Angry About WannaCry?
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
You're yelling at the wrong people.
Following the leak of NSA spying tools by Shadow Brokers in April, the bad guys took that code and modified it slightly to create this variant called WannaCry and spread it to computers around the world.
It is simply one of many forms of malware, and in its present attack style and what is referred to as a "payload type", it is known as ransomware. Ransomware locks down all the files on an infected computer until the victim pays the ransom amount.
WannaCry takes advantage of vulnerabilities in Microsoft Windows that most people do not bother to fix by installing the latest security patches, which are designed to protect against attacks like these. While applying a security patch may appear obvious to an outside observer, the reason companies avoid applying patches is that patches can have complicated side effects on the other systems that depend on Windows.
The failure of companies to update their systems has been a well-known security exposure for years. But, the risk was relatively low before the NSA got sloppy with their secrets.
Now, everyone is at risk and it’s not just businesses. Many consumers with older PCs have disabled their automatic updates due to the annoying nature of re-booting and configuration details that most folks just don’t want to deal with. This is the point at which the notion of self-driving cars makes me smile.
So far, the attack has affected 150 countries and over 200,000 computers. The impact on hospitals was instructive in that it should provide a peek into what the future might look like. Operations were cancelled, drug delivery was suspended and ambulances were diverted.
Imagine what might happen if the same code were used in a more serious and targeted attempt to disrupt infrastructure operations instead of trying to collect a few bucks from some hapless corporations. Imagine a dam immediately releasing its entire contents or a power grid being shut down for months or air and seaports being closed indefinitely.
Or, perhaps closer to this particular attack, a hospital held ransom against the threat of shutting down all emergency equipment. These are not far-fetched, future-science scenarios. This is very real and very current. People will die.
As you read this, the hackers are firing up new versions of the malware that cybersecurity organizations will try to detect, counter and eradicate. But, in spite of the billions we spend each year on cybersecurity defense, it is clear who has the upper hand here. In fact, compromises of machines and networks that have already occurred will not yet have been detected, and these existing infections will continue to spread.
You might be asking why this is.
The answer can be found in a combination of complexity, denial and corporate and institutional bureaucracy. The cybersecurity problem is complex. The IT systems at risk are complex. The threats are complex. Most businesses and most consumers have yet to be successfully breached, so, not unlike insurance, the cost of protection, unless mandated by law, can easily be avoided.
As a result, most businesses tend to ignore the risk they don’t understand and have deferred the expense and trouble of properly securing their IT environments against modern cyber-attacks.
Our government agencies are so heavily siloed to guard against job-threatening review that they are virtually impossible to drag into any sensible approach to an over-arching cybersecurity strategy. The asymmetrical gaps in economics, technology, education and information are the result of our failed approach to dealing with the issues on a national level.
Hackers require very little in the way of financial resources to execute a malware attack. $50 on the dark web will get you a malware kit and a service that will even run it for you. You just sit back and collect the bitcoins. Or, watch as the power grid shuts down. Yet protecting against these threats cost us north of $75 billion in 2016. It's like ringing a doorbell with a Tomahawk missile.
The technology is readily available and super-simple. It gets even simpler when our national intelligence agencies allow it to leak out everywhere. People engaged in cybercrime know everything about the state of our defenses in both the private and public sectors. You don’t have to be a rocket scientist to figure this stuff out. On the other side, we seem to always be surprised at the latest cyberattack.
The bad guys have been studying hacking techniques and approaches for years – both North Korea and Iran have formal educational programs with thousands of skilled graduates operating in the wild. We have nothing close.
But somehow, with all of this in the background, we end up with a presidential order that fails to address any of the fundamental problems, fails to call for any meaningful action, fails to involve anyone in the private sector and calls instead for studies and initiatives and reviews and more analysis and recommendations over the course of a year.
As long as we continue to ignore the threat and take non-steps, the WannaCry attack will look like child's play in a couple of months.
What do we do then? Another study?
Innovative enterprise solution/security architect/DORA /CRA /Digital Compliance Strategy/ Ensure successful innovation projects in less time with more value
Steve King, once again a great article. In our opinion there is only one way to become cyber resilient. This is an action; a study is an awareness session, which in our #dutchdefence is searching for other 80 billions spent on reactive cybersecurity in US federal, which are actually now the main cause of attack; see the article "another app in the wall". Want to do something about it? 3 minutes after a ransomware attack and the plant is operational. Replace the guy with the finger in its ear or make him responsible for not looking at alternatives.... https://www.dhirubhai.net/pulse/don-qu-iot-te-vs-triple-services-peter-rus-lion