We are fielding a number of inquiries on the recent ransomware situation affecting computers globally. Our point of view is that (a) the rapid and wide spread of the malware clearly illustrates the risks of widely-interconnected systems, and (b) much if not most of the pain is very avoidable.
To recap: an exploit for Microsoft Windows named EternalBlue, thought to have been developed by a branch of the U.S. National Security Agency (NSA), was leaked or stolen, and on May 12 became the basis for a criminal ransomware campaign – a demand for money in exchange for restoring the attacked computers. Systems whose organizations had not installed Microsoft's Windows security update of March 14, 2017, were affected by the attack.
Now, we see many asserting that only “urgent collective action” can protect the world from future cybersecurity attacks. Such simplistic and “expert” suggestions do not solve the longer-term or core underlying issues. The problem with the Internet is that since no one owns it, no one is responsible when something goes wrong. And what goes wrong tends to go wrong on the edges – in this case on legacy, unpatched operating systems – and then spreads into core systems and operations from there.
But there’s plenty of finger pointing anyway. Microsoft softly accepts some responsibility for the problems, pointing to the thousands of engineers it has on security as evidence it is doing all it can. And it’s done more – back to that in a second. But it directly challenges its customers and governments to do better. It’s calling for a “Digital Geneva Convention” that would obligate treaty government signers to certain behaviors.
Speaking of governments, the US NSA is the target of much blame. It, along with many other national intelligence agencies, develops and refines malware as part of a two-pronged cyberattack strategy – to understand and defend against such exploits, and to use them to pursue national defense interests. The NSA’s Equation Group is believed to have developed the exploit, then apparently had it stolen (perhaps by a nation-state) and published by a group known as the Shadow Brokers. Governments also have policies they don’t enforce. For example, the European Union (EU) has asked its members to assess the cybersecurity of critical infrastructure, but few have done so.
Those running out-of-date and/or non-updated Windows versions are also being blamed for the outbreak. They are accused of knowingly running insecure operating systems, not securing networks, and not training employees in basic cybersecurity. Ironically, reports indicate few are paying the ransom. The “actual ransom” Twitter feed shows a bot that’s watching the three Bitcoin wallets associated with the ransomware. As of this writing, about $72,000 has been paid.
Figure 1. Who is Affected by Ransomware
We assert that what makes ransomware and other worms/viruses work is usually an organizational choice. For example, Britain’s NHS decided to keep thousands of XP desktops and Windows 2003 servers running. Their motivation may have been a lack of budget to spend on upgrades; if so, they gambled on outdated software, and lost.
That being said, we get it. We understand why organizations do not upgrade every system every time. There are circumstances that make it impossible to upgrade every instance in every machine everywhere. Given the organic nature of enterprise system growth and topology, it’s likely that there will always be an NT Server running, somewhere.
But events like the WannaCry ransomware attack are going to keep happening, and – we expect – with increasing frequency and effectiveness. Given the often-unknown extent of interconnectivity between governmental, enterprise and personal devices, and the Internet of Things, any outdated OS is an increasingly exploitable entry point into most aspects of most systems. Recall that the massive 2013 Target stores credit card breach occurred via a networked heating/cooling control.
Frankly, the WannaCry event should be a wake-up call regarding how preventable so many cyber-attacks really are, and how readily compromised most traditional perimeter defenses are in the interconnected world. In engineering, we are taught by example how many preventable disasters began with small, readily-fixed, often-overlooked failures in relatively minor components that are taken for granted. Even ancient parables teach us how simple it can be to trace disaster to the preventable failure of the simplest, most common component (e.g., “For want of a nail…”). When it comes to cybersecurity, we know that the weakest link will always be found and exploited; and experience tells us that link will too often be something, somewhere, that was overlooked or ignored.