MICHEL MARTIN, HOST:
We're going to spend some time now talking about cybersecurity. Recently stolen NSA tools have been used apparently in cyberattacks in Baltimore and North Carolina. Hackers used this software to interrupt digital infrastructure like government computers, and usually demand money to stop. That's today's topic in our regular segment called Troll Watch.
(SOUNDBITE OF MUSIC)
MARTIN: This is where we've been keeping track of cybersecurity attacks, as well as the themes, memes and conspiracies being pushed by bots and trolls. Joining us now to talk more about this is Thomas Rid. He is a professor of strategic studies at Johns Hopkins University, where he teaches about cybersecurity. Professor Rid, welcome. Thanks so much for talking to us.
THOMAS RID: Thank you. Hi.
MARTIN: Let's walk through the facts that are known. So as I understand it, the NSA develops certain hacking tools, and somehow or another, they lost control of them. They were leaked, stolen somehow. And they started showing up in the summer of 2016. Is that right?
RID: Yeah, that is correct. The NSA lost control over its crown jewels of hacking tools at some point, presumably in early 2016. And the leaks started in August 2016 in a drip-drip fashion. So over the next half year, a number of hacking tools appeared in public. And this caused huge havoc worldwide.
MARTIN: Do we have any sense of who is behind the attacks?
RID: It's important to understand that the hacking tools became public, so anybody could use them. The first actors to use them were intelligence agencies - first, the North Koreans, then Russian military intelligence in the summer of 2017. But now criminals and opportunistic hackers are using these tools as well.
MARTIN: One of the ways that this has become public is that Baltimore, Md., has been struggling with a cyberattack that has affected thousands of government computers and a number of important government operations. This is what was reported in The New York Times. The New York Times reported that the attack has interrupted real estate sales, water billing and things of that sort. How is something like this addressed? I mean, obviously these hackers are demanding money. So what happens? Do governments actually pay these people?
RID: We need to take one step back. The specific vulnerability to a computer system that was used in this attack has actually been fixed already in early 2017. But the problem is that a lot of firms, city governments, organizations don't actually patch their systems regularly because their IT budgets are too low. So that means that high-value targets have probably already fixed that hole in their security, but a lot of other targets haven't, which is why we now see criminals use these vulnerabilities against cities and other targets.
MARTIN: Should the NSA be held responsible for this? I'm just wondering. The fact that this crown jewel, as you put it, was leaked or stolen and became public, is that their fault?
RID: This is a great question. Actually, there's controversy. So initially, losing control of this hacking tool - and really, thousands of others - was clearly the NSA's fault. But at some point, I guess, their responsibility for criminals reusing what has become public is diminishing. But the problem here is that the U.S. government - first Obama, then the Trump administration, and of course, also Congress - have never addressed the underlying extraordinary leak that took place that is known as Shadow Brokers, which is arguably the worst security breach the NSA has ever suffered - even worse than the Snowden leak.
MARTIN: It just seems remarkable that something that has such significance and such a power to disrupt people's lives hasn't gotten more attention. Does it seem strange to you?
RID: Well, you know, the story is quite complicated. But I think we have to do better and really understand the Shadow Broker's leak, it's reuse. This is ultimately an attack, if we take the whole thing, that has caused tens of billions of damage to the world economy - billions.
MARTIN: As you would imagine with the upcoming presidential elections in this country, many people are concerned about cybersecurity. And the question becomes if routine government operations and those of private industry can be disrupted, then what does this say about our ability to guard our elections? What do you think it says?
RID: Again, we have to be very specific here. And it is possible to defend yourself if you're just a private citizen or if you have a small company. It's possible to patch your systems, to update the system to the most recent software, to use a number of security products that protect you, even against high-profile targets. But of course, we have to be on guard and get to the bottom of these most difficult and most complex cases. And this is certainly at the top of that list here.
MARTIN: That's Thomas Rid, professor at Johns Hopkins University, where he teaches about cybersecurity. Professor Rid, thank you so much for talking to us.
RID: Thank you. Transcript provided by NPR, Copyright NPR.