The world of information technology is reeling from last week’s massive ransomware attack that affected machines all over the globe. WannaCry is malicious software that infects Windows computers by taking advantage of a security flaw that was made public earlier this year by a hacking collective called the Shadow Brokers. The exploit is believed to have been created by the NSA to take advantage of a flaw in the Windows Server Message Block (SMB) protocol, which allows an attacker to gain control over the computer’s main functions. The WannaCry software infects computers and encrypts all of their contents, displaying a warning message telling users to pay a ransom in Bitcoin to regain access to their files. At the time of writing the spread of the malware had been devastating, infecting more than 230,000 computers in over 150 countries, and hitting the UK’s National Health Service particularly badly.
It is possible to learn many lessons from the attack. The security flaw was released over two months ago, which prompted Microsoft to respond quickly with an update to plug the exploit. However, it has become clear that millions of machines were left unpatched, making it easy for hackers to target them and take control of the systems. People do not update their systems regularly, particularly old Windows systems that are still widely in use all over the world. Patching and keeping a system updated must become a priority for anyone with a computer, and businesses in particular should be held to account over failures to perform such actions.
The UK government has been particularly neglectful in this regard. It is incredible that hospital computers performing vital functions such as X-rays and storing test results were using outdated software and were left unpatched. It boggles the mind that any mildly competent IT department would leave such important services open to attack, and it tells a story of just how low a priority cybersecurity is for many people in power. Things are even worse when we consider that the government was warned last year about precisely this issue, and still failed to take action.
The US government is guilty of making it easier for hackers to take advantage of security flaws on a massive scale by reportedly stockpiling such exploits to gain access to enemy systems. It has become clear that the NSA either created the EternalBlue flaw, or it learned about it and kept it secret until it was leaked. Either way, this shows a disregard for collective cybersecurity of monumental proportions. To stockpile vulnerabilities and keep them in less than secure locations is akin to keeping missiles where they can be easily taken by the public.
But perhaps one of the most interesting aspects of the WannaCry attack is that it serves as a reminder of why we should continue to deny those who favour the creation of government-mandated backdoors to technologies. If you recall, the UK government was very vocal not long ago about the fact that they do not have access to encrypted conversations from potential terrorists. The problem with that argument is that to gain access to those communications, you need some sort of backdoor that could very easily be leaked by hackers, just as the EternalBlue fault was leaked. The argument that only governments will use exploits has been shown to be the big fat lie that many of us warned against in the first place.
Perhaps the next time a terrorist atrocity takes place, politicians will not rush to score quick political points by asking for access to communications. If they do, we can point to WannaCry as evidence of just how misguided they are.