“Can I sue the NSA?” a colleague asked. This started me down the rabbit hole of how we treat and demand accountability in cyber security as opposed to, for example, with biological weapons.
There are two nonlegal aspects of the question I’d like to explore:
This past week a new worm (WannaCrypt) was spreading on the Internet. Acting as ransomware, it encrypted thousands and thousands of computers world-wide, including reportedly causing almost 20 NHS hospitals in the UK to cease operations.
This is when my colleague Amitai Dan asked on Facebook: “Can I sue the NSA?”
I was fascinated with the question. I tagged some of my specialized cyber security attorney friends. You can find one of these legal answers written down by Mark Rasch, here. However, in this post I want to go in a different direction.
When the NSA lost its cyber weapons in a leak, published by Shadow Brokers, it may have been treated as a critical event, but did people suffer personal consequences? Did the head of the agency?
When the Flame APT was discovered, and was found to be a 20-megabyte full toolset, with very little thought given to OPSEC and its own security, I’m sure it was a critical event for whatever intelligence agency was behind it, but was the head of that agency fired?
If this was a virus escaping from a biological research facility, would the response have been the same?
Cyber security is a new field, and we are just starting to explore what it means. We now acknowledge “cyber weapons” should be treated as such, and are even exploring their export restrictions in Wassenaar. But we are not yet at a place where we understand we are not playing computer games.
I don’t necessarily blame the NSA for what happened. I do, however, see a pattern of accounting and responsibility being introduced to the equation. It is a fascinating view of things to come.
My take is we should probably thank the NSA for their hard work and understand that they were acting responsibly in their actions alongside Microsoft, but the question itself is legitimate and should be asked.
Some other friends such as Dave Marcus and Allison Nixon raised the point that we are victim blaming. Perhaps even if the NSA, Microsoft, or even the NHS were sued, regardless of whether they should or shouldn’t be, we are in fact victim blaming.
Here is a screenshot of a doctor speaking of what happened (I can’t verify the screenshot is real). Careful reading this, it has some profanity:
The #1 people to blame are the people who released this worm. And we should remember that. Perhaps we need to force cyber security by law, and perhaps it is a corporate governance issue.
Perhaps, the NHS should be held accountable for not spending on cyber security. Perhaps even, they should be held accountable for ignoring a threat. In security, it is hard for people not to say “why have you not patched? You brought this on yourself.”
Victim blaming is not necessarily the situation here, as one does not necessarily excuse the other.
Regardless, they are a victim of a cyber attack, and we do in fact rush to victim blame in cyber security. This is not our regular and immediate default in other cases, and we should spend some time thinking on that.
Gadi Evron. (Twitter: @gadievron)