Held at ransom: on the recent ransomware attacks
The malware attack this weekend must hasten moves towards global rules on cyber threats
The menacing spread, starting last Friday, of the malicious software WannaCry, which has since infected thousands of computer systems in 150 countries, is a frightening reminder of the vulnerabilities of a connected world. The cyber-attackers who unleashed it, as yet unknown, have essentially used chinks in Microsoft’s outdated software to remotely gain access to computers of unsuspecting users so as to lock them out of their files. These attacks are of the kind called ‘ransomware,’ wherein attackers demand a ransom (usually in Bitcoins, which are tougher to trace than regular currency) to decrypt the files they have force-encrypted. Cyber risk modelling firm Cyence estimates the economic damage to be $4 billion, a figure that may not seem daunting for a global-scale disruption such as this one. But its spread has exposed the lack of preparedness among government and private institutions. The list of unsuspecting users who fell prey to the malware includes the U.K.’s National Health Service, German transport company Deutsche Bahn, courier delivery services company FedEx and carmaker Renault. Only some weeks earlier Microsoft had made available a patch to remove the chinks, something that raises the question of whether even large institutions are complacent on cyber risks. That governments across the world went on alert after the outbreak of the global ‘epidemic’ is some consolation. So is the fact that Indian institutions have been largely unscathed by the malware until now. Things, however, could have been worse had a British researcher not registered a domain name hidden in the malware, thereby accidentally stopping its spread and its momentum.
While the state of preparedness is a cause for worry, the likely origin of WannaCry forces stakeholders to revisit a long-standing and uneasy question regarding the actions of governments. WannaCry has its origins in a tool developed by the National Security Agency in the U.S. that was dumped online by a group called the Shadow Brokers. A few days after the malware started spreading, Brad Smith, President and Chief Legal Officer of Microsoft, wrote on his blog that governments should treat it as “a wake-up call” and “consider the damage to civilians that comes from hoarding these vulnerabilities.” His point to governments is this: report vulnerabilities to vendors rather than exploit them. The U.S. assesses the balance between cybersecurity and national interest through what is called the Vulnerabilities Equities Process, wherein a review board makes a final decision on whether a ‘vulnerability’ needs to be reported or retained. President Donald Trump’s views on this process are not clear. Cyberthreats are only likely to grow, and the world needs to push for global rules on such issues. It is more than obvious now that cyber vulnerabilities have massive global implications.