A former senior National Security Agency official who consults with the agency confirmed to NBC News what cybersecurity researchers have reported: the WannaCry ransomware epidemic is the result of a software vulnerability identified and stockpiled by the NSA. The vulnerability became public when it leaked as part of the Shadow Brokers disclosures.
The NSA releases 90 to 95 percent of the software vulnerabilities it discovers, he said, but it sits on the rest for use in hacking and spying activities. In other words, it doesn't tell Americans about software holes that make them vulnerable -- so it can exploit those weaknesses to spy on foreigners.
In this case, after the leak, the NSA warned Microsoft and other companies, the official said. Microsoft released a patch in March.
But not everybody patches, and those running outdated systems may not even be able to.
The former official said some people would like the NSA to alert industry to every software hole it finds. But then, he said, the NSA would lose intelligence collection. And hackers would still find holes to exploit, because such holes are inevitable.
That said, he praised a new system in the UK, where spies sit with private researchers and share vulnerabilities in real time. That doesn't mean the Brits don't keep some secret, he added.
He sees a Russian hand in the Shadow Brokers disclosures, which would be ironic if true. Russia has suffered heavily from the ransomware attack because it uses pirated and outdated software.