For over twenty years, experts have warned of a “Cyber Pearl Harbor.” Like the Dec. 7, 1941 attack, this cyber-attack would both create tremendous damage and galvanize organizations, particularly in the US, to improve computer and information security. For nearly as long, other experts have spoken against this scenario, positing alternative scenarios and analogies. All in all, there has been a widespread belief that the most advanced countries and organizations were living in glass houses. This weekend’s relatively quick and broad spread of the WannaCry ransomware harks back to the global spread of the Morris Worm, ‘I Love You’ and ‘Melissa’ in the last century.
What we’ve seen isn’t the kinetic damage some experts were expecting. In some ways, it’s a global pandemic. Like a pandemic, the damage was in lost productivity and the availability of people and systems. By Sunday night the ransomware, first widely reported in the UK National Health Service, had spread to some 200,000 organizations in over 150 countries. One early estimate pegged the cost at $8B in actual damage and lost productivity. Look at the affected organizations: Chinese gas stations, Russia’s Interior Ministry, the aforementioned NHS, rail systems in Germany and Russia, FedEx in the US, and more. We can expect the final tally to be tens of billions. The latest reports say actual ransom payments are much less than $100k.
Much like a pandemic, the vaccines that we had available beforehand didn’t get to everyone. In fact, until this weekend, a significant number of systems couldn’t truly be vaccinated – their operating systems were too old, and no longer supported from a security perspective.
Unlike pandemics created by the random mutation of viruses, WannaCry is the result of vulnerabilities discovered by people, used by them, and eventually shared with an even broader audience. The security industry knows that criminals copy: they copy code, they copy methodologies, they copy vulnerabilities. News stories often highlight the danger of copycats when some new attack and vulnerability are found. This round of ransomware is the beginning of a new round of similar attacks. Many in the industry predicted that ransomware would be a continuing trend in 2017; the twist here is in new mechanisms for spreading the ransomware, derived from expert efforts that were supposed to remain secret.
This feels more like the alien invasion of Independence Day, with the ransomware taking up station in organizations around the globe. Sure, it’s not alien, and it didn’t come from outer space. WannaCry is impacting everyone, rich or poor, mature cyber program or not; organizations that aren’t directly affected are still impacted through their trading partners and customers. This wasn’t the opening shot in a cyberwar against the US or US institutions. Instead of an attack on critical US infrastructure, the WannaCrypt ransomware spread globally and viscerally demonstrated the world’s dependence on technology.
With our global dependence on technology, we need some global norms and expectations. The Law of the Sea, the Geneva Convention, the League of Nations, the United Nations, and the Nuclear Non-Proliferation Treaty emerged through history as mechanisms for countries to work together to limit the most brutal aspects of war, weaponry, and disagreements between nations. We need a similar mechanism among nation-states to address the challenges of cybersecurity. We have already seen that there is no Mutually Assured Destruction in cyberspace. And, assuming the various rumors of Russian leaks of US hacks have fueled the spread of this ransomware to Russia, there may be some poetic justice. We need more than poetic justice. People everywhere need to understand the rules of cyberspace going forward as our dependence on technology continues to grow exponentially.
Well before this weekend, Microsoft proposed a set of principles for a Digital Geneva Convention. The ideas there are worth debating, in the US and at the UN, as we see how the world’s dependence on technology continues to grow. The challenges of cybersecurity will not be easily addressed, and, like piracy on the high seas, there may always be some rogue actors with the willingness and ability to create significant damage. By working together on a set of principles by which nation-states and their agencies operate, we might potentially accommodate both the necessary insights of espionage and the legalism of fighting crime. If we can’t, we risk a continued cycle of escalation among law enforcement, criminals, and the spies of various nationalities.
Meanwhile, we’ve learned that organizational vaccinations work. Groups that focused on core capabilities like patching, backups, and current operating systems were largely unaffected. And organizations that follow the NIST Framework, identifying and protecting critical assets and implementing advanced detection capabilities, are finding they can manage the risk of even sophisticated actors through quick response and planned recovery. The right investments in an information security program pay off in the ability to manage risk when the inevitable cyber incident demands a response.