WannaCry shows we need more cybersecurity defense, not offense

In the modern age, we find this truth to be self evident: today’s technology vulnerabilities are tomorrow’s safety threats.

Look no further than the WannaCry “ransomware” attack that started spreading this past Friday. The attack used a series of known digital security exploits and tactics to undermine emergency medical services and interfere with gas stations, schools, and thousands of other institutions around the world. It amply demonstrates the severity of the cybersecurity risks we now face — and how governments fail to protect us when they prioritize offensive cyber operations and surveillance over cybersecurity defense by withholding what they know about critical vulnerabilities from the companies that could patch them.

This has the most devastating impact on the most vulnerable people and communities around the world, who have the fewest resources to defend themselves. The fix for the WannaCry problem is complicated: it’s a systemic problem, and it requires a systemic solution. To keep us safe, governments, the private sector, and civil society will need to work together. Otherwise, we all lose.

Here’s how the WannaCry attack happened, and what we can do to help prevent another of its kind.

How we got here: the WannaCry attack

It all started with a “phishing” attack — an email that tricks the user into opening an attachment containing self-propagating malware. This is key for the WannaCry attack’s impressive scale and speed, and it is par for the course: research shows that most malware is delivered through email attachments and approximately 30% of phishing emails get opened. The WannaCry malware then locks systems using outdated and unpatched versions of Microsoft Windows. This is also common, with fewer than 40% of people who use Windows operating the most recent version. Once the systems are locked, the unknown attackers demand a bitcoin ransom to unlock them. This has led to hundreds of thousands of devices infected with malware, and in many cases, users have been unable, unwilling, or too slow to pay the ransom. Now many face the prospect of never recovering their files and restoring vital systems.

Why did the exploit exist to begin with? The U.S. National Security Agency (NSA) had kept the “ETERNALBLUE” exploit secret. It was stolen, and in April, the mysterious hacker group that calls itself The Shadow Brokers leaked it online. Microsoft had already issued a patch for the vulnerability — at least for some of the products — but that was only a month before the leak. This has given rise to speculation: Did the NSA inform Microsoft of the vulnerability, perhaps because they knew the exploit had been stolen? Microsoft has not denied this allegation.

How stockpiling vulnerabilities hurts us (and what governments should do instead)

The reason we’re all at risk right now is the NSA and its cache of weaponized vulnerabilities, used to conduct offensive cyber operations or intelligence gathering against foreign targets. The NSA is tasked with conducting these missions while also securing U.S. systems domestically. But when those two missions are at odds, far too often offense wins out over defense. Companies cannot patch security weaknesses that the government is hoarding. These vulnerabilities, stockpiled by the NSA, the U.K. Government Communications Headquarters (GCHQ), and other intelligence agencies, are also a “honeypot.” Groups like The Shadow Brokers and malicious attackers specifically seek them out for fame or profit. Even as the U.S. government claims to care deeply about cybersecurity, it also holds onto ETERNALBLUE and other exploits used to attack us, only revealing their existence when the damage is imminent.

There’s a start at addressing this problem in the U.S. The Vulnerabilities Equities Process (VEP) provides factors to guide the U.S. government on when to disclose a given vulnerability. But the process is opaque, and it appears that the government sometimes disregards it. Improving and codifying the VEP could help us avoid another WannaCry if we ensure that it is built on the presumption that vulnerabilities will be disclosed, not kept secret, particularly when there is a risk of considerable damage. As it stands, we’re seeing the human rights interests that the VEP currently considers come second to the perceived need for invasive offensive operations such as government hacking. This kind of hacking has its own risks. Government hacking tools can be compromised, re-appropriated, and misused by others.

At Access Now, we have called for a global ban on government hacking, and in the instances that a government conducts such operations, we argue for strict human rights limitations and protections for users, including transparency requirements and avenues for redress (see our white paper, A Human Rights Response to Government Hacking). When there is no accountability for government hacking, it gives rise to the existence of large vulnerability databases, developed and used in the dark. That’s what’s happening right now. Governments are engaging in offensive cyber operations like hacking largely or wholly without statutory safeguards in place to protect us. That has to change if we want to limit attacks like WannaCry.

How companies can help

Of course, not all responsibility lies with governments. Good security begins with the companies that develop and maintain the technology. In this instance Microsoft appears to have responded appropriately, patching the vulnerability and making a public call for governments to be more transparent. Microsoft first released a patch for ETERNALBLUE in March 2017, but only for the versions of Microsoft Windows it actively supports. It patched legacy systems only after the attack began, leaving people without the latest updates vulnerable. Microsoft has been clear that it won’t  support certain versions of Windows that many people around the world are still using. We need a conversation about how to make sure people nevertheless get essential security patches, including exploring how to create incentives for users to update to newer, more secure systems, and making versions of software that a company can no longer support open source, so others can improve and update it.

Systems administrators also have a role to play in keep end users safe. They must ensure good digital security practices such as making sure to use only supported technology, and training end users to protect themselves against attacks (especially phishing). They have to keep up with patches. Patching is not simple — paradoxically, they can expose vulnerabilities to hackers — and there are significant hurdles to updating the complicated systems at large institutions. Yet it must be done, and done well, to ward off attacks like WannaCry.

Self defense and next steps

Looking forward, governments, companies, and civil society can each step up to the cybersecurity crisis, in a variety of ways. We’ve addressed the bigger issues above, including improving vulnerability disclosure and putting limits on government hacking. There’s more.

Governments can fund public education and resource campaigns, particularly for the vulnerable users who have the fewest resources to upgrade to the latest and most secure systems. EUROPOL, for example, is working with private companies to promote knowledge and provide tools for victims of ransomware attacks.

We’d also like to see more collaboration among governments. The countries where people are suffering the most from the WannaCry attack — for instance, Russia, China, and the United Kingdom — are in some instances in conflict with other countries over offensive cyber operations, hacking, and surveillance. Yet they should be able to work together on defense from common cybersecurity threats, like the many risks associated with the Internet of Things (one such opportunity for collaboration might be at the Global Conference on Cyberspace, which takes place this November in India).

Civil society can also join the effort to support end users. Many organizations are publishing resources online to help victims or protect against the WannaCry attack. It’s worth repeating some of the basics here:

  1. Be aware of the signs of a phishing attack,
  2. Patch your systems, and
  3. Create secure backups.

If you support at-risk communities and you have questions about how to cover the basics, we encourage you to contact our 24/7 Digital Security Helpline.

Finally, security researchers play a vital role in the security of our systems and devices. We should all be thankful for the quick thinking of the security researcher who helped mitigate the impact of the initial WannaCry attack. It could have been much worse, especially if “zero day” exploits had been used in the attack. Indeed, that’s central to the point we’re making here. Government responses to attacks like this one have so far been tepid. Recent efforts to address cybersecurity have missed the mark or downright undermined security. The WannaCry situation may get worse and the next attack may be much harder to stop.

It’s time for a paradigm change, from prioritizing cybersecurity offense — like government hacking and surveillance — to prioritizing cybersecurity defense. Otherwise, governments will continue to put their own people in harm’s way.