WannaCry attack a wake-up call
At a time when hyper-targeted phishing attacks and sophisticated government-sponsored assaults represent the cutting edge of the battle over cyber security, the spread of the WannaCry ransomware looks like a blast from the past.
The malicious code, which was transmitted rapidly around the world on Friday, took advantage of a flaw in commonly used software — in this case, the Windows operating system. Computer worms like this first drew attention to the vulnerabilities of connecting to the Internet nearly two decades ago.
The WannaCry infection stood out from earlier attacks for the speed with which it spread, and the way that the code was used to lock down infected computers until their users paid a ransom. It is a wake-up call at a time when the fight for cyber security already looked perilous.
The attack followed the leak earlier this year of a batch of cyber weapons built by the United States National Security Agency (NSA). One of them, according to computer security experts, provided the blueprint for the latest malware.
If so, that is a serious black mark for the security services. It is unrealistic to expect agencies like the NSA to voluntarily give up their cyber offence, particularly when their adversaries are likely to have similar digital armaments. But a stronger public debate is needed about what these weapons are for, how they are being protected and how they might be used.
Not only is it unclear what software is being stockpiled or how it is being protected, but there is no disclosure about whether — or how — the weapons are actually used.
The second notable point about the WannaCry worm is that it was able to spread so far, and so fast. For Microsoft, that makes it an uncomfortable reminder of how devastating even one software vulnerability can be.
The company acted quickly to produce a fix for versions of the software it no longer supports, such as Windows XP. But successive generations of the operating system have been found wanting.
Windows 10, launched in 2015, was not vulnerable to the ransomware and is widely viewed as a big step forward in safety — but it will be many years before all the older software is retired.
Stronger incentives are needed to prompt users to replace rather than patch out-of-date pieces of code like Windows XP.
Microsoft should do everything it can to move users on to newer, safer software.
When it comes to current software, effective carrots and sticks are needed to persuade companies, governments and individuals to do what everyone knows needs to be done: Patch their computers when a flaw is discovered.
Stronger rules are required to force companies to disclose when they have succumbed to a cyber attack, and penalties may be needed to encourage us all to be better cyber citizens.
Many pieces of digital equipment — like the MRI scanners used by the United Kingdom’s National Health Service, which run Windows XP — cannot be upgraded as easily as a PC. The severity of last week’s attack shows that a concerted effort is now well past due.
This is reminiscent of the millennium bug, another serious threat that forced an overhaul of many computer systems at the end of the 1990s.
Today’s cyber security crisis is starting to look every bit as serious, and it demands an equally sweeping response. Governments and companies alike must invest the time and money to keep us safe.
Though damaging, the WannaCry worm was not the worst that could have happened. It could have been used to wipe out the data on computers it infected. The ransomware has been a costly nuisance. Next time, we might not be so lucky.