The worldwide cyber attack that began last Friday and goes by the name of “WannaCry” has highlighted the need for governments and businesses to strengthen their security infrastructure, in addition to calling attention to the need to mandate security updates and educate lawmakers about the intricacies of cyber security.
At last count, WannaCry had affected more than 230,000 users in some 150 countries. Prominent among the victims of the attack are the National Health Service (NHS) in the U.K., which found many operations disrupted and had to divert patients to other facilities, Spain’s telecom company Telefonica, U.S.-based FedEx and organizations in South America, Germany, Russia and Taiwan. Aside from FedEx, the U.S. was surprisingly spared, thanks to an alert researcher who discovered a “kill switch,” or a way to contain the spread of the attack. The hackers behind the attack have been demanding ransoms of $300 in bitcoins from each affected user to unscramble their affected files with threats to double that if payments are not made within 72 hours.
Meanwhile, threats of similar – or perhaps worse – attacks have continued to surface. “This was not the big one. This was a precursor of a far worse attack that will inevitably strike — and it is likely, unfortunately, that [the next] attack will not have a kill switch,” said Andrea M. Matwyshyn, professor of law and computer science at Northeastern University. “This is an urgent call for action for all of us to get the fundamentals finally in place to enable us to withstand robustly this type of a crisis situation when the next one hits.”
The WannaCry attack targeted users of Microsoft Windows XP, which Microsoft had discontinued and stopped putting out patches for in 2014. “It shows the dangers of using outdated software,” said Michael Greenberger, law professor at the University of Maryland and founder and director of its Center of Health and Homeland Security. “As the devastation of these events takes place, you are going to see more insistence on the following of practices that keep software updated,” he said. “Mandating that certain software be [updated] may sound rough to the ear, but when you see people dying on the operating table because the software is inadequate, [such mandates will] become much more acceptable.”
“This was a precursor of a far worse attack that will inevitably strike — and it is likely, unfortunately, that [the next] attack will not have a kill switch.” –Andrea Matwyshyn
Matwyshyn and Greenberger discussed the emerging approaches to preparing for future cyber attacks on the Knowledge at Wharton show on Wharton Business Radio on SiriusXM channel 111. (Listen to the podcast at the top of this page.)
Matwyshyn noted that “security researchers are absolutely critical to the safety of our future systems.” She pointed out that in the U.S., the attacks were contained because of the efforts of such a researcher. The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering an unregistered domain name used by the malware stops it from spreading. “This one person, with an expenditure of approximately $11, saved many from being attacked by this ransomware,” said Matwyshyn.
Meanwhile, the NHS in the U.K. continues to grapple with the crisis, even as it installs the requisite software updates on its computer systems. Microsoft on Friday released updates for computers that use the Windows XP, Vista, Windows 7 and Windows 8 operating systems.
High Cost of Delays
Matwyshyn worried about organizations not heeding the urgency of the current situation, and therefore delaying the required updates. “There is a real risk that there are some businesses or other system administrators who might be living under the proverbial rock who won’t engage with the urgency of the situation, and we will see a stream of infections to come,” she said. Greenberger agreed about the dangers facing slow responders. “We’re going to see more; we’re going to see worse, and when we do, the remedies will be much more demanding.”
According to Matwyshyn, the WannaCry attack brings fresh urgency to Microsoft’s call for a Digital Geneva Convention, or an equivalent of the treaties signed after World War II to ensure humanitarian treatment of civilians and other prisoners during times of war. Microsoft wants a formal, international agreement on digital security because of what Matwyshyn termed as “the problem of reciprocal security vulnerability.” That refers to the difficulty of differentiating between a security problem in the public sector and one in the private sector, she explained.
International agreements may also deter errant governments from causing such attacks. In fact, the WannaCry hack appears to have been engineered by North Korea. On Monday, Neel Mehta, a security researcher at Google’s parent company Alphabet, found similarities in the codes used in a WannaCry variant and the 2014 attack on Sony Pictures and a 2016 attack on a Bangladeshi bank, the Wall Street Journal reported. Those attacks were attributed to a North Korean hacker organization called Lazarus Group. Security firms Kaspersky, Symantec and Comae Technologies later said they, too, found such similarities that pointed suspicions at Lazarus.
The latest attacks also reveal the risks posed by governments in managing security threats. The attacks have been traced to the leaks earlier this year of a collection of hacking tools that the U.S. National Security Agency had put together. “Microsoft’s position appears to highlight that … the means of digital compromise that are leveraged by governments also impact the private sector and have follow-on consequences,” Matwyshyn said. Added Greenberger: “The good news is, because large corporations are driving discussions on this subject, it takes the issue out of the hands of nation-states, and the chances of getting agreements are much better.”
Matwyshyn also emphasized the need to get the private sector up to speed with the patching cycles and the risks they face, with a particular emphasis on industries that are not traditionally technology-driven. She noted the risks to human life, especially as thousands of medical operations were disrupted in the U.K. “Unfortunately, mass death is an inevitable consequence of this type of future attack,” she warned.
According to Matwyshyn, the security response calls for nothing less than a top-down effort from the C-Suite, “where security is treated as a fundamental piece of the structures within a company, because information security is only as good as the weakest link.” She said companies must have chief security officers and vest them with sufficient powers and social capital to be able to articulate needs in terms of staff, training or other investments.
“Mandating that certain software be [updated] may sound rough to the ear, but when you see people dying on the operating table because the software is inadequate, [such mandates will] become much more acceptable.” –Michael Greenberger
“This attack demonstrates the degree to which cyber security has become a shared responsibility between tech companies and customers,” noted Brad Smith, Microsoft president and chief legal officer, in a blog post.
A Call for Mandates
Greenberger called for government mandates on security updates, adding that he often sees much “lip service” paid to ensuring adequate security but little in the way of real action. The government must disallow the use of certain types of software and require users to certify that they comply, and assistance must be provided to smaller entities that don’t have the resources, he said. “It can’t be an unfunded mandate.”
According to Greenberger, lawmakers, too, are ill-equipped to prepare adequately and in a timely fashion to future threats. He recalled that he had encountered those obstacles to counterterrorism measures on Capitol Hill before 9/11 occurred. “A calamity happens, and it does [get the requisite attention],” he said. He noted that in dealing with state legislatures, the lack of sophistication in dealing with such problems is “really quite remarkable,” and he suggested the need for the requisite education and training or whatever else it takes to bring lawmakers up to speed with the requirements.
Matwyshyn pointed out that another problem is “we have a rudimentary understanding of the scope of the problem.” She noted that the ways in which numeric indexing of security vulnerabilities are created are not keeping pace with the reality of the known vulnerabilities. “We need to figure out the basic infrastructure around identifying, numbering and getting the word out about the vulnerabilities that we know to exist,” she said. “We don’t even have that in place yet.”
Indeed, the World Economic Forum’s Global Risk Report 2017 had highlighted cyber security as a top risk factor. “Today’s technologies enable data to be immediately leaked over, say, a Twitter feed,” Howard Kunreuther, co-director of the school’s Risk Management Center, which prepared the WEF study, told Knowledge at Wharton previously. “How safe our technology is, is going to be an important risk for us to consider.”