Nation states, tech giants and everyday businesses – all should shoulder some of the blame for the WannaCry storm.
CBR, like many companies in the UK and worldwide, was on high alert yesterday, with our IT team making it clear that any machine suspected of WannaCry infection was to be unplugged at once (and, only half in jest, burned). Infecting over 230,000 computers across 150 countries and crippling, among others, organisations as big as the NHS and Telefonica, the WannaCry cyber attack made headlines across the world.
As is the nature of such news, the gaze has moved from the what and the where to the who. Just today, I was asked by a colleague who was to blame for the attack – a question being asked in offices and boardrooms worldwide. As is again the nature of such news, the political landscape has informed opinions, with the blame being levelled at North Korea. Although a link has been found between WannaCry and the North Korea-aligned Lazarus hacking group, the evidence is not conclusive. Security firm Kaspersky Lab said that similarities between a version of the ransomware code and a program used by the hacking group were “the most significant clue to date”.
North Korea, however, is not the only one in the line-up for the global attack, with high-profile individuals and companies going public with their accusations of blame. Take, for example, the letter Sir David Omand wrote to The Times, whereby the former GCHQ boss blamed Microsoft and its withdrawal of Windows XP support.
“Should Microsoft have stopped supporting Windows XP so soon, knowing that institutions had invested heavily in it (at the urging of the company at the time)?” Sir David asked in the letter.
The former spy chief alleged that the tech giant knew that public and private bodies were still heavily reliant on Windows XP when Microsoft withdrew its technical support in April 2014. Sir David went on to criticise the tech giant’s response to the threat, saying that Microsoft did not devise protection for Windows XP until after the attack began.
“It would have been better if [the fix for XP] had been released a month earlier, when the company first became aware of the problem”.
It is, however, easy to blame Microsoft. They are an easy scapegoat, especially for the governments and intelligence agencies who stockpile vulnerabilities. It was, after all, their unsupported operating system which came under attack. But let’s be reasonable: software cannot be supported indefinitely, and there has to be responsibility on the side of the business or organisation which continues to run unsupported software or refuses to deploy patches. Microsoft had already fixed the flaw in its supported versions of Windows in March, two months before the outbreak, and once the attack began it issued an emergency patch for out-of-support systems including XP, as Cylance’s Malcolm Harkins points out.
“From an economics perspective, it is cost prohibitive to support something forever, so every organisation needs to stop support at some point in time to manage operating expenses. This is true for every organisation including Microsoft and anyone else. For example, you can’t drive a Model T into a Ford dealership to get it fixed … you do it yourself or find “speciality” service providers who can work to try to service it.”
So why would the former head of GCHQ be so bold as to blame Microsoft? After all, it was an intelligence agency, the NSA, which ‘lost’ the exploit behind WannaCry, and GCHQ itself stockpiles vulnerabilities. Misha Govshteyn at Alert Logic thinks that only two parties are at fault in the WannaCry attack: the companies who continued to run unsupported software, and the NSA for failing to safeguard its code. Commenting on Sir David’s letter, Govshteyn said:
“This is a classic game of news spin from all parties involved, but the GCHQ position is especially rich in alternative facts.
“Governments provide a mandate to our intelligence agencies to find and exploit security flaws. There is no reasonable argument that these flaws should be made public, as that would defeat the purpose of funding their discovery. The Intelligence Community is naturally motivated to keep these flaws secret as long as possible (though they failed in this regard).
“It’s equally unreasonable to criticise Microsoft for not supporting older versions of Windows longer. Doing so would not have altered this outcome, and WannaCry would be spreading as quickly as it is now. Fact is, supported or not, Microsoft issued a patch relatively quickly. Microsoft correctly determined that in this circumstance they need to support resolving this problem.”
When it comes to blaming anyone, the NSA must be put front and centre. It was the NSA’s exploit code which was leaked, and its response to the leak highlighted a huge lapse in responsibility.
“If the NSA really wanted to be responsible, they would have contacted technology vendors shortly after they realised their toolkits were stolen. Doing so would have given technology companies more time to respond and consumers more time to patch,” said Govshteyn.
“Instead, NSA chose to play the game of chicken with Shadow Brokers and allowed, of all people, Julian Assange to be the disclosing party. This is the least defensible decision in this whole saga.”
This bold opinion is also shared by one of those under the blame spotlight – Microsoft. Microsoft President and Chief Legal Officer Brad Smith criticised governments for ‘stockpiling information’ about cyber security vulnerabilities. Noting that vulnerabilities stockpiled by the CIA had already surfaced on WikiLeaks and that the exploit behind WannaCry had been stolen from the NSA, and likening the loss to the US military having ‘Tomahawk missiles stolen’, Smith said:
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Mr Smith went on to reiterate Microsoft’s call for a cyber Geneva convention, and maybe this is what can be learnt from the WannaCry chaos. Instead of trying to attribute blame, it would be far more productive to look at what can be done by government and industry to avoid a WannaCry 2.0.
“I wouldn’t criticise NSA or GCHQ … I do think, however, that this brings up the question of cyber vulnerabilities equities processes, and what “calculus” is used, and how, by a nation state to determine when the public is best served in working with the industry to close a found vulnerability or keep it for nation-state purposes … more transparency/illumination there from all nation states would be good, since they all are involved in both cyber offensive as well as defensive efforts,” said Mr Harkins from Cylance.
Whilst the identity of the hacker or hacking group will fuel global headlines in the coming weeks, government and industry must take responsibility for their own failings in the WannaCry saga. Those running XP are now, unfortunately, all too aware of the risks of running old, unsupported software, and of leaving available patches undeployed. The NSA, meanwhile, failed in its responsibility to keep its vulnerabilities safe or secret, raising questions about the stockpiling of exploit code by similar agencies such as GCHQ. Cyber security is proving to be the wild west of the 21st century, and many would second Brad Smith’s call for some law and order in the form of a cyber Geneva Convention.