The WannaCry ransomware attack has spread throughout the world over the past week. Fingers are pointing at Microsoft for the vulnerability in earlier versions of Windows, at the NSA for creating the leaked exploit, and at North Korea for allegedly perpetrating the attack. There is blame to go around, but if we were to assess comparative fault, the victim is also substantially to blame, for at least two reasons, one obvious and one less obvious:
First, the obvious reason: the attack affected older versions of Windows, including Windows XP, which has not been supported by Microsoft since 2014. However frustrating Microsoft’s update and support cycle might seem, and whatever transaction and opportunity costs are involved in switching an organization to a newer OS, it is negligent to continue using an outdated, unpatchable OS.
Second, the less obvious reason: the attack exploited port 445, a networking port used by those older versions of Windows for peer-to-peer connections with printers and the like. A basic component of any cybersecurity compliance program — in addition to using updated, patched software — is to conduct regular port audit scans and to configure firewalls to block unnecessary ports. Given the low cost of this kind of precaution, failure to conduct port audits is almost certainly negligence.
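To make the "low cost" point concrete, here is a minimal port audit of the kind described above: a TCP connect check that reports which hosts on an inventory still answer on port 445 (or any other port the firewall is supposed to block). This is an example added to this post, not the author's code; the host names in the comment are placeholders, and `demo()` uses a loopback listener as a constructed stand-in for an exposed host so it runs offline.

```python
import socket
from typing import Dict, Iterable, List, Set

SMB_PORT = 445  # the port the post says the attack reached victims on


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered by a firewall, timed out, or unresolved
        return False


def audit_hosts(hosts: Iterable[str], ports: Iterable[int],
                timeout: float = 1.0) -> Dict[str, Set[int]]:
    """Map each host to the set of audited ports that accept connections."""
    ports = list(ports)
    return {h: {p for p in ports if port_is_open(h, p, timeout)} for h in hosts}


def exposed_hosts(results: Dict[str, Set[int]], port: int) -> List[str]:
    """Hosts that still answer on a port the firewall should be blocking."""
    return sorted(h for h, open_ports in results.items() if port in open_ports)


def demo() -> dict:
    """Constructed stand-in for a real audit: a loopback listener plays an
    exposed host; a port that was bound and released plays a blocked one."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)                     # backlog completes handshakes for us
    open_port = listener.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                            # released: connections are refused
    try:
        results = audit_hosts(["127.0.0.1"], [open_port, closed_port])
    finally:
        listener.close()
    return {"results": results, "open_port": open_port, "closed_port": closed_port}


if __name__ == "__main__":
    # Real use (placeholder host names): audit_hosts(["fileserver01"], [SMB_PORT])
    d = demo()
    print("exposed on stand-in port:", exposed_hosts(d["results"], d["open_port"]))
```

Run it on a schedule against the organisation's own host inventory and any host that appears in the exposed list for port 445 is a firewall rule or a patch waiting to happen.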