The Strange WannaCry Attribution
I’ve been trying to figure out why the U.S. government thought it was useful to attribute the “WannaCry” attack to North Korea. WannaCry was a global ransomware attack that hit hundreds of thousands of computers, cost billions of dollars in damage, and compromised U.K. healthcare computers in ways that “put lives at risk.” In a Tuesday, Dec.
Published by The Lawfare Institute
in Cooperation With
I’ve been trying to figure out why the U.S. government thought it was useful to attribute the “WannaCry” attack to North Korea. WannaCry was a global ransomware attack that hit hundreds of thousands of computers, cost billions of dollars in damage, and compromised U.K. healthcare computers in ways that “put lives at risk.” In a Tuesday, Dec. 19 press conference following up on a Monday Wall Street Journal op-ed, White House Homeland Security Advisor Thomas P. Bossert proclaimed the attribution and stated that other countries and private firms agreed, although as is typical, he provided no public evidence. (The Washington Post reported six months ago that the NSA attributed WannaCry to North Korea; the United Kingdom publicly attributed the attack in October.) Bossert also bragged about the United States’ great response to the attack, which left U.S. computer systems largely unscathed. In the process, he had to dart around the embarrassing fact that the WannaCry attack was based on an exploit called “Eternal Blue” that was stolen from the NSA. (As Marcy Wheeler noted, he didn’t do a very good job.) This embarrassment might have been worth it had there been a good reason for making the attribution public. But Bossert didn’t provide a good reason.
The main reason Bossert gave was that the attribution would promote “accountability,” a term he used often in both the op-ed and the presser. Accountability in this context means examining an action, determining whether it was appropriate, and imposing some form of penalty or sanction if it is deemed inappropriate. The United States examined WannaCry, attributed it to North Korea, and determined that it was “malicious behavior.” So what sanction did Bossert announce? In his op-ed, he didn’t specify one, though he did say that the United States “will continue to use our maximum pressure strategy to curb Pyongyang’s ability to mount attacks, cyber or otherwise.” But in his press conference, he was more candid about limitations:
President Trump has used just about every lever you can use short of starving the people of North Korea to death to change their behavior. And so we don’t have a lot of room left here to apply pressure to change their behavior. It’s nevertheless important to call then out, to let them know that it’s them and we know it’s them. Some of the benefit that comes from this attributions is letting them know that we’re going to stop their behavior. (emphasis added)
The problem with this last sentence—that attribution lets North Korea know we will stop their cyberattacks—is that in the three sentences before, and in the rest of the press conference and op-ed, Bossert made clear that the United States did not have the means to stop, or even retaliate against, the North Korean behavior. He said that he thought the public attribution alone, without more, accomplished something important in holding North Korea accountable. As he put it, somewhat confusingly, later:
It’s about simple culpability. We’ve determined who was behind the attack and we’re saying it. It’s pretty straightforward. All I learned about cybersecurity I learned in kindergarten. We’re going to hold them accountable and we’re going to say it. And we’re going to shame them for it.
There you have it: The U.S. government thinks that naming and shaming by itself is a useful response to a cyberattack that caused billions of dollars of damage (though relatively little in the United States) and targeted precisely the types of critical infrastructure officials have long warned was a red line. Another hint that the Trump administration buys the name and shame theory is that Bossert touted indictments in his op-ed:
When we must, the U.S. will act alone to impose costs and consequences for cyber malfeasance. This year, the Trump administration ordered the removal of all Kaspersky software from government systems. A company that could bring data back to Russia represents an unacceptable risk on federal networks. Major companies and retailers followed suit. We brought charges against Iranian hackers who hacked several U.S. companies, including HBO. If those hackers travel, we will arrest them and bring them to justice. We also indicted Russian hackers and a Canadian acting in concert with them. A few weeks ago, we charged three Chinese nationals for hacking, theft of trade secrets and identity theft. There will almost certainly be more indictments to come.
The Kapersky action is a real sanction, but the indictments—a name and shame strategy that began under President Barack Obama but has thus far resulted in no prosecutions—are laughably tiny responses to the Iran and Russia and China operations in question.
The apparent fecklessness of the North Korea WannaCry attribution is clarified when put in recent historical context. On Dec. 19, 2014, the FBI publicly attributed the Sony attack to North Korea. On the same day, Obama said in press conference: “They caused a lot of damage, and we will respond. We will respond proportionally, and we’ll respond in a place and time and manner that we choose. It's not something I'll announce here today at a press conference.” Three days later, North Korea's Internet went down in what many, including North Korea, claimed was a U.S. action (though the U.S. has strongly denied any involvement.) Then on Jan. 2, 2015, the Treasury Department imposed sanctions on North Korean firms and individuals in response to the attack on Sony. The White House said the sanctions were a “proportional response” to “ongoing provocative, destabilizing, and repressive actions and policies [by North Korea], particularly its destructive and coercive cyber attack on Sony Pictures Entertainment.”
These sanctions seemed piddling to many at the time, given the scale of the Sony attack, but they were a lot more than Bossert announced in response to WannaCry. And yet the Obama sanctions seemed ineffective in deterring North Korea’s subsequent disruptive cyberoperations. As David Sanger, David Kirkpatrick, and Nicole Perlroth noted in an important story in October, North Korea in the last few years has been developing into a serious and dangerous, if still emergent, cyberpower—mostly for theft but also, as the WannaCry attack showed, for significant disruption as well. As former NSA Deputy Director Chris Inglis told the authors of the story: “Cyber is a tailor-made instrument of power for [North Korea]. There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation state infrastructure and private-sector infrastructure at risk. It’s a source of income.”
This is the background against which Bossert thinks a name and shame strategy will be consequential against North Korea. But the overwhelming evidence in recent years is that such a strategy is not consequential. “The idea that somehow public shaming is going to be effective, I think doesn’t read the thought process in Russia very well,” President Obama noted a year ago in connection with the DNC hack. The same applies to North Korea. Indeed, WannaCry is evidence that sanctions harsher than name and shame had little discernible effect on North Korea.
But it’s not just that name and shame is ineffective. For at least two reasons, it is counterproductive for the United States to take evident pride in an attribution of a major cyberattack that it at the same time concedes it lacks the tools to retaliate against or deter. First, the consequence of the attribution, and the emphasis on the damage caused by WannaCry, is to raise expectations, at least domestically, about a response. Second, the effect of such a drum-beating attribution and statement of damage, combined with a weak response, is to reveal what has been apparent for a while: “We currently cannot put a lot of stock … in cyber deterrence,” as former DNI Clapper said last year. “It is … very hard to create the substance and psychology of deterrence.” When we overtly signal to North Korea that we have no tools to counteract their cyberattacks, we invite more attacks by North Korea and others—though to be fair, for the reasons Inglis stated, North Korea already has plenty of incentive, since cyber is a relatively inexpensive but very consequential tool for it, and since the United States has already imposed such extensive sanctions and seems out of tools.
I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly. Perhaps the answer to the delay question, and another thing I am missing, is that the public attribution is part of larger plan related to a planned attack on North Korea because of its nuclear threat. Bossert’s unconvincing op-ed and incoherent press conference wouldn’t support either interpretation; and if either interpretation is right, it still comes at a cost to general deterrence. But perhaps, surely, hopefully, there is more here than meets the eye.