With more than 200,000 victims in 150 countries, the WannaCrypt ransomware attack can teach us what we’re missing in the fight against breaches.
Imagine sitting in front of your computer and seeing that annoying yellow warning triangle flashing in the corner of your eye. You ignore it and keep working or watching YouTube videos. But the flashing sign gets slightly more aggressive, morphing into a pop-up prompt asking you if you want to restart your computer now or later so it can install the latest updates. You select “later” and keep on typing, filing, data entering, searching, clicking, tweeting, streaming.
But by the next time you open your computer to pick up where you left off, that pop-up isn’t asking you to update your software — it’s asking you for money.
That’s an oversimplification of what happened across the world Friday, when access to computer files at car manufacturing plants, hospitals, telecom companies, postal courier services, and homes was frozen by a ransomware attack that exploited a security vulnerability in Microsoft Windows. That vulnerability was discovered by U.S. intelligence agencies and stolen by hackers during a government breach earlier this year. Microsoft released a security patch for the vulnerability two months ago.
Microsoft’s president and chief legal officer Brad Smith spoke out on the cyberattack in a blog post published Sunday, calling for “collective action” to keep consumers’ data safe.
“This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect,” Smith wrote. “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
Now, Smith isn’t saying victims got what they deserved or are somehow responsible for the illegal and malicious actions of hackers. In fact, he criticizes the U.S. government for collecting information about the vulnerability in the first place. The attack, he wrote, is “another example of why the stockpiling of vulnerabilities by governments is such a problem.”
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world,” he wrote. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Microsoft isn’t alone in its thinking that everyone — consumers, governments, and tech companies — needs to come together to better protect against massive cyberattacks like the one last week.
Alex Rice, the chief technology officer at HackerOne, a San Francisco-based security firm that practices “white hat hacking,” or hacking with a conscience, echoed Microsoft’s sentiments in an interview with ThinkProgress back in March, saying the government was “irresponsible to stockpile that much information and not have an immediate plan of action for what happens if it all gets leaked.”
“I think one of the things that continually surprises me is just how surprised everybody is,” he said. “Any organization that thinks they are immune to these types of breaches is just living in a world that isn’t reality. And so policy has to be crafted and constructed in a way that the assumption that data breaches like this are in the realm of possibility.”
The intelligence community certainly isn’t immune. Rice spoke with ThinkProgress shortly after the breach of CIA tools and data published by Wikileaks in March. At the time, the CIA chose not to publicly comment on the breach beyond a boilerplate deflective response: “We do not comment on the authenticity or content of purported intelligence documents.”
The data trove contained everything from hacking methods for various devices to malware, which could seriously compromise the agency’s intelligence-gathering abilities. But beyond that, the breach was core-shaking because it disturbed Americans’ sense of security and safety, raising the question: If the CIA can’t protect itself or us, who can?
Rice said that the key to better security is buried in societal and institutional culture. And without changing how consumers and governments think about their roles, the risks will persist and grow.
“The barriers to overcome are more cultural and institutional than policy driven. There are enough frameworks through which enough information sharing can occur legally and safely. But it’s not, so then the question is why. Do we need a bigger stick? Should there be a bigger policy stick to mandate and enforce sharing, similar to the California breach notification laws? Should there be something similar for vulnerability breach notification laws?”
According to Rice, when it comes to security breaches — particularly with intelligence agencies, but even within companies — there’s “an air of silence and secrecy” that breeds misinformation and can hamper safety.
“Good security comes from being open about failures and attacks so that we can all benefit and then collectively learn from them,” Rice said.
The extent of the fallout from Friday’s massive cyberattack hasn’t been fully quantified. Tom Bossert, the White House homeland security adviser, said Monday that last week’s global cyberattack is being investigated, and urged people and businesses to update to the latest version of Microsoft Windows. Bossert also emphasized that computers running pirated versions of the operating system are at risk because they don’t always get security updates.
The attack came just a day after President Donald Trump signed a cybersecurity executive order that directed every government agency to evaluate its vulnerabilities and prepare a plan to prevent and mitigate cyberattacks by August — an objectively solid first step.
Rice said that there’s only so much the public can do outside of using products from companies with good cyber practices. But the ultimate goal is to close the gap between companies such as Google, Amazon, and other tech giants who have well-developed cybersecurity programs and protocols and companies that are lagging behind.
“There are pockets of organizations that are really doing this well. Chromebooks and Chrome, iOS, Android are far more secure now than a few years ago,” Rice said. “Those learnings haven’t really spread to everywhere our information is stored. Our information is now in so many places, how do we take the level of security that exists at Google or Amazon and make sure it can proliferate to everywhere our information is stored?”
The answer is complicated and somewhat opaque: A combination of government agencies, along with companies big and small, sharing everything they learn with one another and creating ways for the public or security experts to report potential vulnerabilities. But there’s at least some hope things will eventually get better.
“We’re a long way away from being able to rest easy,” Rice said with a wry laugh. “But I don’t think it’s a lost cause. We’ve seen very very powerful progress despite the seemingly increasing frequency of breaches.”
What we can learn from ‘the big one’ — a cyberattack that stopped everything was originally published in ThinkProgress on Medium.