Did Kim Jong Un Really Release the WannaCry Virus?

This article first appeared on Just Security.

The Trump Administration this week formally accused the North Korean government of responsibility for the WannaCry ransomware attacks that hobbled hundreds of thousands of computers “in more than 150 countries” in May 2017.

The accusation came first in a Wall Street Journal op-ed by U.S. Homeland Security Advisor Tom Bossert Monday night. At a press briefing on Tuesday, Bossert explained that North Korea’s “malicious behavior is growing more egregious, and . . . [t]he attribution is a step towards holding them accountable  . . .”

He noted, “We do not make this allegation lightly. We do so with evidence, and we do so with partners. Other governments and private companies agree. The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.”

GettyImages-888602108 This undated picture released from North Korea's official Korean Central News Agency (KCNA) on December 09, 2017 shows North Korean leader Kim Jong-Un visiting Mount Paektu in Ryanggang Province. AFP/Getty

The attribution is in many ways unsurprising. Private companies alleged North Korean involvement within days of the ransomware’s spread, and the Washington Post reported in June that the National Security Agency had concluded that North Korea was behind the WannaCry worm.

Nonetheless, the attribution raises several important questions.

1. Where’s the evidence?

Attribution by op-ed doesn’t lend itself to technical detail. Prior U.S. attributions, particularly the attribution of the Sony hack to North Korea three years ago, have come in for criticism for providing insufficient detail to support accusations, and this attribution is the least-supported to date.

When asked in the press briefing about the basis for the U.S. accusation, Bossert said, “What we did was, rely on — and some of it I can’t share, unfortunately — technical links to previously identified North Korean cyber tools, tradecraft, operational infrastructure.”

This may be sufficient given the accusations against North Korea by the private sector, and even the UK government, over the last few months. But it does little to set an example or establish an evidentiary best practice for states to follow in attributing future cyberattacks to states or state-sponsored actors.

It is especially unlikely to satisfy states that pushed for a statement in the 2015 UN Group of Governmental Experts report that “accusations of organizing and implementing wrongful acts brought against States should be substantiated.”

2. What should be the respective roles of the government and private companies?

Although Bossert announced no governmental action besides the attribution itself, he praised the actions of private companies.

He said, “We applaud our corporate partners, Microsoft and Facebook especially, for acting on their own initiative last week without any direction by the U.S. government or coordination to disrupt the activities of North Korean hackers. Microsoft acted before the attack in ways that spared many U.S. targets.”

This praise is consistent with prior U.S. government statements emphasizing the important role that private parties play in cybersecurity, but it’s rendered more interesting here because of the circumstances of WannaCry.

As the New York Times reported in May, the ransomware exploited a vulnerability in Microsoft Windows that was revealed when the Shadow Brokers divulged hacking tools stolen from the National Security Agency. Microsoft patched the vulnerability before WannaCry’s release, but the ransomware spread widely on unpatched systems.

In a blog post in May, Microsoft President Brad Smith argued that the ransomware “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem” and that “an equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

Smith said Tuesday that Microsoft “helped disrupt the malware [the hackers known as the Lazarus] group relies on, cleaned customers’ infected computers, disabled accounts being used to pursue cyberattacks and strengthened Windows defenses to prevent reinfection.”

Facebook similarly said that it deleted accounts linked to the hackers and notified others who were in contact with those accounts.

The importance of private actions to the mitigation of the threats from North Korea illustrates what I have called the “public-private cybersecurity system” in the United States.

This system gives private parties a quasi-governmental role, casting them as crime fighters and national security defenders, and blurs the line between the government and the private sector in ways that raise important issues about accountability, transparency, and other public values.

As the WannaCry incident shows, threats to public values may come from governmental or private actors—and so can protective measures.

But figuring out how to manage public-private cybersecurity to best protect individuals, institutions, and society at large is becoming increasingly crucial as the blurring of public and private roles may now be close to explicit U.S. government policy.

At the White House press briefing, Jeanette Manfra, the Department of Homeland Security’s Assistant Secretary for Cybersecurity and Communications, said : “Our adversaries are not distinguishing between public and private, so neither should we.”

3. Did North Korea violate international law?

Once again, governments have missed an opportunity to clarify the bounds of international law in cyberspace.

Bossert’s op-ed and comments at the press briefing strongly condemn North Korea’s actions, but do not clarify whether the United States regards them as a violation of international law.

In a press release, the UK Foreign Office Minister for Cyber, Lord Ahmad of Wimbledon, issued a similar condemnation and said, “International law applies online as it does offline.” But he stopped short of saying that WannaCry violated international law.

States agreed in the UN Group of Governmental Experts that “[a] State should not conduct or knowingly support [information and communications technology] activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public” (para. 13(f)).

WannaCry clearly impaired the use of critical infrastructure: it severely disrupted the functioning of UK hospitals, among many other affected entities.

So were North Korea’s actions “contrary to its obligations under international law” or not?

The silence on the international law questions could mean that governments do not think that there was an international law violation. Or it could mean there is disagreement within different governments or between different governments about whether there was an international law violation and if so, which principle of international law was violated.

Yet another possibility is that states do agree that WannaCry violated international law, but are making a policy choice not to call North Korea’s actions a legal violation in order to avoid creating public expectations about the need for governments to respond. This may be particularly attractive for the United States, which escaped much of WannaCry’s impact.

Nonetheless, if international law is to develop, at some point states must determine and publicly explain how international law applies to attacks like WannaCry, the Sony Pictures hack, and Russian election interference.

By refraining from legal characterization of governments’ actions in cyberspace, states are missing the chance to develop international law, which could ultimately justify additional responses to bad actions by states, beyond just naming and shaming.

Kristen Eichensehr is an Assistant Professor at UCLA School of Law, Affiliate Scholar at Stanford Law School's Center for Internet and Society and Former Special Assistant to the Legal Adviser of the U.S. Department of State.