Ransomware: Who’s to Blame or Not to Blame in Baltimore Attack?

As the ongoing impacts of the ransomware attack against the city of Baltimore worsen, the blame game has reached national news headlines. Let’s explore some of the precedent-setting issues involved.

by / June 2, 2019

As the city of Baltimore continues to recover from the devastating ransomware attack that struck on May 7, 2019, the total incident costs are estimated to be at least $18.2 million, according to The Baltimore Sun. City leaders have not given a timetable for how long the total recovery effort will take, other than saying it could be months.

As the number of U.S. ransomware incidents has skyrocketed, the national discussion has shifted regarding who is to blame for our current predicament.

Some of the broader questions now being asked include:

  • Are creators of destructive malware or cybertools, which were originally intended for use against foreign adversaries, responsible if those cyberweapons are later reused against friendly targets?
  • What legal responsibility do three-letter agencies have to ensure that hacking tools do not fall into the wrong hands and/or to defend potential victims if the weapons are used against allies?
  • What happens when the military or intelligence agencies fail in their hacking efforts and people, or companies, or governments, get harmed somehow? (Or a corollary: What if bad actors hack back and most Americans don’t have the tools to stop them?)
  • Should victims of ransomware or other cybercrimes be able to sue government agencies who created cyberweapons or tools with non-malicious intent — even if the cybercrime victim failed to take basic, reasonable, well-known steps to protect themselves? For example, organizations were warned to patch computer systems or perform backups, but they failed to act.
  • Can costs incurred by governments from a severe ransomware (or other cyberattack) be reimbursed under the Disaster Relief and Emergency Assistance Act (Stafford Act 42 U.S.C. 5721)?
  • Or, put more simply regarding ransomware and other cybercrime incidents: To blame or not to blame (others) — that is the (new cyber) question.

These topics, with impact far beyond the current Baltimore example, are sure to reoccur over the next several years and likely throughout the upcoming 2020 decade. Regardless of the outcome of this particular Baltimore cyberincident, these questions are sure to evolve and be discussed and litigated in the future.    

Details, Please?

Here are some of the recent headlines, with stories that dive deeper into this particular ransomware situation:

ArsTechnica.com: Eternally Blue: Baltimore City leaders blame NSA for ransomware attack — Mayor and council president ask for federal disaster dollars to clean up IT toxic waste. “The mayor and city council president of Baltimore are pushing for the ransomware attack that brought Baltimore's city government to a standstill to be designated a disaster, and officials are seeking federal aid to help pay for the cleanup from the RobbinHood malware's damage. …

EternalBlue was part of a set of tools developed for the NSA's Tailored Access Operations (TAO) group that were leaked by Shadow Brokers in 2017. The tool was then used two months later as part of WannaCry, the destructive cryptographic worm that affected thousands of computers worldwide. Shadow Brokers has been linked by some security experts to a Russian intelligence agency; WannaCry has been attributed to North Korea's military. …”

Nextgov.com: NSA Deflects Blame for Baltimore Ransomware Attack — Rob Joyce, the NSA’s top cyber policy adviser, on Thursday rebuffed blame after one of the agency’s cyber weapons was used to hold Baltimore’s computer networks for ransom, arguing the attack would’ve been avoided if the city was more proactive with its digital hygiene.

“NSA shares the concerns of all the law-abiding citizens around the world about the threat posed by that criminal, malicious cyber activity, but the characterization that there’s an indefensible nation-state tool propagating ransomware is simply untrue,” Joyce said at a cybersecurity conference hosted by CrowdStrike.

The New York Times: N.S.A. Denies Its Cyberweapon Was Used in Baltimore Attack, Congressman Says

“A Maryland congressman said on Friday that the National Security Agency had denied that one of its hacking tools, stolen in 2017, was used in a ransomware attack on Baltimore’s government that had disrupted city services for more than three weeks.

The statement, made by Representative C.A. Dutch Ruppersberger, came in response to an article in The New York Times last weekend. The Times was told by people directly involved in the investigation in Baltimore that the N.S.A. tool, EternalBlue, was found in the city’s network by all four contractors hired to study the attack and restore computer services. …”

The Baltimore Sun: Blame city's failure to update software, not NSA — “Microsoft provided the fix for the flaw in its operating system that EternalBlue exploits over two years ago. Best practices in the IT industry are to take critical patches from software vendors and have them on test systems (to make sure they do not have any unintended consequences) the week after they are released and have them on production systems within 30-60 days. That Baltimore's IT department hasn't deployed those patches two years later is an unconscionable dereliction of duty. I shudder to think what the state of the rest of the city's systems are in if it can't keep up with Microsoft patches. …”

Monday Morning Quarterback — Ransomware Edition  

At a time when many, if not most, ransomware victims pay the ransom and don’t report the specific details, it can be hard to determine the origin of the cyberattack or attribute any culpability.

