WannaCrypt ransomware attack should make us wanna cry - By Alexander Urbelis
Posted by
NB
Thursday, May 11, 2017
On Friday, the world experienced the wrath of a
well-coordinated ransomware attack, known as WannaCrypt. The attack caused
Britain's NHS to cancel surgeries, a wide array of Russian and Chinese private
and public institutions to be crippled most of the day, and the rest of the
world to recoil in shock. How could a
single piece of malware, exploiting a Windows vulnerability the NSA had known
about for years, whose exploit was leaked last month by a group called the
Shadow Brokers, and which Microsoft had already patched in March for supported
versions of Windows, wreak so much havoc?
Before the malware could do much damage in the United States, a
lone British researcher, known as "MalwareTech," serendipitously
identified its kill switch -- the registration of a single domain name -- while on
vacation. The ease with which MalwareTech did this says a great deal about the
poor state of the global information security industry, and raises several
important questions.
MalwareTech analyzed the malware in a testing environment and
immediately noticed that the code queried an improbable Internet domain name that
was not registered. Domain names often serve as malware command and control
points, so MalwareTech simply registered the domain name, which turned out to
trigger the kill switch for WannaCrypt. This was incredibly lucky.
MalwareTech believes that the domain name was not intended as
a kill switch, but rather a mechanism by which the malware itself could
identify whether it was being analyzed.
If the domain name answered, the malware assumed it was running inside an
analysis sandbox, which typically answers every network request so that a sample
keeps talking, and WannaCrypt was designed to frustrate such analysis by shutting
itself down. Because only a single, hard-coded domain name was checked,
registering that domain name had the effect of halting every new WannaCrypt
infection worldwide (it did nothing for machines already encrypted). In short, WannaCrypt's creators were lazy,
and the world lucked out. If WannaCrypt could be shut down so quickly and
easily, why did it take so long for someone in this world to flip the kill
switch, and what does this say about the state of global cyber preparedness?
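The kill-switch logic described above, modelled as an added example (not code from the malware, from MalwareTech, or from the original article): the domain name and the DNS log lines are constructed placeholders, and the name-lookup check stands in for the HTTP probe the real sample made. The second half shows the check a defender would run in the aftermath: scanning resolver logs for hosts that queried the kill-switch name, since every such host executed the worm whether or not the lookup halted it.

```python
"""Model of the WannaCrypt kill-switch check and a DNS-log scan for hosts that hit it.

Added example for this article; not code from the malware or from MalwareTech.
The real sample probed its hard-coded domain with an HTTP request rather than a
bare DNS lookup; the decision logic modelled here is the same.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional

# Hypothetical placeholder: the article does not name the real hard-coded domain.
KILL_SWITCH_DOMAIN = "killswitch.example"

# A resolver maps a name to an address, or to None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def should_run(resolver: Resolver, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The malware's own decision: an improbable name that nevertheless answers
    means 'someone is faking the network for me', so stop; no answer, carry on."""
    return resolver(domain) is None


def real_internet(registered: Dict[str, str]) -> Resolver:
    """Real DNS: only registered names answer. Registering the kill-switch name
    flips every new infection from 'run' to 'stop'."""
    return lambda name: registered.get(name.lower().rstrip("."))


def sandbox_resolver(fake_ip: str = "10.0.0.1") -> Resolver:
    """Analysis sandboxes commonly answer every lookup so a sample keeps talking;
    that behaviour is what the check was written to spot."""
    return lambda name: fake_ip


# Constructed resolver log lines (not a real capture). Format assumed:
#   <timestamp> client=<ip> q=<name> rcode=<NXDOMAIN|NOERROR>
SAMPLE_DNS_LOG: List[str] = [
    "2017-05-12T10:31:02Z client=10.1.2.3 q=killswitch.example rcode=NXDOMAIN",
    "2017-05-12T10:31:05Z client=10.1.2.3 q=updates.example rcode=NOERROR",
    "2017-05-12T10:40:17Z client=10.1.2.9 q=killswitch.example. rcode=NXDOMAIN",
    "2017-05-12T16:02:44Z client=10.1.2.21 q=killswitch.example rcode=NOERROR",
    "this line is malformed and must be skipped, not crash the scan",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<q>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def hosts_that_hit_kill_switch(
    lines: Iterable[str], domain: str = KILL_SWITCH_DOMAIN
) -> Dict[str, str]:
    """Any client that looked up the kill-switch name executed the worm's check,
    so it is infected whether or not the lookup succeeded. Returns
    {client: "halted" | "proceeded"} according to the last answer it received:
    NXDOMAIN (before registration) means the payload went on to run."""
    status: Dict[str, str] = {}
    for ev in parse_dns_log(lines):
        if ev["q"].lower().rstrip(".") != domain:
            continue
        status[ev["client"]] = "halted" if ev["rcode"] == "NOERROR" else "proceeded"
    return status


if __name__ == "__main__":
    print("unregistered, real DNS ->", should_run(real_internet({})))  # True
    print("registered, real DNS   ->",
          should_run(real_internet({KILL_SWITCH_DOMAIN: "203.0.113.5"})))  # False
    print("sandbox                ->", should_run(sandbox_resolver()))  # False
    for host, state in sorted(hosts_that_hit_kill_switch(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {state}")
```

The two halves make the same point from opposite sides: a single hard-coded name is a single point of failure for the attacker, and a single high-value indicator for the defender, who should treat every host in the "proceeded" set as compromised and every host in the "halted" set as still unpatched and exposed.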
First, it shows that the information security industry views
cyberattacks more as a business development opportunity than as a chance to put
their collective heads together to eliminate threats. Though there are undoubtedly professionals
who share data unconditionally -- as MalwareTech himself did -- Friday's
events make it clear that the efforts of the information security community
need greater alignment, and that the world cannot rely on a combination of
serendipity and lazy coding to prevent the next attack.
Second, we must ask whether WannaCrypt was merely a test of
readiness. Perhaps the kill switch existed not out of laziness but as a
deliberate act, one designed to test how long it would take to shut down the
attack. On the other hand, perhaps the
creators intended to gather intelligence on the extent and type of systems that
could be affected by malware targeting unpatched or end-of-life operating
systems like Windows XP, which the vendor no longer updates or supports. Alternatively, WannaCrypt
could have been intended merely to demonstrate the moral hazard of governments
that catalogue software vulnerabilities but do not notify software developers.
Thus, WannaCrypt illustrated exactly what could happen if these vulnerabilities
fall into the wrong hands.
WannaCrypt has generated much debate about the danger of
state-sponsored cyberattacks. As a staunch privacy and security advocate, I
believe the inclusion of government-mandated backdoors in applications or
operating systems that could allow unfettered access to personal data or
activities are not only unwise but entirely misguided. But if the 2016 election
has taught us anything, we cannot deny that we live in a time that requires
both offensive and defensive cyber capabilities.
Similarly, we cannot deny that we should be expecting more of
software behemoths like Microsoft. We live in the era of big data, where vendors
already collect telemetry on the software they ship. In the face of a software
vulnerability that may bring a portion of the world to a halt, we should expect
more than the timely release of a patch.
When critical systems rely on at-risk software, it is
reasonable to expect that software developers like Microsoft, not governments,
become more adept at notifying at-risk parties and ensuring systems become
properly patched. Long-winded blog posts, emails, and available updates are
unfortunately insufficient because many customers do not receive mainstream
support or may not even know they are in possession of a vulnerable system.
On April 8, 2014, Microsoft ended its support of the Windows
XP operating system, and yet institutions around the globe continue to use it.
XP was among the systems left exposed to the SMBv1 flaw WannaCrypt used to
spread: the March patch covered only supported versions of Windows, and
Microsoft issued an emergency fix for XP only after the outbreak was under way
(the bulk of the machines actually infected were running unpatched Windows 7).
The world was quite different three years ago: the Internet of Things was a
nascent but growing concept. Today the IoT is a major concern.
If we do not discover greater efficiencies to combat
pernicious threats like WannaCrypt, and if we countenance the creation and
abandonment of insecure software, we can expect to face a far greater cascade
of threats that have the potential to cause significant digital and physical
damage. And next time we may not be so lucky.