Sunday May 21, 2017

The future of ransomware and the networked world

Last week's "WannaCry" ransomware attack crippled hundreds of thousands of computers worldwide.


Since we recorded the interviews for this story, experts have agreed that very few of the computers that were affected by the WannaCry ransomware were running the Windows XP operating system. The web story has been updated to reflect this.


It was a cyberattack felt around the world.

Last week, the "WannaCry" ransomware attack infected hundreds of thousands of computers.

The malware crippled numerous large computer networks, especially in Europe and Asia. Renault cars, the Russian Internal Affairs Ministry and Spanish telecom giant Telefónica were among the targets.

Britain's National Health Service was severely hit, causing people to miss cancer treatments and other critical procedures.

Many of their files were remotely encrypted, and could only be accessed once a ransom was paid in Bitcoin to the perpetrators of the attack.

A screenshot of the warning displayed on computers attacked by WannaCry.

But beyond the headlines of the past week, it's a chilling example of a shadowy potential future, where international cyber-espionage meets international cybercriminals.

The thing is, WannaCry wasn't the original work of some rogue cyber-extortionist. Some of the code for the malware -- which exploited a flaw in Windows operating systems -- actually came from what you would probably think of as a first bastion of cyber-defence: the US National Security Agency.

And this has experts in cyber-warfare, like Queen's University's David Murakami Wood, extremely concerned.

David Murakami Wood.

"These vulnerabilities were being secretly held by the NSA. Companies were not informed of these vulnerabilities, companies whose operating systems were implicated… and therefore they were not able to fix them," David explains.

The reason why the NSA and other security agencies do this, he says, is so they can have an advantage over other organizations they consider to be a risk, or enemy.

But that contradicts their purpose. "The main job is the security of their citizens," he says. "And if they're undermining that by storing vulnerabilities, they're failing at their first job. They're putting attack over defence."

The particular code used in the attack was stolen from the NSA and published online in April, underscoring David's contention that the agency ought to spend some time shoring up the security of its own network.

"They're putting everybody at risk," he says, especially, in this case, people in the UK needing medical care. "The last time I checked, Britain was an ally of the USA."

"If those vulnerabilities had been publicized and patched, none of this would have happened," he adds.

Microsoft had already issued security patches to fix the vulnerability back in March, so if users had kept their updates current, WannaCry wouldn't have affected computers running Windows 7, 8, and 10.

So, what to do about all this? One proposal, put forward by Microsoft president Brad Smith, is to borrow a model from international law.

He proposed creating an international agreement, similar to the Fourth Geneva Convention, that makes it illegal to attack non-combatants and ordinary citizens during conventional war. In this case, it would apply to malware and other forms of cyber-weapons.

It's an idea that UBC historian Heidi Tworek agrees with. She would like to see security agencies required to share flaws they discover in operating systems with the makers of those systems, and an outright ban on states using malware to disrupt other countries' networks.

Heidi Tworek.

She adds that like most international treaties, it would be difficult to negotiate, and that technology companies such as Microsoft and Apple would have to be included in the discussions. But it's becoming an issue too difficult to ignore, she says.

"It's not just a 'your computer is shutting down' inconvenience - if it's something that's shutting down hospitals like in the UK, this is really about people's lives."