Almost exactly one year ago, the world experienced two destructive cyberattacks that relied on offensive cyber tools developed by the National Security Agency and then stolen and shared with the public. In May 2017, the WannaCry ransomware hit over 300,000 computers in 150 countries. One month later, the NotPetya attack hit the computer systems of companies and governmental entities across the globe, causing millions of dollars in damages. These attacks exploited numerous vulnerabilities and subsequently exposed the slow response time of targeted countries and the lack of effective information-sharing mechanisms between responsible agencies, mechanisms that could have mitigated the severe damage caused by the attacks.
The interesting feature of these attacks is that those responsible—North Korea and Russia—used the leaked offensive tools originally developed by the NSA. The investigation into WannaCry ultimately revealed that the attackers had used an exploit called EternalBlue, originally developed by the NSA. NotPetya used a variant of the same exploit, which is still wreaking havoc a year later. For example, in February 2018, security researchers at Symantec reported that an Iran-based hacking group had used EternalBlue as part of its operations.
This situation, in which technologically advanced countries invest in developing offensive cyber capabilities only to have these very tools stolen and reused, raises three critical questions of urgent policy relevance.