The recent cyber ransomware attack provides important opportunities for learning—really relearning—lessons about how to secure cyber networks. But first, it is important to separate what is known about the attacks from the hard truths about global cyber preparedness.
Recently, a piece of malware—the WannaCry virus—exploded on the scene with unprecedented speed and scale. The virus exploited a known security flaw in Microsoft's XP operating software and spread to over 150 countries, infecting over two hundred thousand computers and locking the data of software users. The perpetrators of the attacks demanded a Bitcoin payment of $300 be deposited in exchange for unlocking that data. Failure to pay the ransom would result in the destruction of the data.
Information about the existence of the security flaw was purportedly contained in a U.S. National Security Agency toolkit that was inadvertently discovered. In March of this year, upon realizing the toolkit was compromised, Microsoft developed a patch for the sixteen-year-old software and made fixes available for free for the older XP systems.
But the use of ransomware to lock down user data and extort a payment is hardly a new occurrence. In a twelve-month period ending June 2016, more than 50 percent of the organizations surveyed had been hit with ransomware. In the first quarter of 2016 alone, more than $209 million had been paid out. Despite these payments, slightly less than half of the organizations that paid the ransom were able to recover their data.
Of course the question on everyone’s mind is, who perpetrated such an act? The answer will likely take days and weeks to establish, and even then there will be uncertainties.
While clues are beginning to emerge, the situation remains ambiguous. The attack was not particularly sophisticated and was based on a known security flaw, not engineered specially for the attack. A wide range of actors—spanning from nation-states, to criminals, to individual hackers—could have been responsible.
A time stamp on the code—nine hours ahead of Greenwich Mean Time—suggests the creators could be in the Far East. The relatively large number of attacks in Russia would strongly indicate that it was not a Russian-generated attack, either by the government or a criminal element. As law enforcement and intelligence agencies around the globe try to unravel the mystery, North Korea is being mentioned as the possible perpetrator.
The requested ransom payment was also an anomaly. The ransom amount was much smaller than the average: in 2016, the average ransom demand was $679, while for the WannaCry virus it was only $300. Furthermore, the method of payment, to one of three Bitcoin purses rather than each “infection” generating a separate Bitcoin purse, was unique.
The failure to disable the now famous “kill switch,” which ultimately helped to contain the attack, was curious as well. Was it done deliberately, or was it an error by the perpetrator?
Examining WannaCry’s victims provides an important starting point for understanding how to reduce, if not prevent, such attacks. The victims were largely reported to be businesses and governments. In Brazil, Petrobras—the semi-public national petroleum company—was affected. In Russia, Germany and Spain, the train systems were affected. In Britain, the health-care system was largely taken offline. In India, power companies were affected. In China, railways, hospitals and government offices were affected.
Virtually all of these attacks involve critical national infrastructure. The implications are that nations around the globe are using outdated hardware and software and that security patches are not being updated, even when warnings about known insecurities have been given.
To rectify this, updating computer security is a must. Features enabling automated updates should be used to ensure that software is patched as soon as fixes become available. Anti-virus software should be installed and operational.
Block obsolescence for IT systems should be carefully managed. Hardware and software should be treated as expendable items. When security patches are no longer available, the systems should be replaced. Newer systems have better embedded security features. It is a telling observation that governments and businesses running obsolete systems were the targets of the WannaCry ransomware.
Individual users are the linchpin in cybersecurity and have a key role to play in their own cybersecurity. Surveys indicate they are concerned; that concern should translate into action. Most cyber insecurities occur when individuals open files from people or addresses they do not know, or open malicious files with file extensions like “.exe,” “.vbs” and “.scr.”
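The advice above (treat attachments ending in “.exe,” “.vbs” or “.scr” as dangerous) is easy to state but slightly harder to enforce mechanically, because attackers pad file names, vary letter case, or chain extensions such as “invoice.pdf.exe” so that the real extension is the last one. The following is an added example, not code from the article or from RAND, of a small attachment screen a mail gateway or help desk could use; the extension list and the sample file names are constructed assumptions for illustration.

```python
"""Screen attachment file names for executable extensions (added illustrative example)."""

# Extensions the article names (.exe, .vbs, .scr) plus a few other
# directly executable Windows types. Assumption: illustrative, not exhaustive.
RISKY_EXTENSIONS = {"exe", "vbs", "scr", "bat", "cmd", "com", "pif", "hta", "js", "jse", "ps1"}

# Unicode right-to-left override; when embedded in a name it visually reverses
# the characters after it, so the displayed extension is not the real one.
RLO = "\u202e"


def final_extension(filename: str) -> str:
    """Return the lower-cased last extension, ignoring case and padding tricks."""
    # Lower-case, drop surrounding whitespace, and drop trailing dots/spaces
    # (Windows ignores those when opening the file).
    name = filename.strip().lower().rstrip(". ")
    if "." not in name:
        return ""
    # Only the text after the LAST dot decides how the OS opens the file,
    # so "invoice.pdf.exe" is an .exe regardless of the ".pdf" in the middle.
    return name.rsplit(".", 1)[1].strip()


def assess_attachment(filename: str) -> str:
    """Return 'allow' or a 'block: <reason>' string for one attachment name."""
    if RLO in filename:
        return "block: right-to-left override character disguises the extension"
    ext = final_extension(filename)
    if ext in RISKY_EXTENSIONS:
        return f"block: executable extension .{ext}"
    return "allow"


def blocked_attachments(filenames):
    """Return the subset of names that should be held back, with reasons."""
    return [(f, assess_attachment(f)) for f in filenames if assess_attachment(f) != "allow"]


# Constructed sample names covering the common disguises.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",         # ordinary document, allowed
    "Invoice.EXE",                  # upper-case extension
    "invoice.pdf.exe",              # double extension, real type is .exe
    "holiday_photo.jpg        .scr",  # whitespace padding before real extension
    "notes.exe.txt",                # harmless: final extension is .txt
    "annex" + RLO + "fdp.exe",      # RLO trick: displays as "annexexe.pdf"
    "README",                       # no extension at all
]

if __name__ == "__main__":
    for name, verdict in blocked_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name!r}: {verdict}")
```

Blocking on the final extension is a coarse control and should sit alongside, not replace, the patching and anti-virus measures discussed above; a file's declared name says nothing about its contents, so content inspection at the gateway is still needed.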
Security will be more important as cyber becomes ever more entwined in individuals’ daily lives. With technologies such as autonomous vehicles, assured and secure cyber should be non-negotiable.
The ongoing ransomware attack serves as a reminder of the need for continued vigilance. Despite the disruption the WannaCry virus caused, the outcome could have been far worse. Even once this attack is declared over, history indicates that other attempts will follow, and preparedness is crucial.
Daniel M. Gerstein works at the nonprofit, nonpartisan RAND Corporation and is an adjunct professor at American University. He was the undersecretary (acting) and deputy undersecretary in the Science and Technology Directorate of the Department of Homeland Security from 2011–14.
Image: Individual with laptop. Flickr/Creative Commons/Christopher Shirner