WannaCry was your fault too
May 2017 began with a big bang. It saw the broadest cyber-attack the world has ever seen, striking hundreds of thousands of computers worldwide in only a couple of days. The attack held computers hostage, and while the attackers, who remain unknown and at large, demanded a ransom for their release, hospitals and air carriers were forced to shut down for hours. The attack exploited an old communication protocol vulnerability that had been stolen and leaked from the NSA some months ago.
So who’s at fault? Easy, right? Those who unleashed the attack, obviously.
But isn’t that taking the easy way out? Blaming the bad guys? Of course I’m not suggesting they’re not culpable at all; after all, they launched a vast cyber-attack against the world. But arguably there are others who are also responsible for its success. I think it’s clear now that, within limits, the attack might have failed or at least could have been mitigated. So who else is culpable?
First on the list is the easy scapegoat: those responsible for securing their organizations and networks. The attack was effective only on old or unpatched Windows systems, some of which had reached the end of their supported lifespan some time ago. Among those responsible for the security of their organizations, a couple of groups dominate this category:
The Ignorant Defender
The first segment is certainly those comprising the lazy and the ignorant — those who lack a certain level of knowledge and understanding. To the lazy and to the ignorant, I suggest you take a long, hard look in the mirror and ask yourselves whether you’ve had enough, or can you keep taking the heat until the end of time? If it’s the former, I guess it’s time to take things into your own hands and change the way things function around there.
The Risk-Taking Defender
The second segment constitutes those who didn’t upgrade or patch because of financial or operational considerations. Updating systems such as control systems, manufacturing lines, heavy infrastructure etc. is a financial burden and requires an abundance of resources, including R&D and integration. Often, updating is too costly, so systems are left to age. There’s also risk involved in changing a system planned for an older OS; it just may not work. These are all legitimate considerations… but if you decide not to upgrade or update, reasonable risk management requires that alternative measures be taken to ensure the security of these older systems. If you’ve made the conscious decision to linger on the old OS, that’s fine. But compensate at the network level. Wannacry succeeded by exploiting an old protocol that’s hardly in use today, certainly not on the open Internet. If you were a victim of Wannacry, it’s because you left a door open somewhere. If you forgot it was open, you shouldn’t be surprised the chill was able to enter.
It seems that for some of the organizations hit, responsibility can be divvied out to those employed to ensure their security. It’s about taking some of the most fundamental and best-known patching measures (at least when a critical, urgent patch is released) and closing old protocols on the network (the protocol Wannacry exploited is around 30 years old). If there’s a legacy system the organization cannot do without, institute additional monitoring and other measures such as access lists on the firewall or switch, patching of gateways, etc. Indeed, relatively straightforward security measures could have left Wannacry crying outside alone.
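As an added example (not code from the original column), here is a small Python audit of the “open door” the paragraph describes: legacy SMB (TCP 445/139, the protocol Wannacry spread over) admitted from outside trusted networks, run over constructed firewall flow records. The trusted networks, the flow log format and the generic ACL syntax are assumptions.

```python
# Added example, not from the original post: flag allowed SMB flows whose source
# lies outside the trusted networks, and derive compensating deny rules from them.
import ipaddress
from typing import Iterable, List, Tuple

SMB_PORTS = {445, 139}  # TCP ports for SMB and the NetBIOS session service

# Constructed sample flow log: "src dst proto dport action" (assumed format).
SAMPLE_FLOWS = """\
203.0.113.7 10.0.5.12 tcp 445 allow
10.0.1.20 10.0.5.12 tcp 445 allow
198.51.100.9 10.0.5.30 tcp 139 allow
198.51.100.9 10.0.5.30 tcp 445 deny
203.0.113.8 10.0.5.12 tcp 443 allow
""".splitlines()


def parse_flow(line: str) -> Tuple[str, str, str, int, str]:
    src, dst, proto, dport, action = line.split()
    return src, dst, proto.lower(), int(dport), action.lower()


def smb_exposures(lines: Iterable[str], trusted: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, port) for allowed SMB flows from outside the trusted nets."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    found = []
    for line in lines:
        src, dst, proto, dport, action = parse_flow(line)
        if proto != "tcp" or dport not in SMB_PORTS or action != "allow":
            continue  # not SMB, or already blocked
        if not any(ipaddress.ip_address(src) in n for n in nets):
            found.append((src, dst, dport))
    return found


def acl_lines(exposures: Iterable[Tuple[str, str, int]]) -> List[str]:
    """Suggested compensating deny rules in a generic ACL syntax (adapt to your firewall)."""
    return sorted({f"deny tcp any host {dst} eq {port}" for _, dst, port in exposures})


if __name__ == "__main__":
    hits = smb_exposures(SAMPLE_FLOWS, ["10.0.0.0/8"])
    for hit in hits:
        print("exposed:", hit)
    print("\n".join(acl_lines(hits)))
```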
In referring to the ‘Facilitators’, I direct my claim at the people I believe have the responsibility of raising awareness and alerting on a specific threat. Their silence enabled the attackers to take advantage of the broad lack of awareness.
The Root Facilitator
Now we’re getting to the gist of my contention. After we’ve pointed fingers at the lazy, the ignorant and the careless, and thus amassed much of the responsibility for the success of Wannacry onto the victim, we’ll divvy out the blame again; this time with a badge of honor in the chain of responsibility. Yes. It’s the NSA itself (for this specific case; other cases may involve other security/intelligence agencies).
Wannacry was developed and launched based on cyber capabilities held by the NSA and leaked by WikiLeaks. Yep, you got it right. Once WikiLeaks published these capabilities they became everyone’s game. Anyone could deploy NSA’s cyber capabilities once revealed to the world. By way of side note, Microsoft was responsible enough to release a critical and urgent patch once the capability was published (alongside any other company that patched their system in time and was ultimately protected). But the question remains: wasn’t it the NSA’s responsibility to share with the world the potential meaning of the leak? Cyber experts no doubt understood the implications. But they are but a fraction of the global population.
Imagine a dangerous biological weapon was stolen and published that would allow anyone to manufacture and deploy it. Isn’t it obvious the party from which it was stolen (assuming a governmental agency) had the responsibility to alert the world, offer a solution and raise awareness to the potential threat?
When it comes to cyber weapons, why isn’t this obvious? The NSA possessed, and most likely still possesses, dangerous cyber capabilities. I’m not suggesting they relinquish these capabilities; they need them to achieve their goals and complete their missions. Such is the world today. But once something like that gets out, shouldn’t the NSA share the possible implications? Aren’t they responsible for rousing the lazy and the careless? Could they have raised awareness regarding the potential use of the leaked capabilities so that the risks were known beyond cyber circles?
The NSA didn’t embrace their responsibilities. Okay. What about other national-level cyber defense agencies? Israel has the National Cyber Bureau and the National Cyber Security Authority. They are the professionals at the national level. They undoubtedly saw the WikiLeaks publications. They’re run (I hope) by serious cyber experts. Didn’t they understand the possible repercussions of the leak? Why didn’t they share, explain, or raise awareness of the specific threat? What were they waiting for? Like Israel, the US has Homeland Security agencies, the FBI etc. European countries each have their independent bodies as well as a joint EU cyber authority.
My belief is that national authorities often embrace the regulatory approach. It’s easier. It exonerates them of responsibility. They issue a regulation and it becomes the public’s responsibility to comply. But I think they have a basic responsibility to help the public understand and be aware of the more specific threats. Especially when all it takes to engage a threat is reading WikiLeaks. No high-end intelligence efforts required.
Perhaps, just perhaps, if they had, this column may not have been newsworthy.