North Korea, the NSA, Microsoft and consumers have all been blamed for the enormous cyber strike. Do we need a Geneva Convention for digital warfare?
‘Ooops, your files have been encrypted!’ This message, which first appeared on a Microsoft computer somewhere in Europe at around 8am GMT on May 12, soon spread to every continent in the world. Users were asked for a ransom of $300, to be paid in bitcoin, to recover their documents; after three days the fee would double. In the UK, hospitals were forced to postpone surgeries and chemotherapy sessions; in Russia, the ransomware infected the interior ministry; in Taiwan, the state-owned electricity company reported that 800 of its computers had been attacked. By May 16, the worm had infected at least 300,000 computers in more than 150 countries. Kaspersky, a Russian cyber security firm, described it as “dizzying… the largest ransomware infection in history”.
Ransomware may have entered common parlance this week, but as an online hazard it is nothing new, dating back to 1989. Recently, though, advances in encryption and the rise of cryptocurrencies, which allow money to be transferred anonymously, have helped online bandits develop powerful new ways to extort individuals and businesses, often for large sums. Presciently, Symantec predicted in April that “ransomware looks set to continue to be a major source of concern globally in 2017.”
As attacks go, this one did not ask for much money. At $300, the ransom was less than a third of the average sum demanded in 2016. In total the hackers made no more than $70,000, a White House security adviser said on Tuesday. What made WannaCry different was the virulence with which it spread from computer to computer.
One reason was that it incorporated a cyber weapon developed by America’s National Security Agency (NSA). Known as Eternal Blue, the tool was stolen by the Shadow Brokers hacking group (possibly Russian, possibly an NSA insider of the Edward Snowden ilk) earlier this year. At that point the NSA is thought to have alerted Microsoft to the fact it had identified a flaw in Windows, and the firm released an update to plug the hole. On older computers, however, the process is not automatic, leaving users who did not apply the patch at risk when the worm started to do the rounds. Organisations such as the UK’s National Health Service were especially vulnerable because Eternal Blue exploited networks of computers.
$4 billion: the economic loss inflicted by WannaCry, according to Cyence, a cyber risk analysis firm based in California.
After Shadow Brokers leaked Eternal Blue online in April, it was used to create WannaCry, the worm that wreaked havoc this week. The culprit is yet to be identified but several breadcrumbs lead to Pyongyang. Researchers spotted similarities between the WannaCry software and tools previously used by Lazarus, the hacking group thought to be behind last year’s Bangladeshi central bank heist and the 2014 attack that forced Sony Pictures to cancel the premiere of ‘The Interview’, a film ridiculing Supreme Leader Kim Jong-un.
One thing worrying boffins and politicians is that the attack could have been a lot worse. The initial version of WannaCry included a ‘kill switch’ that allowed a 22-year-old British researcher who spotted the flaw to stop it spreading simply by buying an Internet domain name for $11. Matt Suiche, founder of Comae Technologies, a United Arab Emirates-based cyber security startup, told The World Weekly he had later stopped a variant of WannaCry from infecting another 50,000 computers by registering a second domain name.
Who is to blame?
As WannaCry wormed its way around the world, so did the blame. Consumers who did not update their security, including firms and governments, were at least partly responsible (though it emerged that Microsoft had charged up to $1,000 for users of older Windows versions to apply the patch). As Emily Parker, a former US State Department official and an expert on the Internet, pointed out in a well-timed book review, “cyber battles can seem confusing, technical, and shrouded in secrecy, perhaps better left to the experts. But cyber security is everyone’s problem now.”
In the UK, censure was mainly directed at Jeremy Hunt’s Department of Health after a winter of discontent in the underfunded, understaffed NHS. He had recently been warned that hospitals were using obsolete computer systems.
Meanwhile, Russia and China, so often accused of cyber malfeasance by the US, pointed to the NSA. "Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators," President Vladimir Putin said at a One Belt, One Road conference in Beijing.
The White House defended the NSA, pointing out that the tool had not been created to hold data to ransom and claiming that it was just one small part of the eventual WannaCry software. But Microsoft was just as critical. In a strongly worded blog post, Brad Smith, the company president, likened the loss of Eternal Blue to the military having some Tomahawk missiles stolen and argued that the attack showed the perils of stockpiling vulnerabilities and weapons.
What everyone agrees on is that the cyber threat is here to stay and action is needed at every level, from individual computer users to the UN, to prevent worse attacks in the future. As the world goes digital, the danger of a calamity mounts. A 2015 report by Chatham House, for example, found that nuclear power stations in the UK had grown more vulnerable as they became more reliant on computer systems. In April, the G7 published a declaration reiterating the “necessity” for increased international cooperation in cyber space, and Mr. Smith is calling for a Digital Geneva Convention.
“This was not the big one. This was a precursor of a far worse attack that will inevitably strike - and it is likely, unfortunately, that attack will not have a kill switch,” said Andrea M. Matwyshyn, professor of law and computer science at Northeastern University in Massachusetts. “This is an urgent call to action for us all to get the fundamentals finally in place to enable us to withstand robustly this type of a crisis situation when the next one hits.”
It could come at any moment: a second weapon developed by the NSA is reportedly already available on the dark web.