A year and a half after North Korea and Russia each tinkered with a stolen US hacker tool and wreaked global havoc, the world’s governments are at an impasse about how to stop it from happening again.
Fifty-one of the world’s governments — including the United Kingdom, the US’s top ally in cyberspace — signed an agreement last week to work together to “prevent the proliferation of malicious online programmes and techniques,” among other means of promising to try to help secure the internet. But some of the top-tier cyberpowers in the world — the US, Australia, and Israel — declined to go along, as did the US’s top cyber adversaries — China, Iran, North Korea, and Russia.
It wasn’t mentioned in any of the official languages of the agreement, but looming large behind it is the creation and abuse of an elite hacker tool called EternalBlue. Designed by the US National Security Agency, it’s extraordinarily effective at breaking into older, unpatched versions of Windows. In 2016, a mysterious entity calling itself "the Shadow Brokers," whose real identity is conspicuously still unknown, obtained and released EternalBlue to anyone who cared to visit its blog.
The NSA told Microsoft about the tool soon after it leaked, but plenty of people around the world either don’t update their computers or used older, pirated versions of Windows. The next year, both Russia and North Korea used EternalBlue to create the two most destructive cyberattacks to date. Both were versions of a ransomware worm — a piece of malicious software that both holds a computer hostage and spreads to others. North Korea’s, known as WannaCry, crippled the UK’s National Health Service. Russia’s, NotPetya, was aimed at Ukraine but resulted in international shipping company Maersk and pharmaceutical giant Merck being completely hobbled for days. There were countless other victims.
Microsoft President Brad Smith in large part blamed the NSA for creating the tool and not immediately telling the company about such a powerful exploit of its flagship program. Since then, he’s heavily lobbied countries to the cause of cyberweapon regulation, similar to the Paris call.
Speaking at the Web Summit in Portugal last week, Smith urged the world to “build on the Fourth Geneva Convention of the last century, a convention that called for governments to pledge, as they did, that they would 'protect civilians even in times of war.'”
The US, whose publicly known cyberattacks are far more precise and tailored, unsurprisingly focuses more on punishing countries like North Korea or Russia for being reckless. In recent years, the country has increasingly taken to sanctioning those countries, filing criminal charges against the individual hackers who create malicious programs, and isolating that activity by sometimes convincing its four closest allies in cyberspace — Australia, Canada, New Zealand, and the UK — to join it in calling out the countries responsible.
But the United States did not join the agreement to try to stop the proliferation of such malware, even though most of its cyberspace allies did — only Australia did not. Why remains unexplained. A State Department spokesperson said the US is committed “to many of the policy priorities articulated” in the agreement and will “continue to support many of the overarching policies put forth,” but couldn't offer a rationale for the US decision not to sign on.
Klara Jordan, director of the Atlantic Council’s Cyber Statecraft Initiative, suggested the US may simply prefer to continue to push for a UN-wide agreement on regulation. “It may be just that they prefer to work in other fora that the US government spent years building up and supporting,” she told BuzzFeed News.
Others said it may simply be the Trump administration's dislike of multilateral agreements. “My guess is that the current US government is mostly being ornery,” technologist and Belfer Center research fellow Bruce Schneier told BuzzFeed News. “Also, that most of the really aggressive countries in cyberspace — US, Russia, China, and so on — are keeping their options open."