peak.
Meanwhile, our own Jon Sallet joins the Oliver-Pai debate on net neutrality, and through the magic of radio, he is able to coffee-cup-shame both of them. (Sound effects credit to http://www.zapsplat.com/.) As an encore, Jon explains why the European Commission fined Facebook $122 million over its acquisition of WhatsApp – without undoing the deal.
As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.