The WannaCry ransomware attack raised perplexing questions, such as who was behind it, how did it get unleashed, and why the code was configured the way it was. The malware exploited vulnerabilities in Windows 7 that the US National Security Agency (NSA) apparently knew about for a few years.
At some point, these vulnerabilities were either leaked or electronically stolen, and in March, an entity known as ShadowBrokers made them public. Microsoft very soon released an update that removed the vulnerabilities. Windows systems have the capability to automatically install updates, but in many corporate set ups, the auto-update is disabled to give IT departments more control over company machines. This left many machines vulnerable to the attack.
This is where the discussion moves out of the realm of the purely technical and becomes a matter of public debate. Despite the best efforts of software companies, their products will have flaws, including security weaknesses. Rigorous testing would prevent many exploits, but it takes too many resources to consider every possibility.
So, independent security researchers, commercial security companies and intelligence agencies such as the NSA specialise in trying to find weaknesses that were missed. Some researchers privately notify software makers when they find a vulnerability, but there are also companies that sell them; selling can be lucrative. It is believed that the FBI paid $9,00,000 to a private company to access a locked iPhone. Intelligence agencies and even police departments have been collecting vulnerabilities known as “zero-days”. Clearly, the motivation is to protect national interest and public safety, yet it is worth asking what the trade-off is.
Security expert Bruce Schneier has criticised governments for hoarding zero-days. He argues that it is better for the common good to disclose the vulnerabilities before someone else uses them for ill. The WannaCry incident seems to bear this out. Policymakers need to dig into the claims that zero-days are effective at preventing terrorism and crime.
Disclosing vulnerabilities doesn’t help much if the software creators don’t take timely action. In general, large corporations such as Microsoft, Google or Apple have reacted quickly. They can do more to publicise vulnerabilities and fixes and highlight the risk to customers if they do not update.
Finally, a failure to update systems poses a real issue. Those individuals and organisations that did not apply Microsoft’s update were taking a risk; whether the reasons were cost, lack of attention or negligence, their actions had an impact on others. The reasons for making computer software up to date are the same as vaccinating a population against diseases. Policymakers may want computer owners to take the same approach.
One curious aspect of WannaCry is that once it enters a computer, it tries to connect to a domain on the internet, and if it succeeds, it stops its activity. An alert cybersecurity researcher created that domain and helped slow WannaCry’s spread. Researchers are puzzled why this “killswitch” was left in the code. What’s worrisome is that perhaps a future variant of ransomware will try to send contents of the disk to a remote server before locking the computer, thereby stealing sensitive health or financial details, embarrassing photos or vital state secrets.
The targets may react to the ransom part of the attack and fail to see the data theft. This may have already happened. In response to an RTI, the RBI said that at least one bank was attacked by ransomware last year. If data-stealing malware targets computers in a corporate or government network, the real damage is not to the owners of the computers but the people whose data is exposed. In the case of government secrets, the entire country may be worse off.
Since the attack, the government has downplayed the effects on Indian systems. No private companies have disclosed that they were affected. However, there are many cyber attacks on a global scale and it stretches credulity to believe that Indian systems are somehow spared. The government wants to promote Digital India and internet companies want Indians to use their services and spend money online. For that, they need to build and keep the public’s trust.
One way to do that is by being forthright and owning up to mistakes or breaches. It would demonstrate a level of responsibility and sophistication that people can respect.