Seven months after the WannaCry ransomware ripped across the internet in one of the most damaging hacking operations of all time, the US government has pinned that digital epidemic on North Korea. And while cybersecurity researchers have suspected North Korea's involvement from the start, the Trump administration intends the official charges to carry new diplomatic weight, showing the world that no one can launch reckless cyberattacks with impunity. "Pyongyang will be held accountable," White House cybersecurity chief Tom Bossert wrote in an opinion piece for the Wall Street Journal.

But for some in the cybersecurity community who watched WannaCry's catastrophe unfold, North Korea isn't the only party that requires accountability. They argue that if guilty parties are going to be named—and lessons are to be learned from naming them—those names should include the US government itself. At least some of the focus, they say, belongs on the National Security Agency, which built and then lost control of the code that was integrated into WannaCry, and without which its infections wouldn't have been nearly as devastating.

"As we talk about to whom to attribute the WannaCry attack, it’s also important to remember to whom to attribute the source of the tools used in the attack: the NSA," says Kevin Bankston, the director of the New America Foundation's Open Technology Institute. "By stockpiling the vulnerability information and exploit components that made WannaCry possible, and then failing to adequately shield that information from theft, the intelligence community made America and the world’s information systems more vulnerable."

For many cybersecurity researchers, in fact, WannaCry has come to represent the dangers not only of rogue states using dangerous hacking tools, but of the US government building those tools and using them in secret, too.

Root Cause

WannaCry's origins stretch back to April, when a group of mysterious hackers calling themselves the Shadow Brokers publicly released a trove of stolen NSA code. The tools included an until-then-secret hacking technique known as EternalBlue, which exploits flaws in a Windows protocol known as Server Message Block to remotely take over any vulnerable computer.

While the NSA had warned Microsoft about EternalBlue after it was stolen, and Microsoft had responded with a patch in March, hundreds of thousands of computers around the world hadn't yet been updated. When WannaCry appeared the next month, it used the leaked exploit to worm through that massive collection of vulnerable machines, taking full advantage of the NSA's work.

Exactly how the Shadow Brokers obtained the NSA's highly protected arsenal of digital penetration methods remains a conundrum. But in recent years, two NSA staffers have been indicted for taking home top-secret materials, including collections of highly classified hacking tools. In one of those cases, NSA staffer Nghia Hoang Pho also ran Kaspersky antivirus on his home computer, allowing the Russian security firm to upload that trove of NSA code to its own servers, although the company insists that it subsequently destroyed its copy of the code as soon as it realized what it had scooped up. It's not clear if either of the two staffer's security breaches led to the Shadow Brokers' theft.

'To have a discussion about accountability for North Korea without the discussion of how they got the material for the attack in the first place is irresponsible at best, and deceptive at worst.' Former NSA Analyst Jake Williams

Despite those security breaches, Bossert's 800-word statement about "accountability" for the North Korea's hackers who created and launched WannaCry didn't once mention the NSA's accountability for creating, and failing to secure, the ingredients for that disaster, notes Jake Williams, a former NSA hacker himself and the founder of Rendition Infosec. "If someone blew up a bomb in New York City and the Syrian government had given them the fissile material to make it, we’d be holding them accountable," says Williams. "North Korea couldn't have done this without us. We enabled the operation by losing control of those tools."

In a press conference Tuesday, Bossert did indirectly acknowledge the role of the NSA's leak in making WannaCry possible when questioned about it. "The government needs to better protect its tools, and things that leak are very unfortunate," he said. "We need to create security measures to better protect that from happening."