James J. Ward, Blizin Sumberg ()
The cybersecurity news cycle that unfolded recently has been unlike any before it. WannaCry, once a National Security Agency cyberweapon, and more recently, a variant on the Petya ransomware with similar capabilities unleashed two separate global crises. In both, the ransomware infected hundreds of thousands of computers, phones and mobile devices in more than 150 countries. These were the first cybersecurity dramas to unfold in real time; network media outlets provided coverage as though it were an epidemic or a natural disaster. In a sense, they were both, demonstrating both the ease with which malware can penetrate seemingly critical infrastructure (e.g., the National Health Service in the UK or the DeutscheBahn railway system in Germany) and the helplessness of the average person to do anything about it.
Yet in another way, both ransomware outbreaks were more of a whimper than a roar. Of the many thousands who were hacked, a fraction of a percent actually paid the requested ransom of $300 in Bitcoin—around one tenth of 1 percent of affected users. One reason for this low percentage, perhaps, was the fact that ransomware typically attacked Windows XP, a 16-year-old operating system. Thus, the universe of potential victims was limited to those who had not updated their devices in quite some time. Another limiting factor was that Microsoft, this past March, had already issued a curative “patch” for the vulnerability that WannaCry exploited, shrinking further the universe of those who would initially be affected. Admittedly, the Petya variant that plagued Ukraine and parts of Europe worked around the patch, but the effects were limited nevertheless. Cybersecurity experts are engaging in some self-congratulations, positing that the attack was a bust, and that the world’s swift response stemmed the potential harms.
Perhaps the better explanation is that we were lucky. EternalBlue, the weaponized program stolen from the NSA, is a far more potent weapon than either the WannaCry or Petya attacks would suggest, and could have wrought a far greater degree of harm in the hands of different cybercriminals. It may be that those behind the ransomware attacks were insufficiently prepared for their success, or it may be that they were simply amateurs. The latter theory has some merit—the average Windows XP user is unlikely to know how to get Bitcoins (or, indeed, what Bitcoins are), and Bitcoin accounts themselves are easily monitored, making withdrawal of any ill-gotten gains risky. These ransomware attacks were not the work of criminal masterminds, it would seem. That is not to say the culprits were not wildly successful in their attack, merely that their financial gain was, fortunately, not proportional to the scope of the hack.
And that is the most frightening aspect of the entire saga. A hastily structured hack that was little more than a piggyback on the efforts of the Shadow Brokers brought the world to a standstill, threatening businesses and even lives. As always, the aftermath brings more questions than answers. Why, for instance, were government agencies tasked with safeguarding vital information—like the National Health Service—operating outdated software without critical patches installed? Why did it take a 22-year-old researcher in Britain stumbling onto a “kill switch” to stop the first iteration of WannaCry, when government clearly knew of the risk (having created it in the first place). When there is no “kill switch,” as with Petya, how will government and industry respond to avoid catastrophic consequences? And what lessons will cybercriminals learn from the less-than-thoughtful approach to ransom presented in the last weeks, by WannaCry in particular?
While we ponder those questions, there are some clear lessons to learn,
First, treating software update alerts as a pest to be ignored has now become extremely dangerous. Companies that lost valuable data may now face legal liability from clients and customers who might consider a failure to implement a critical security patch to be a negligent disregard for a known risk. Businesses can no longer claim that they were unaware of the dangers, because the law has now begun to presume that everyone knows the risks of cyberbreach.
Second, WannaCry and Petya prove the adages that a chain is only as strong as the weakest link, and the weakest link in a data security chain is very often the end-user. Ransomware spreads most easily across linked systems by users unwittingly transmitting it. Spoofing and phishing are not simply about stealing credit card numbers or data, they are about stealing access to systems. Without robust training, employees provide easy access points for cybercriminals and their malware.
Finally, WannaCry’s origin presents a cautionary tale about the disappearing barriers between ordinary cybercrime and the ongoing cyberwars. The NSA, Britain’s GCHQ, Russia’s FSB, China’s MSS, and their peer agencies each are working on their own tools to hack and disrupt, and each could just as easily be the root cause of a hack like WannaCry.
Although it is impossible for private citizens and businesses to stay ahead of state-sponsored cyberwarfare, even a recognition of the risks can help prevent the catastrophic consequences of being compromised. At the very least, businesses should recognize that the cyberwars are a reality and do what they can to avoid being caught in the crossfire.