The city of Baltimore had more than two years to defend itself against the attack, and it’s officials’ fault they dropped the ball, according to NSA cyber chief Rob Joyce.
It’s unreasonable to get mad at someone for spoiling a movie that came out more than two years ago, and a National Security Agency official thinks the same logic should apply to cybersecurity exploits.
Rob Joyce, the NSA’s top cyber policy adviser, on Thursday rebuffed blame after one of the agency’s cyber weapons was used to hold Baltimore’s computer networks for ransom, arguing the attack would’ve been avoided if the city was more proactive with its digital hygiene.
“NSA shares the concerns of all the law-abiding citizens around the world about the threat posed by that criminal, malicious cyber activity, but the characterization that there’s an indefensible nation-state tool propagating ransomware is simply untrue,” Joyce said at a cybersecurity conference hosted by CrowdStrike.
On May 7, hackers reportedly used an NSA tool called EternalBlue to freeze thousands of the Baltimore government’s computers. The attack shut down email and disrupted numerous government services, and it could ultimately cost the city more than $18 million to recover.
EternalBlue, which was stolen during a 2017 breach at NSA, exploited a previously disclosed bug in a Microsoft software package. The company issued a patch for the vulnerability more than two years ago, but because Baltimore never updated its software, the city remained susceptible to the attack.
After the breach that let EternalBlue loose on the public, Joyce said the agency took significant steps to ensure government and industry had the resources they needed to fend off the weapon. Officials worked to bring attention to the patch and took “a variety of actions to secure national security systems and provide assistance to ... U.S. government partners,” he said.
Still, NSA can only do so much on its own, and the onus falls on organizations to heed the agency’s warnings, according to Joyce. Digital adversaries will constantly change their methods of attack, he said, so companies and governments need to be proactive if they want to keep themselves safe.
“Focusing on a single exploit, especially one that has a solution through a patch that was issued years ago, is really shortsighted,” he said. “Vulnerabilities will continue to be found. Doing the basics is required for responsible network administration.”