Three Questions on the WannaCry Attribution to North Korea

Publication Type: Other Writing
Publication Date: December 20, 2017

The Trump Administration this week formally accused the North Korean government of responsibility for the WannaCry ransomware attacks that hobbled hundreds of thousands of computers “in more than 150 countries” in May 2017. The accusation came first in a Wall Street Journal op-ed by U.S. Homeland Security Advisor Tom Bossert Monday night. At a press briefing on Tuesday, Bossert explained that North Korea’s “malicious behavior is growing more egregious, and . . . [t]he attribution is a step towards holding them accountable . . . .” He noted, “We do not make this allegation lightly. We do so with evidence, and we do so with partners. Other governments and private companies agree. The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.”

The attribution is in many ways unsurprising. Private companies alleged North Korean involvement within days of the ransomware’s spread, and the Washington Post reported in June that the National Security Agency had concluded that North Korea was behind the WannaCry worm.

Nonetheless, the attribution raises several important questions.

1. Where’s the evidence?

Attribution by op-ed doesn’t lend itself to technical detail. Prior U.S. attributions, particularly the attribution of the Sony hack to North Korea three years ago, have come in for criticism for providing insufficient detail to support accusations, and this attribution is the least-supported to date. When asked in the press briefing about the basis for the U.S. accusation, Bossert said, “What we did was, rely on — and some of it I can’t share, unfortunately — technical links to previously identified North Korean cyber tools, tradecraft, operational infrastructure.”

This may be sufficient given the accusations against North Korea by the private sector, and even the UK government, over the last few months. But it does little to set an example or establish an evidentiary best practice for states to follow in attributing future cyberattacks to states or state-sponsored actors. It is especially unlikely to satisfy states that pushed for a statement in the 2015 UN Group of Governmental Experts report that “accusations of organizing and implementing wrongful acts brought against States should be substantiated.”

Read the full post at Just Security