The massive ransomware campaign, broadly referred to as WannaCry, makes use of a well-known technical vulnerability and at this stage does not indicate a clear link to any state actor. However, if attribution to a specific state or state-controlled actor is established, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations offers guidance for a response by the states affected, according to a group of NATO CCD COE researchers Tomáš Minárik, Raimo Peterson and Maarja Naagel. Furthermore, there is no silver-bullet answer to the question: how to assure that leaked vulnerabilities are not abused on a massive scale?
“From the perspective of international law, at this stage the information about the WannaCry campaign is not precise enough to come to a clear conclusion about the responsibility of any state. The individual criminal responsibility of the perpetrators of the campaign is obvious, but this is a matter of national criminal investigations and mutual legal assistance,” said Tomáš Minárik, researcher at NATO CCD COE Law and Policy Branch.
Unless the campaign can be attributed to any state by a clear link, state responsibility for the campaign does not arise, be it the state whose hacking tools were supposedly leaked, the state which might have supported the group involved in the leak, or the state where the criminals launching the WannaCry campaign are operating from.
According to recent reports by Kaspersky Lab and Symantec, there is a link between the WannaCry campaign and the Lazarus Group, which is in turn thought to be responsible for the 2014 Sony hack and the 81 million USD cyber heist at the Bangladeshi Central Bank from 2016. According to earlier news, it is closely affiliated with, or even identified as, the North Korean “Bureau 121”.
A Matter of Sovereignty?
“If attribution to a particular state can be established in this case, the legal qualification would be similar to some earlier cases linked to states: the WannaCry campaign would not reach the threshold of armed attack or use of force, nor could it be qualified as prohibited intervention, due to the lack of a coercive element with respect to a government,” concluded Minárik. “However, government systems were also affected by the operation (Russian Ministry of Interior systems were compromised), which could be considered as interference with ‘inherently governmental functions’. This would be a violation of sovereignty, and consequently an internationally wrongful act, according to Tallinn Manual 2.0 (see rule 4 commentary 15, and rule 14). As for non-government systems, the question of violation of sovereignty is not so clear-cut according to the Tallinn Manual 2.0, but if the ransomware disables systems in what is generally described as ‘critical infrastructure’, states might explore the option to invoke a violation of sovereignty,” added Minárik.
If they do so, they could use several legal avenues in the law of state responsibility to respond to the campaign, most important of which are countermeasures, which can be both cyber and non-cyber (for details, see rules 20-25 of Tallinn Manual 2.0). States can also invoke the plea of necessity, even if attribution is not conclusive, provided that they can prove the existence of ‘grave and imminent peril’ and will not ‘seriously impair an essential interest’ of third parties by the responsive measure (for details, see rule 26 of Tallinn Manual 2.0).
Nothing New from the Technical Perspective
The malware uses the Eternalblue SMBv1 vulnerability, which is publicly known since 8 April 2017 when it was made public by The Shadow Brokers group. Microsoft has released a critical patch MS17-010 a month before for all affected Windows versions starting from Windows Vista. Windows 10 is not affected in its default configuration. As Windows XP is not officially supported anymore, initially there was no patch released publicly for Windows XP until the outbreak of WannaCry ransomware. On 12 May 2017, Microsoft released the second critical patch for Windows XP since its End-of-Life in 2014, addressing the Eternalblue SMBv1 vulnerability. There is also an alternative way to harden the system by simply disabling the outdated SMBv1 protocol.
“From technical perspective there is little new to the WannaCry malware campaign. It does not introduce any new zero-day vulnerability, but rather makes use of a well-known vulnerability on unpatched and End-of-Life Windows versions in combination with Internet-faced open services which are usually considered as a serious negligence of system administrator,” said Raimo Peterson, Head of the Technology Branch at NATO CCD COE. “Seeing the affected organisations, it is probable that many of them have a very slow patch cycle (such as healthcare, telecom, manufacturing). Basic cyber defence practices like patching and not using End-of-Life software are effective against this malware,”concluded Peterson.
Stockpiling the Vulnerabilities
Microsoft’s Chief Legal Officer points out that ‘the stockpiling of vulnerabilities by governments is […] a problem’, drawing an analogy with a hypothetical case of ‘the U.S. military having some of its Tomahawk missiles stolen’. However, according to Lawfare, the NSA informed Microsoft of the vulnerabilities already in January 2017, so Microsoft had enough time to release a patch – which it did on 14 March 2017, before the NSA’s hacking tools were published by The Shadow Brokers on 8 April 2017. The WannaCry campaign started almost two months after the release of the patch.
According to rule 6 of the Tallinn Manual 2.0, a ‘State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States.’ Even if one disregards the conditions of the necessary level of harm caused by the subsequent abuse of the tool, or the lack of knowledge of the hack against NSA’s hacking toolbox, it can hardly be argued that the state hoarding the vulnerabilities has neglected its due diligence obligation, since it informed the software manufacturer in due time of the vulnerability.
Back to the Basics
It is unrealistic to ask states to limit themselves in hoarding vulnerabilities, or to expect that these vulnerabilities will not be leaked eventually and used by criminals or states alike. It is equally unrealistic to ask hardware and software developers to provide free lifetime cyber security support to their products. A question nevertheless remains, to which there is no silver-bullet answer: how to assure that leaked vulnerabilities are not abused on a massive scale? Campaigns like WannaCry should remind decision-makers of the importance of baseline cyber security, since in this case the victims could have prevented the spread of ransomware by fairly simple security measures.
This brief reflects the independent views of NATO CCD COE researchers Tomáš Minárik, Raimo Peterson and Maarja Naagel. This brief does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre), Sponsoring Nations and Contributing Participants of the Centre or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.