The extensive damage done by the WannaCry cyberattack reveals persistent problems that governments and companies have failed to address despite repeated warnings.
There are four big takeaways:
As a member of President Barack Obama’s Review Group on Intelligence and Technology, I recommended (see: The NSA Report, Recommendation 30) a policy of telling software makers about vulnerabilities in 2013. I came to the conclusion that the costs to our corporations and governments of having these vulnerabilities used against us far outweighed the benefit of having the NSA secretly use them to collect intelligence. WannaCry proves that point.
The Obama Administration said it accepted that policy recommendation, but clearly there was a problem in its implementation, which needs to be rectified.
Second, this would not have happened if the NSA had been able to protect its own software. The attack tool used in the WannaCry attack was developed by the NSA and then was somehow stolen and posted on the Internet for all to see and some to use.
Despite the lessons learned from the Snowden affair, the NSA’s repeated inability to protect itself from the theft of its internal documents and tools is placing the networked world at risk. This problem must now be addressed urgently by the Director of National Intelligence and the White House.
Third, many companies and government agencies are still running software (Windows XP for example) that is no longer supported by Microsoft and is riddled with vulnerabilities that hackers can use. In the U.S., most companies have the more modern, more secure versions, but many U.S. government agencies are still running software from the 20th century.
It is time for a complete refresh of government software similar to the effort in 1999 to prevent the “Y2K” software vulnerability from disrupting networks at the turn of the millennium. That effort was expensive and a new refresh now will be even more costly, but it is equally necessary.
Fourth, companies and government agencies ignored Microsoft’s clear warning to fix the vulnerability that WannaCry exploited. The software maker issued a critical “patch” two months ago. Many network administrators want to test a patch before they deploy it and that delays implementation, but it should never delay it by more than a few weeks. In the case of a critical patch, it should be a matter of days.
CEOs and board members do not like to get into the weeds of their networks’ management, but they need to understand issues like “patch” policy. They need to know when their systems are at risk and for how long.
Whoever sent WannaCry into cyberspace may not have done it for the money. Thus far, they have collected relatively little money, far less than they have cost companies and governments. The attackers may have done it to teach us some lessons like the four points above. Do you think we will learn those lessons this time? Past experience suggests we will not.