OPINION: Last weekend’s global ransomware attack, “WannaCry”, has raised many questions – from quirky economics questions such as “Is $300 just the right amount for a ransom?” to “Should we pay the ransom?” What we do know is that the malicious software has now spread to at least 150 countries, with reports of serious impacts on the National Health Service (NHS) in the UK, and a range of other government and private sector activity, including reported impacts on big companies like Telefonica, FedEx Corp. and the French car manufacturer Renault.
New Zealand appears to have avoided the worst effects so far, with Russia, India, Spain, Taiwan and Ukraine some of the most affected countries. The computer worm, which locks up computers until a ransom is paid, is expected to infect millions more computer systems in the coming days through newly emerged variants, and will likely cause direct and indirect costs running into the billions of dollars globally.
There are some basic but important lessons that we can learn from the attack, even at this early stage. First, there are still many computers using Windows XP, which Microsoft discontinued in 2014. Discontinuation means that between 2014 and now, there have been no security updates to patch the holes discovered in the system, leaving open doors for hackers to enter. What is truly scary is that 95% of ATMs in the world are still running Windows XP. Imagine the field day the hackers can have when they can access the ATMs. In fact, the late Kiwi hacker Barnaby Jack demonstrated how to spew cash from the ATMs through a simple hack at the hacker conference Black Hat 2010. In the last few days, as a global response to the attack, Microsoft (finally) released software updates for all old Windows systems including Windows XP and Windows 2003.
This brings us to the second point. When it threatens their business reputation, software companies can offer software updates to very old software just to save the day (and their reputation). Microsoft has successfully demonstrated their true capability in doing just that.
Third, despite the importance of data, many people do not back up their data in external hard drives, cloud computing environments such as Dropbox, or other computers. This basic human flaw has been a huge enabler of these types of ransomware attacks.
Fourth, attributing attackers is a difficult problem in cyber space. That said, the WannaCry hackers may not be as sophisticated as the original writers of the USA National Security Agency (NSA) cyber weapons this ransomware is based upon. When the vigilante group Shadow Brokers released the leaks about these NSA cyber weapons, it was only a matter of time before some malicious party modified this software into malware. This has happened in the past with other global attacks such as the Blaster worm more than a decade ago.
In WannaCry, hackers left behind a few trails, such as a URL which serves as a kill-switch to stop the spread of the ransomware, and patterns which show a certain style of software coding. Some researchers from Google suspect that this is linked to North Korea, due to the coding style bearing similarity to the notorious Lazarus group, responsible for hacks into South Korea (2013 DarkSeoul operation) and the Sony Pictures hack in 2014.
These issues aside, the crisis demonstrates the dangers posed by a growing tendency in national security establishments to develop “cyber weapons” that can be used to disrupt and destroy computer systems, and the corresponding need for enhanced global co-operation on cyber security threats.
Since the terrorist attacks on 9/11, the NSA has taken a lead role in developing offensive cyber weapons to deploy against foreign adversaries. This has been widely revealed through leaks by WikiLeaks, Edward Snowden and others. The problem is these capabilities can be hacked themselves. As with most weapons, they can also be used back against us and we witnessed this irony in WannaCry.
The proliferation of malicious cyber tools from states to non-state actors is as much of a danger as the collateral damage that malicious software can cause. The malware used in the infamous Stuxnet attack against Iranian nuclear centrifuges, likely by the US and Israel, spread to more than 60 countries and is still being modified and used for malicious purposes. It is very difficult to isolate targets when using offensive cyber capabilities without that malware spreading and/or being reverse engineered. Those states that are at the cutting edge of developing malicious cyber tools should expect to become more likely targets for hackers themselves.
Another major problem, which can only be solved by global cyber co-operation, is information sharing. In the case at hand it appears that the NSA knew about the existence of the Windows software vulnerability that has been so ruthlessly exploited, but did not disclose that information until it was too late. Information sharing between governments and the private sector, in both directions, also happens too slowly in many cases. This lack of trust and transparency has been a feature of the way cyber security has been dealt with and has precluded effective cross-sector responses to cyber security issues. A global information sharing platform may be needed to immunise against the impacts of these types of cyber attacks.
A final problem is the lack of global investment in cyber security in both the government and private sectors. The political row that has erupted in the UK over investment in NHS digital infrastructure is noteworthy in this context. When public sector organisations are starved of funding there is little incentive to invest in upgraded software and hardware. If some NHS computers were not operating on outdated Windows XP operating systems then the effects on the NHS’s ability to keep frontline services running, including X-ray and chemotherapy services, might have been less severe.
The New Zealand government has done a great job in that respect by recognising the need for sustained funding for cyber security research such as STRATUS, and has taken big strides in recent years in enhancing our own cyber security capabilities and institutions, including the recent establishment of our own national Computer Emergency Response Team (CERT NZ). However, these kinds of cyber attacks cannot be dealt with by countries working in isolation. The global ransomware attack demonstrates a pressing need for global solutions.