The WannaCry Takeaway: Federal Governments Let Us Down

Posted on by Tony Kontzer

If you WannaCry now, just wait. You may WannaCry a lot more down the line unless federal governments do a much better job of protecting their critical IT systems. 

The WannaCry ransomware outbreak that first hit the U.K.'s National Health Service and subsequently spread around the world, infecting a Spanish telecom company, a Russian cell phone carrier, French automaker Renault and countless other organizations, may have been a harbinger of things to come. 

A 22-year-old British researcher has provided some relief from WannaCry with an accidental "kill switch": a Web address he registered. The malware checks whether that address is reachable before it does its damage, so as long as the domain answers, new infections stop short. That is also why it is now a target: someone is trying to knock the kill-switch domain offline with a distributed denial-of-service attack, and experts warn that future copycats are likely to exploit the same Microsoft vulnerability that allowed the attack to happen in the first place. 

What makes the attack so alarming isn't just the scale and speed with which it spread to hundreds of thousands of Windows machines. The fact that a combination of hubris and inaction in the federal governments of both the U.S. and the U.K. allowed the attack to happen in the first place should be a wake-up call to the rest of the world. 

Simply put, WannaCry was made possible by government haughtiness. On the surface, the U.K.'s decision to let a support contract that provided Microsoft patches for aging systems expire left those machines exposed to the flaw the attackers exploited. But what may have made it all possible was the National Security Agency's arrogance: For some five years, the NSA had been using a powerful cyber espionage tool called EternalBlue, an exploit for a flaw in Windows' file-sharing (SMB) service, to break into Windows machines over the network, and it kept EternalBlue's existence secret despite fears of what it could do if it ever got into the wrong hands. 

Despite internal pressure to share information about EternalBlue with Microsoft so that the company could fix the underlying flaw, the NSA never did so, and those fears were realized with the arrival of WannaCry on May 12. Security experts believe that an anonymous hacker group called the Shadow Brokers stole the exploit from the NSA and published it, and that the code WannaCry uses to spread from machine to machine is EternalBlue. 
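The practical question for anyone running Windows is whether their own machines are still exposed to the flaw EternalBlue targets. The following PowerShell is an added example, not code from the original post or from any of the parties it describes: it reports whether the SMBv1 server is still enabled and whether one of the fixes Microsoft shipped for this vulnerability (bulletin MS17-010) is installed. The KB numbers are the Windows 7 through Server 2012 R2 entries from that bulletin plus the emergency update for older systems; they are an assumption about which builds you run, and newer Windows 10 builds receive the fix inside cumulative updates, so an empty KB list there is a prompt to check, not a verdict. Run it in an elevated PowerShell on Windows 8 / Server 2012 or later; Windows 7 lacks the SMB cmdlets, and the equivalent check there is the `SMB1` value under `HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`.

```powershell
# Added example: is this host still exposed to the SMBv1 flaw (MS17-010) that
# EternalBlue exploits? Reports SMBv1 state and which MS17-010 KBs are present.
function Test-MS17010Exposure {
    [CmdletBinding()]
    param(
        # Assumption: these MS17-010 KBs cover your builds. Security-only and
        # monthly-rollup IDs for Win7/2008R2, 8.1/2012R2, 2012, plus the
        # out-of-band KB4012598 for XP/Vista/2003/8. Verify against the bulletin.
        [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                                  'KB4012214','KB4012217','KB4012598')
    )

    # Server-side SMBv1 is the protocol EternalBlue speaks to its target.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Optional-feature state on Windows 8.1 / 10 / Server 2012 R2 and later.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # Get-HotFix only sees fixes installed through Windows Update / MSU, and it
    # raises a non-terminating error when none of the IDs match, hence the
    # SilentlyContinue. A missing KB means "investigate", not "unpatched".
    $installed = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $smb1Enabled
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
        Ms17010KbsFound   = @($installed)
        # Exposed only if SMBv1 is reachable AND no listed fix is present.
        Exposed           = [bool]($smb1Enabled -and -not $installed)
    }
}

# Remediation Microsoft urged after WannaCry: turn SMBv1 off, then patch.
# Disabling the feature takes effect fully after a reboot.
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

Test-MS17010Exposure | Format-List
```

Treat `Exposed = True` as a machine to isolate from port 445 traffic until it is patched; treat `Smb1ServerEnabled = True` with a KB present as still worth fixing, since the WannaCry worm scanned for SMBv1 regardless of patch level and the protocol has no business being on in 2017.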

"You had somebody stealing you blind," Keith Alexander, who served as the director of the NSA from 2005 until 2014, told the Washington Post. "The government has got to do better than that." 

Coincidentally, the day before WannaCry hit, President Trump issued an executive order that addressed the feds' less-than-stellar IT security track record, holding the head of every federal agency accountable for its cyber security risk and directing agencies to favor shared IT services, including cloud services. (No one has suggested that the Trump administration knew EternalBlue had been compromised and that a significant global security breach might be in the offing, but the recent revelations regarding the President's conduct in his dealings with Russian officials certainly provide reason to wonder about the timing of the cyber security executive order.) 

While there is across-the-board bipartisan agreement that the feds' cyber security efforts need to be significantly improved, the response to Trump's mandate, which first calls for a plethora of reviews, was less than enthusiastic. Its many critics clearly feel it doesn't go far enough, or fast enough. 

"We do not need more reports, assessments and reviews," Sen. John McCain, R-Ariz., said in a statement. 

James Clapper, former director of national intelligence, told the Senate Armed Services Committee at a hearing on cyber policy and strategy that new policies are only effective if they're adequately enforced and funded, and that he expects "the accompanying authorities and resources will not match" the Trump directive's "bold goals." 

Meanwhile, Michael Daniel, who served as cybersecurity coordinator in the Obama Administration, told Reuters that Trump's directive was "a plan for a plan." 

The unavoidable truth of the whole affair is this: If IT security in the business world were run as tentatively and inattentively as federal governments appear to run theirs, we'd all be waking up every morning to empty bank accounts, hugely inflated credit card balances and hijacked social media pages. 

At least there's a bit of good news for WannaCry victims. There are free tools that may be able to decrypt files the attack encrypted. They work by recovering the key material from the memory of the still-running malware process, which is why they only help so long as the infected system hasn't been powered down or rebooted, and they require administrative-level access to the machine. 

But even if some systems are recovered without paying a ransom, affected organizations may not be so lucky next time. And make no mistake; there will be a next time.

Tony Kontzer, RSA Conference
