Seven months after the WannaCry malware attack infected and held ransom thousands of computers worldwide, Homeland Security Adviser Tom Bossert announced Tuesday that the U.S. is officially attributing the cyberattack to the North Korean government.
“After careful investigation, the United States is publicly attributing the massive WannaCry cyberattack to North Korea. We do not make this allegation lightly. We do so with evidence and we do so with partners,” said Bossert, adding that the U.K., New Zealand, Australia and Japan have seen the analysis and agree with the attribution.
There were hints that North Korea was responsible for WannaCry within weeks of the ransomware’s spread, though experts warned against jumping the gun on attribution.
According to Bossert, who originally announced the U.S. decision to blame North Korea in a Wall Street Journal op-ed, the attribution took as long as it did because the U.S. wanted to be certain they were absolutely correct in their intelligence before going public.
“I think the most important thing is to do it right and not to do it fast,” said Bossert. “We took a lot of time to look through classified and sensitive information. I think ultimately at this point if we had gotten it wrong it would have been more of a damage to our reputation and national security than it would have been a boon to do it quicker.”
“We’re comfortable, in this case though, in saying that it was directed by the government of North Korea,” he continued. “We’re also comfortable in saying that there were actors on their behalf, intermediaries, carrying out this attack, and that they had carried out these types of attacks on behalf of the North Korean government in the past.”
Though WannaCry was a ransomware virus, Bossert added that the likely motivation of the hack was to sow discord and mayhem, as those who did pay the ransom did not get access to their systems back, and were quick to tell others not to bother paying the ransom.
Bossert did not say whether the U.S. would be taking any action against North Korea after the attribution.
“We don’t have a lot of room left here to apply pressure and change their behavior,” said Bossert, adding that any more sanctions would only be likely to starve the people of North Korea and not change any behavior. “I hope that they decide to stop behaving badly online. I’m not naïve. I think they will continue to deny and believe they are beyond repercussions.”
Though cyber experts have criticized the NSA for the hack, due to WannaCry’s similarity to a hacking tool developed by the agency, Bossert was adamant that the U.S. government was “not at all to blame” in the cyberattack.
Bossert and Jeanette Manfra, assistant secretary for DHS’s Office of Cybersecurity and Communications, called upon the private sector to continue the level of partnership that prevented the U.S. from being impacted as much as other countries in the WannaCry attack.
“WannaCry is a great example of how this partnership works,” said Manfra. “By mid-afternoon, I had all the major internet service providers either on the phone or on our watch floor, sharing information with us about what they were seeing globally and in the United States.”
“I call today and the President calls today on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and the bad actors to launch reckless and destructive cyber acts,” said Bossert.
Manfra also announced that DHS would be expanding its efforts in protecting against cyberattacks to beyond voluntary information sharing with the private sector.
“To ensure adequate security in the private sector, DHS plans to move beyond only offering voluntary assistance to more proactively becoming the world leader in cyber risk analysis and intervening directly with companies when necessary,” said Manfra, adding that DHS has issued specific alerts to the private sector on the attack vectors and malware used by North Korea-sponsored hackers. “Our goal is a cyber environment where a given threat such as a malicious email can only be used once before it is blocked by all other potential victims.”
Manfra also challenged the private sector up its standards for cybersecurity.
“We see some gaps between what an entity might consider as adequate security for themselves or their sector and what is in the public’s interest,” said Manfra. “The American people depend on critical services and functions such as electricity, a stable financial system and dependable communications, all things that enable our modern way of life. Many of these are run by the private sector.”