The global WannaCry ransomware attack, which crippled hospitals, government organizations, companies and individuals around the world, didn’t have to happen. It was no grand technological feat perpetrated by genius hacker masterminds. Instead, it took advantage of the lazy, patchwork way organizations handle security and the seamy roles that the National Security Agency (NSA) and big tech companies play in undermining security in the internet age.
And that, in fact, is a piece of good news. Because it means that stopping the next global malware attack needn’t be impossible. Here are five steps that can do it.
1. Ban the NSA from stockpiling vulnerabilities
The ransomware attack was built on top of a hacking tool built by the NSA and stolen and released publicly by a group called the “Shadow Brokers.” As The New York Times notes, the attack, “appeared to be the first time a cyberweapon developed by the N.S.A., funded by American taxpayers and stolen by an adversary had been unleashed by cybercriminals against patients, hospitals, businesses, governments and ordinary citizens.”
The NSA tool and ransomware exploit software vulnerabilities in various versions of Windows, including Windows XP, Windows 7, Windows 8 and Windows Server 2003. This is how the NSA does much of its work: finding security holes in operating systems and then devising software to take advantage of them.
When it finds these holes, though, it often doesn’t tell software makers such as Microsoft about them. Instead, it stockpiles many vulnerabilities. That way the NSA’s hacking tools will be more effective, because companies won’t have patched the vulnerabilities. The Obama administration made a deal with the NSA forcing the spy agency to disclose some, but not all of, the vulnerabilities to companies. The WannaCry ransomware attack was based on one of those stockpiled vulnerabilities.
Microsoft President and Chief Legal Officer Brad Smith criticized the NSA for this in a blistering blog post. He wrote: "The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits." He followed that by asking that a Digital Geneva Convention be convened, “including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
He’s absolutely right. Government agencies need to be banned from stockpiling vulnerabilities. The moment they find any, they should alert tech companies, which could then write a patch to close the hole.
2. Require companies to issue security patches to everyone, not just paying customers
Back in March, Microsoft issued a security patch to close the hole that the WannaCry ransomware ultimately exploited. The company was almost certainly alerted by the NSA to the vulnerability after it realized the Shadow Brokers had stolen hacking tools that took advantage of it and might release them publicly.
Microsoft later released another security patch to close the hole, after WannaCry had been released and done damage. The company was lauded for doing that, because it made the patch available to anyone running XP, even though XP is no longer supported by Microsoft.
That was the right thing to do. But it should not be just a one-off; it should be standard operating procedure. Even though XP isn’t currently supported by Microsoft, the company still issues security patches for it, but only to companies willing to pay the extra money for that service. Those patches should be made available to everyone for free, not just companies that can afford them. Microsoft’s Smith says that the WannaCry attack should be a wake-up call to governments to change their behavior. I agree. But it should be a wake-up call to Microsoft as well.
3. IT staff should face consequences over attacks that could have been prevented
The WannaCry global attack revealed a surprising level of incompetence in IT staffs around the world. The patch that closed the hole had been available since March, nearly two months before the attack, and applying it would have protected their organizations. The most basic thing an IT staff can do is keep a company secure, and one of the most basic ways to do that is to make sure security patches are applied as soon as they are issued.
If IT staff can’t take that simple action, they should face the consequences, up to and including firing.
4. Embrace automatic updates
Plenty of people scream because they don’t like that Windows 10 automatically applies updates to their computers. It’s time for them to get over it. Windows and all operating systems should apply security updates automatically, for the same reason that all children should be immunized — keeping everyone safe requires a kind of herd immunity. No computer is an island; any computer that gets compromised can be used to launch attacks on other PCs.
So stop complaining about automatic security updates. Feature updates that contain no security fixes can reasonably be deferred. But security updates should be applied automatically, with users allowed to choose only the time at which they are installed.
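Steps 3 and 4 both come down to two checks an administrator can actually run on a Windows host: are the required security updates installed, and is Windows Update configured to install security updates automatically at a chosen time? The script below is an added example, not code from the article or from Microsoft. The KB numbers in its default list are example values (the article does not name the bulletin; take the KB numbers for your OS build from the vendor's own advisory), and the 03:00 install window is an assumed choice.

```powershell
# Added example (not from the article): verify a host has the required
# security updates installed and that Windows Update is set to install
# updates automatically at a scheduled time.
# Run in an elevated PowerShell session on the host being checked.

param(
    # Example values only; take the KB numbers for your OS build from the
    # vendor's bulletin (the article does not name the bulletin).
    [string[]]$RequiredKBs = @('KB4012212', 'KB4012215')
)

# --- 1. Patch verification ---------------------------------------------------
# Get-HotFix lists installed updates; compare against the required list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKBs | Where-Object { $installed -notcontains $_ }

if ($missing) {
    Write-Warning ("{0}: missing required updates: {1}" -f $env:COMPUTERNAME, ($missing -join ', '))
} else {
    Write-Host ("{0}: all required updates present" -f $env:COMPUTERNAME)
}

# --- 2. Automatic-update policy ---------------------------------------------
# Windows Update policy lives under the WindowsUpdate\AU key.
#   NoAutoUpdate = 1  -> automatic updates disabled (the weak setting)
#   AUOptions    = 4  -> auto download and install on a schedule
#   ScheduledInstallDay = 0 (every day), ScheduledInstallTime = hour (0-23)
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

if ($null -eq $au -or $au.NoAutoUpdate -eq 1 -or $au.AUOptions -ne 4) {
    Write-Warning "Automatic updates are not set to install on a schedule; enforcing policy"
    New-Item -Path $auKey -Force | Out-Null
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $auKey -Name AUOptions    -Value 4 -Type DWord
    # Install every day at 03:00 local time (assumed window): the user-chosen
    # install time the article asks for, without letting the update be skipped.
    Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord
    Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord
} else {
    Write-Host "Automatic scheduled installation of updates is already enforced"
}
```

Run it across a fleet with Invoke-Command -ComputerName against the host list; any machine that prints a warning from the first block is exactly the kind of unpatched host that WannaCry found. The registry values are the same ones Group Policy writes, so on a domain the corrected setting belongs in a GPO rather than in a per-host script.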
5. Governments must cut down on piracy
China was hit particularly hard by WannaCry because a vast amount of its Windows software is pirated, and pirated software typically doesn’t get security updates. The problem isn’t just that the government doesn’t enforce piracy laws. The government flouts them, and it uses pirated software itself. Government-run colleges, law-enforcement agencies, oil and telecom companies and more use pirated versions of Windows. Russia was hit badly as well, and for the same reason.
A study by the BSA Software alliance found that in 2015, 70% of all software in China and 64% of all software in Russia wasn’t properly licensed. In a prescient finding, the BSA noted, “An analysis done as part of BSA’s new Global Software Survey finds that the higher the rate of unlicensed PC software, the higher the likelihood that users will experience potentially debilitating malware.”
The upshot? Governments worldwide need to cut down on piracy if they want to stop the next global malware infection.