The WannaCry ransomware was developed at the cost of US taxpayers which ended up subsidising a massive global criminal operation. The National Security Agency built an exploit called Eternal Blue to remotely take over and control computers running Windows XP to Windows 2012.
The NSA is amassing zero-day vulnerabilities and the associated exploits. They fix the software vulnerabilities by reversing the traditional market incentives. The vulnerability targeted by WannaCry was for years of strategic importance for the NSA. The federal investigative agency does not know yet if the same vulnerabilities are being targeted by criminals to target American citizens.
It is important to note that the market for zero-day vulnerabilities should be regulated, however, as it is highly unlikely that there will be no consensus on this issue, so governments will continue to contribute to the success of attacks like WannaCry in the years to come.
Corporations like Microsoft try to discourage piracy by only providing patches to paying customers. Microsoft released a patch before the Shadow Brokers released the latest software exploits from the NSA featuring Eternal Blue. Microsoft also released a patch for Windows XP; though they were not obliged to do this since they had ended support for XP in April 2014. But Microsoft decided against making these patches available to users of pirated versions of their software.
User ignorance and poor security practices increased the scale of the attack, but even when our government knows that most Indians will not be able to afford proprietary software, it is strange it doesn't promote Free/Open Source Software (FOSS).
If ordinary people shift to FOSS, they could, for example, install the latest version of Ubuntu without paying and also get all the latest security updates.
There is no denying the fact that a ransomware can also knock down FOSS-based operating systems but they are less known in criminal markets. Also, their patches can be provided by multiple stakeholders, including governments.
Though, there are examples of very important projects like Open SSL with vulnerabilities like Heart Bleed that remained undetected and unfixed because everyone was hoping for someone else to do it.
However, in developing countries like India, taxpayer’s money can be utilised by creating government procurement for developers to shape the market.
