The WannaCry worm proves that our collective response to cyber threat continues to churn ineffectively in the same futile rut while threats multiply and grow increasingly serious by the day. Channeling Hobbes, government must assume the role of the Leviathan, establishing a monopoly on cyber violence, in this nascent global commons. We must get behind a strategic embrace of computer security or the Internet will keep breaking.
The worm’s success is yet another clear signal that today’s security model isn’t working. Institutional failure to address security risks have/will continue to have the same pervasive impacts in government, industry, and at home with no respite in sight, no one in charge, and no one accountable for fixing the mess.
The ubiquity of such attacks challenges our internal/international legal framework. (The military and Intelligence Community should not be operating within the United States.) And it crosses our traditional fault lines (ensconced in US law) between corporate, military, legal, and law enforcement organizations. Senior leaders in each of these government fiefdoms tell me that the pan-government table top exercises held to understand and clear the fog around the “who’s in charge” questions assume away all the relevant risk. This is done in order to arrive at prearranged conclusions that won’t rock the boat between all the various stakeholders. The cyber problem is so much greater than a traditional geographical battlespace because it requires a complete strategic rethink of warfare as these kinetic, civil, intelligence, and international equities collide.
Microsoft has declared WannaCry “is a wakeup call.” Add the concomitant coverage in the press, and people being put at risk in hospitals and it makes you think that this incident marks a new chapter in cyber risk. Add in the second Wikileaks dump of the Vault 7 attack files and we have a perfect media storm of NSA toolkits, CIA attack techniques, likely North Korean mischief, chronic government underspending here and abroad, and the resulting health care service outages and outrage to feed the news cycle. The political, fiscal, and productivity impacts of the WannaCry worm highlight that the cyber risks currently accepted by corporate and government risk officials are not tenable.
This malware is particularly lively in large organizations whose legacy systems and limited security budgets provide clear skies for exploit and it could have been worse if not for an enterprising 22 year-old who helped save the world by finding and sharing its Kill Switch. Unfortunately, nastier and more effective worms and viruses and other tools are likely on their way and will wreak greater havoc. So let’s step back and ask what makes this crisis different?
The answer, sadly, is — NOTHING.
A quick review:
- Ransomware (whereby software encrypts your computer and demands you pay a ransom for a decryption key) has been on the rise for several years. Everyone from Grandma to your insurance company has been hit and they have often (quietly) paid up to get back the family album or their health records.
- Sure, WannaCry is linked to the purloined NSA toolkit. It is a variant of the WeCry exploit from February of this year and a patch has been available from Microsoft since mid-March.
- Organizations with older equipment or legacy software often have a, “don’t fix what ain’t broke” culture of accepting risk because implementing a patch can be expensive and disruptive (trying to figure out why your 15 year-old patient scheduling system stopped working, for instance) and the potential real world impact outweighs the perceived risk.
- The (allegedly) North Korea-linked team (the people behind the Sony hack, South Korean Banking attack, etc…) seeks to foment misery again,
- The cure of installing up-to-date systems is perceived to be more expensive than compliance until the bill comes due — just ask the UK government as it reels under the revelations that the government funded NHS deemed that using post end-of-life (and hence unfixable) Windows XP machines.
The next question is: what are we doing about it? The answer for most large organizations is largely tactical – patch, update, scan, repeat. The strategic gaps induced by relying on individual organizations providing security for key services cannot be addressed by existing methods.
The institutional security risks highlighted again by WannaCry were mirrored in previous “wake up calls” such as the OPM hacks, Wikileaks — heck, just take your pick of Anthem/Blue Cross, the French election, etc… And these risks will only increase as vulnerable infrastructure increasingly underpins our daily lives. Our military is racing to understand and dominate the military aspects of the cyberspace domain. However, the seemingly endless policy churn around Cyber Command, Strategic Command, NSA, DHS etc. means that lines of authority, funding and staffing clouds the likelihood of anyone actually taking charge and solving the problem.
A new approach is needed to enable innovation in the way security is encouraged and delivered with both carrot and stick. Government can help force the creation of a new infrastructure but it is industry that possesses the innovation, human capital, and speed to come up with the solutions. It will take international public/private partnerships that we haven’t seen since the likes of since the Marshall Plan.
John Quigg, a retired Army lieutenant colonel, was one of America’s first cyber warriors. He now works for Spurrier Capital Partners, a New York investment bank.