The U.S. National Security Agency could have headed off the global ransomware attack that has crippled hospitals, train stations and other infrastructure around the world, according to Edward Snowden, the former CIA contractor and whistleblower.
“They knew about this flaw in U.S. software, U.S. infrastructure, hospitals around the world, these auto plants and so on and so forth, but they did not report it to Microsoft until after the NSA learned that that flaw had been stolen by some outside group,” Snowden said Monday.
The fugitive former private security contractor made his remarks during a speech on privacy and security delivered via satellite from Moscow to a Washington, D.C., conference on big data. The conference, organized by a former Google executive, Travis Jarae, founder and CEO of One World Identity, has drawn 800 industry experts from data collection and cybersecurity firms, as well as government lawyers, to discuss questions about online identity, security and privacy.
Snowden in 2013 downloaded and then publicized an estimated 1.7 million documents related to global and domestic U.S. surveillance programs, which the Pentagon has said is the largest trove of American secrets ever purloined. Federal prosecutors subsequently charged him with theft and Espionage Act violations. Since 2013, he has been living in Moscow.
Beamed by satellite onto huge screens in the Ronald Reagan Building and International Trade Center, a federal building a few blocks from the White House, Snowden blamed the NSA for the unprecedented power of the so-called WannaCry virus, which is being blamed for the world’s biggest cyberattack, affecting 150 countries so far. Among the affected in the U.S. have been FedEx and Nissan; in China, colleges and gas stations; in India, the state police; in Russia, the Central Bank, Russian railways and the Interior Ministry; and in the U.K., at least 16 National Health System hospitals.
It is still unclear who released the virus or exactly why.
“Had the NSA not waited until our enemies already had this exploit to tell Microsoft, [so that] Microsoft could begin the patch cycle, we would have had years to prepare hospital networks for this attack rather than a month or two, which is what we actually ended up with,” Snowden said.
Members of the audience submitted questions to the 33-year-old. One asked for his “number one piece of advice” for balancing privacy and security. Snowden said companies should opt for the “bare minimum” in determining what information they harvest and save about customer behavior, and urged them to provide users with an “opt-out” from data collection upfront. He accused companies that say they are collecting data to improve products and services of using “a legal fiction” to collect data in order to monetize it, generating an extra source of revenue.
He compared the psychological effects of unchecked mass data collection to an errant high school kid being threatened that certain behavior would remain on his or her record. In a world of mass tracking and commercial and government data collection, he said, “you have a permanent record” that can never be erased.
“A child that’s born in this world won’t have the same benefit you had of saying something stupid that they can move on from,” he said. “When people can be tracked and have no way to live outside this chain of records, what we have become is a quantified spiderweb. It’s a very negative thing for a free and open society. Now, everybody in the world will think twice before they even open their mouth. That is a very, very dark future. But it’s not inevitable. You should reflect: Is that something we can do? Or should do?”