Nevertheless, the blame game is sure to heat up further as ransomware incidents accelerate. This article from two years ago laid out some of the potential actors and details surrounding who can get blamed for ransomware attacks:   

  • The U.S. Intelligence Community
  • Microsoft (or another vendor providing operating systems with vulnerabilities or not supporting old operating systems like Windows 7 or Windows XP.)
  • The End Users
  • Third-Party Vendors
  • The Internet of Things
  • The Bad Guys

There are those that think “hacking back” will only increase the finger-pointing and blame game further.

Here is a sample of the diverse comments received on this topic from some well known cyberexperts:

Chris Roberts — chief security strategist at Attivo Networks:

“Yep, NSA’s tools did lead to this BUT Baltimore HAD two bloody years to patch their stuff (systems).”

Gary Hayslip former CISO for the city of San Diego:

Chris Roberts, right there with you brother, your lack of basic hygiene for managing your own municipal networks doesn't excuse you from being held accountable.”

Douglas Edwards senior solutions architect multidiscipline Big Data Infrastructure for Integration Architect:

“Gap is widening on how confused the public has become on cybercrime cause and effect.”

Dan Walsh — InfoSec Protagonist at Act 1:

“Too easy to blame the victims: NSA or Baltimore; media-reported finger pointing is just clickbait. The problem is bigger than our failing organization-as-endpoint security strategy. A combination of trusted tier 1 internet connection zones, clean pipes, and multi-factor IDM will go much further to enabling an authentic long-term enterprise solution.”

William Klumper — CIO, CISO and privacy officer, senior advisor to Fundingshield LLC:

“They did this to themselves with very deliberate decisions and how they — their leadership — allocated funds. Much of it was to pander votes, get re-elected, etc. They are playing victim and using that role to their advantage. In theory, because of the blatant negligence of their leadership and failing on so many fronts, they should pay out of their pocket book to aid in the recovery. They will not. They will either ask for a handout or tax their people in a classic tax and spend. The problem is they have no plausible defences. They got hacked once and knew their systems were inadequate. Love how the mayor said a recent audit that all was OK. It was just a check the box and it was designed to give plausible deniability. It a checklist.”

Joseph Hall — chief information security officer at HEROIC Cybersecurity:

“The initial failure was the loss of a military-grade cyberweapon. They mitigated this by reporting the vulnerability to the software companies. Patches were made and the news cycle was flooded with this. Did their IT staff plan for this? Was budget or priority a problem? Were they living under a rock? I don't know.”

For those who want to learn more about ransomware and its impacts in general, here are some of my previous blogs from the past few years and related articles with more specific details:  

Where Have We Seen This Movie — in Other Contexts?

While there is little doubt that the blame game will continue regarding cybercrimes and victims, you may be wondering if there are any other disciplines to examine which can foretell where we might be heading on this issue in the medium to long term from a legal and public policy perspective.

I think the answer is yes, but there are obviously some major differences from the physical world and cyberspace. Nevertheless, I think this debate has at least some similarities and lessons we can learn from:  

Gun control debates — Every time there is a deadly criminal shooting in the headlines, we re-enter the national debate about possible solutions. We were reminded of this again this weekend with the Virginia Beach shooting rampage in which a city employee killed 12 others. The two sides of this debate are well known, and some even want to prosecute the gun manufacturers.    

Military weapons falling into the wrong hands — This Newsweek article highlights the high-tech future of war, and the many billionaire players involved. At the same time, we have many examples where high-tech weapons fell into enemy hands and were used against our troops. A similar pattern may be developing in cyberspace.   

Cyber Insurance — There have been several cybersecurity incidents in which insurance companies did not pay out, claiming that the incident involved was the result of a cyber war. The claim was that this condition was outside the bounds of the policy coverage.  

Closing Thoughts

Ultimately, the courts, and government organizations like FEMA, will need to decide the long list of related questions (some of which are listed at the beginning of this piece) that are arising from home-grown cyberweapons that bad actors somehow gain access to (and use) against ill-equipped organizations.

Whether Baltimore was directly harmed by NSA-developed cyberweapons is a debatable point. However, there is little doubt that more incidents like this are coming with differing levels of available cyberdefenses to stop them. No doubt, more powerful cyberweapons could be used by adversaries that could cause more harm.  

Will we get to a point where hacking tools developed by our intelligence community fall into the wrong hands without patches or effective defensive solutions available to help our civilian organizations? Perhaps.

Most experts agree that Baltimore could have done much more (like patching their systems) to prevent this particular ransomware from causing so much operational damage. In addition, no organization has (good) excuses for not having workable, up-to-date backups.      

Nevertheless, my opinion is that more public and private sector organizations will turn to the “blame game” as their after-the-incident public policy strategy (and potential source of financial reimbursement if it works) - whether they should have theoretically stopped the cyberattack or not.    

Platforms & Programs