WannaCry Attack Just a Taste of New Age Cybercrime
Defense systems are rapidly succumbing to malware proliferation — government failing to act
Following the leak of NSA spying tools by Shadow Brokers in April, the bad guys took that code and modified it slightly to create a variant called WannaCry — and spread it to computers around the world.
It is simply one of many forms of malware. Its present attack style, what is referred to as a “payload type,” is known as ransomware. Ransomware locks down all the files on an infected computer until the victim pays the ransom amount.
WannaCry takes advantage of vulnerabilities in Microsoft Windows, which most people do not bother updating with the latest security patches, even though those patches are designed to protect against attacks like these. While applying a security patch might appear obvious to an outside observer, companies avoid applying patches because they create a complicated impact on other systems that depend on Windows.
The failure of companies to update their systems has been a well-known security exposure for years. But the risk was relatively low before the NSA got sloppy with its secrets.
Now, everyone is at risk, and it’s not just businesses. Many consumers with older PCs have disabled their automatic updates due to the annoying nature of rebooting and overly complicated configuration details. This is the point at which the notion of self-driving cars makes me smile.
So far, the attack has affected 150 countries and over 200,000 computers. The impact to hospitals was instructive in that it should provide a peek into what the future might look like. Operations were canceled, drug delivery was suspended, and ambulances were diverted.
Imagine what might happen if the same code were used in a more serious and targeted attempt to disrupt infrastructure operations instead of trying to collect a few bucks from some hapless corporations. Imagine a dam immediately releasing its entire contents, a power grid being shut down for months, or air- and seaports being closed indefinitely.
Or, perhaps closer to this particular attack, a hospital held ransom against the threat of shutting down all emergency equipment. These are not far-fetched, future-science scenarios. This is very real and very current.
As you read this, the hackers are firing up new versions of the malware that cybersecurity organizations will try to detect, counter and eradicate. But, in spite of the billions we spend each year on cybersecurity defense, it is clear who has the upper hand here. In fact, compromises of machines and networks that have already occurred will not yet have been detected, and these existing infections will continue to spread.
You might be asking why this is.
The answer can be found in a combination of complexity, denial, and corporate and institutional bureaucracy. The cybersecurity problem is complex. The IT systems at risk are complex. The threats are complex. Most businesses and most consumers have yet to be successfully breached, so not unlike insurance, the cost of protection — unless mandated by law — can easily be avoided. As a result, most businesses tend to ignore the risk, which they don’t understand, and have deferred the expense and trouble of properly securing their IT environments against modern cyberattacks.
Our government agencies are so heavily siloed to guard against job-threatening review that they are virtually impossible to drag into any sensible approach to an overarching cybersecurity strategy. The asymmetrical gaps in economics, technology, education, and information are the result of our failed approach to dealing with the issues on a national level.
Hackers require very few financial resources to execute a malware attack. Fifty dollars on the dark web will get you a malware kit and a service that will even run it for you. You just sit back and collect the bitcoins. Or, watch as the power grid shuts down. Yet protecting against these threats cost us north of $75 billion in 2016. It's like ringing a doorbell with a Tomahawk missile.
The technology is readily available and super-simple. It gets even simpler when our national intelligence agencies allow it to leak out everywhere. People engaged in cybercrime know everything about the state of our defenses in both the private and public sectors. You don't have to be a rocket scientist to figure this stuff out. On the other side, we seem to always be surprised at the latest cyberattack.
The bad guys have been studying hacking techniques and approaches for years — both North Korea and Iran have formal educational programs with thousands of skilled graduates operating in the wild. We have nothing close.
But somehow, with all of this in the background, we end up with a presidential order that fails to address any of the fundamental problems, fails to call for any meaningful action, fails to involve anyone in the private sector, and calls instead for studies and initiatives and reviews and more analysis and recommendations over the course of a year.
As long as we continue to ignore the threat and take non-steps, the WannaCry attack will look like child's play in a couple of months. What do we do then? Another study?
Steve King is the COO and CTO of Netswitch Technology Management.