WannaCry? Tears of frustration, maybe

When you think about “the big one” in cybersecurity, you might call to mind the Target breach of 2013, the Anthem breach of 2014, and so on.  Although this year isn’t yet halfway through, the worldwide WannaCry malware attack that began last week might be significant enough to merit that position, when we think back on this in the future.

A pernicious attack that, as I said, has made news all around the globe, this particular bit of ransomware first struck the UK’s health service as one of its early victims, before spreading and surging.  As of now, the total number of machines affected totals about 200,000.  Ordinarily, such a sum of infected machines might not gain the momentous attention this story has.  However, it isn’t simply the number of machines that made this newsworthy.  For one thing, its scope of over 100 countries and 150,000 organizations signals hackers ramping up their game.  In addition, UK hospitals have been among the primary targets, putting lives at stake as the hospitals have to deal with locked systems affecting critical patient care.

What’s really damning (and frustrating) is the original source of this attack: an exploit discovered by the NSA and stored away for its surveillance potential.  Only one problem.  Remember the recent NSA hack, which resulted in a stolen cache of the agency’s documents online?  Yeah, this was part of it.  The hacking group known as Shadow Brokers, who released the cache, made the details of WannaCry public.

Condemnation of the NSA for hoarding such a dangerous tool has been swift.  Since the ransomware only runs on Microsoft platforms, it’s not surprising that the tech giant is not pleased.  The company’s chief counsel, Brad Smith, decried the agency’s irresponsibility.  “An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen,” he analogizes.  “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” he says, adding that “this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”

This is not the first time the NSA has blundered in this regard.  When the Heartbleed bug hit, they reportedly had known of it for two years prior, but kept it under wraps from vendors until it was too late.  Once more, history repeats itself.

As of now, and despite a temporary solution, there is no way to fix a computer or network infected with WannaCry.  All that can be recommended is the same advice as always.  If you receive a message with an attachment you weren’t expecting, even if it looks legitimate, hesitate to click on it.  Of course, if it doesn’t look legitimate, definitely don’t click.  Don’t fall for phishing.  For employees, once the bug is in one machine, it can easily spread across the whole network.

If there is to be a silver lining to this incident when all is said and done, perhaps the governments of the world really will, per Smith’s recommendation, treat it as a wake-up call.  “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world,” he says, calling for a “Digital Geneva Convention” to govern these issues.

For as long as government agencies continue to stockpile, sell and exploit these dangerous viruses, rather than report them to vendors to put them on guard, this kind of mess will just keep happening.