Ransomware attack: Amidst the chaos, the blame game begins
The first wave of the ransomware attack that engulfed businesses around the world last week has apparently now passed, although it's quite possible more infections will occur.
But the post-mortem on how it happened -- and how to stop it happening again -- has only just begun.
With this one, there's plenty of blame to go around.
Clearly most of the blame must go to the shadowy malware developers who created the ransomware in the first place. They have caused havoc worldwide, with the cruellest impact on the many patients who have had their treatments delayed and operations cancelled. For these people to be put at risk because of a squalid get-rich-quick scheme, which seems to have raised just a few tens of thousands of dollars, is utterly beneath contempt.
But there are a host of other factors that made it easier for WannaCry (a.k.a. WannaCrypt) to do as much damage as it did.
WannaCry would never had been as invasive had it not been turbocharged by the so-called EternalBlue exploit.
EternalBlue had been dumped online by the ShadowBrokers, a group that's allegedly linked to Russian intelligence.
The ShadowBrokers had themselves stolen these tools from the US National Security Agency (NSA), which presumably developed them for espionage purposes.
Dumping these tools online after they failed to sell them to the highest bidder was a hugely reckless act, probably designed to embarrass the NSA and be a nuisance. But once such dangerous software is made public, it's impossible to know how it will be used -- and now Russia is one of the countries worst hit by WannaCry.
Dumping the tools was clearly rash -- but should the NSA have developed them in the first place? Intelligence agencies have a long history of spotting weaknesses in software, and while most are turned over to software vendors to fix, they keep a few back to make it easier to sneak into the computer systems of rival states. So flaws that could be fixed remain open.
Don't stockpile vulnerabilities
As Microsoft's president Brad Smith said, the WannaCrypt attack "provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem". These exploits have a habit of leaking into the public domain and cause widespread damage, he said.
"An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen," he said, adding: "This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today -- nation-state action and organized criminal action."
Former NSA-contactor-turned-whistleblower Edward Snowden was more succinct, tweeting: "Despite warnings, @NSAGov built dangerous attack tools that could target Western software. Today we see the cost."
Others have made a similar point: "While GCHQ cannot be blamed for the NHS's reliance on out of date software, the decision that the NSA and GCHQ have made in keeping this vulnerability secret, rather than trying to get it fixed, means they have a significant share of the blame for the current NHS ransom," said the Open Rights Group.
A fix for the software vulnerability made public by the ShadowBrokers had been available since March for modern versions of Windows, but it's clear that not every organization had updated their systems to protect against it. Not everyone has the time to patch every vulnerability, and some take their time with updates in case a patch breaks something else.
Don't use out-of-date Windows
But for older versions of Windows -- like the venerable Windows XP -- there was no patch, because Microsoft no longer provides security updates for it (Windows XP first went on sale in 2001). As WannaCry spread, Microsoft did issue an emergency patch for XP and other out-of-support Windows versions, and the crisis will surely reopen questions about how long Microsoft should support old versions of its software.
It's well known that the NHS and other organisations still have PCs running XP. Older operating systems become ever riskier to use when connected to the public internet, and the WannaCry episode is just one example.
Why do some organisations stick with XP? Some of these PCs may be running XP-specific software for a particular task; others may not be internet-connected and are therefore somewhat less vulnerable. But it's often an issue of cost, with organisations unable to afford to upgrade hardware and software -- especially in the healthcare sector, where there are always plenty of competing areas for funding.
In hindsight, such penny-pinching may not have been the wisest move. Already politicians are arguing over whether a lack of funding was to blame for the NHS being hit quite so hard by the ransomware.
Similar arguments will be taking place inside many organisations. Meanwhile, intelligence agencies need to reconsider how they use software vulnerabilities. Microsoft's Brad Smith is right that this latest ransomware attack should be a wake-up call to governments and industry. Much now depends on how they respond.