If the hackers who crippled Baltimore city government computers used a cyberweapon developed by the National Security Agency, as the New York Times reported Saturday, the federal government bears some responsibility in helping to clean up the mess. Yes, the city should have updated its Windows systems with a security patch Microsoft released two years ago after a hacking group called Shadow Brokers leaked the tool. But that doesn’t absolve the NSA from blame. In seeking to keep a powerful offensive cyberweapon for itself, it risked national security rather than protecting it.
Some security experts take the opposite view (and some question whether the NSA tool, known as EternalBlue, was involved in a significant way — or at all — in the Baltimore attack). They argue that two years after the initial leak and a powerful wave of cyberattacks that followed, the city is at fault for failing to take a simple step to protect itself from the threat. We agree that Baltimore officials need to be held accountable for their investments in information technology and their cybersecurity policies and practices. But that doesn’t let the federal government off the hook if EternalBlue facilitated or exacerbated the attack on the city.
Would a homeowner be at fault for a burglary if he failed to take the initiative to change his locks after the police developed a master key to open his old ones without the homeowner’s knowledge or permission, left it out where criminals could steal it and then continued to deny any involvement in the whole business? If that analogy sounds absurd, well, so does the actual string of events that brought us to this point.