IT’s Armageddon
- Created on 17 May 2017
- Written by Steve Burrows
I usually write IT Matters the week before you see it in print, so right now we’re in the immediate aftermath of the WannaCry ransomware outbreak. As you will have heard in other reports, WannaCry was ransomware which spread using an exploit called EternalBlue, originally engineered by the United States National Security Agency (NSA). EternalBlue attacks a flaw in the SMBv1 file-sharing service built into Microsoft Windows, and WannaCry used it to propagate from one Windows computer to the next across a network without any action by the user. Microsoft had fixed the flaw two months earlier (the March 2017 security update MS17-010), but a great many machines had not been updated or were running versions of Windows which no longer receive updates. Other than its use of this spreading mechanism the WannaCry ransomware is unexceptional, but its effects have been remarkable.
Closest to home the UK NHS was badly affected, with around a fifth of UK NHS hospital trusts having to withdraw key services and cancel most appointments and operations whilst they cleaned, recovered and patched their computer systems. Further afield many substantial and sophisticated organisations, including telecommunications providers, railway operators, airlines and governments, fell victim to the malware. It is estimated that around 300,000 computers were infected across 150 countries. As I write both private sector IT security companies and state intelligence agencies are stringing together the clues which they hope will lead them to the perpetrators.
WannaCry was incredibly harmful and expensive. It will have cost a large amount in IT overtime for organisations around the world to update their Windows computers irrespective of whether they were victims or not, but far more importantly it deprived a huge number of people of the healthcare and other national infrastructure services on which they depend. It is very probable that vulnerable people died as a result of delayed emergency responses, reduced service capacity, medical record non-availability and telecommunications failures, and it is certain that many planned medical procedures, including those for critically ill patients, were significantly delayed.
In this respect WannaCry was a tiny taster of the Cyber War doomsday scenario which IT security experts, including the US Department of Homeland Security, the NSA (Oh! the irony) and the UK Government Communications Headquarters (GCHQ), have been warning about for several years. The fear of national governments is that cyber attacks may be used to disable or subvert key infrastructure services including energy supplies, telecommunications, transport and health for a prolonged period, thereby disrupting or disabling a nation. Any of these scenarios would cause public unrest and panic and significant economic disruption, and could therefore be used as a social or economic weapon, or as a disabling prelude which prevents an effective defensive reaction to the opening phase of a military attack or invasion.
On 6th May, a week before the WannaCry outbreak, the American national newspaper USA Today reported that
‘Recently the Department of Homeland Security’s National Cybersecurity and Communications Integration Center issued a disturbing report disclosing a sophisticated and widespread series of cyberattacks.
Numerous sectors have been hit, the report says, including “Information Technology, Energy, Healthcare and Public Health, Communications and Critical Manufacturing” since May of 2016 and perhaps even earlier.’
The DHS report goes on to give more information about these attacks. Many of them have nothing to do with ransomware; instead they appear to be systematic infiltrations intended to steal information and to gain system administration control over critical systems.
Many politicians, senior IT executives and business leaders have been in denial about the real risks and impacts of cyber attacks and cyber warfare for years - a combination of ignorance, wishful thinking, the cost of cyber security measures and inability to admit their impotence. The WannaCry ransomware outbreak has on balance probably been a good thing in giving those people who control the priorities and budgets of critical services a harsh dose of reality. In the immediate aftermath it is clear that leaders’ attitudes are moving from “cyber defences are too expensive and it probably won’t happen to us” towards “what do we need to do to prevent this happening again?”.
However harmful and expensive the WannaCry outbreak may have been, on the potential scale of cyber warfare it was trivial. Over the course of a day or two it infected around 300,000 computers globally, each of which immediately announced to its owners that it had been infected; unlike a human virus there was no incubation period before symptoms became visible. By the middle of the first day IT teams and cyber security experts around the world were battling to stop it spreading. Imagine if it had been quietly spreading and infecting computers for a couple of weeks before disabling them all at a specified time. We could easily have been faced with thirty million computers around the world all crippled within a few minutes, with all the backups taken during the past week infected as well. WannaCry was a wake-up call: had it been written slightly differently, for the purpose of cyber warfare instead of a relatively trivial criminal extortion, it could have caused a prolonged national or global crisis.
Leaving aside the morality or wisdom of nation states creating new computer virus mechanisms for the purpose of cyber espionage and warfare (and the USA is certainly not the only country with a stockpile of these), consider the consequences.
WannaCry was not targeted at a specific nation. With a small change to the code it could easily have been made specific to the UK, or Germany, or the USA, or any identifiable country. It was inefficiently distributed; with a small change it could have been made to spread silently, activating only at a later date or on command once it had penetrated a sufficiently crippling proportion of target computers. It was also inefficient in damaging the computers it infected: its major action was to encrypt users’ data files, when it could have been engineered to destroy the complete configuration of those computers and of the networks to which they were attached.
It’s harsh to say “think yourselves lucky” to the many people who have been affected by WannaCry, but to the directors and IT leaders of the organisations hit by the malware, to the politicians and national security organisations of those countries like the UK which were badly affected - “Hey guys, you had a lucky break”.
There will be other criminally-motivated attacks which will be better engineered, bigger and more damaging than WannaCry; cyber security experts have already found new variants of the ransomware which show the perpetrators attempting to improve on the 12th May version. There may be terrorist or nation state attacks which could be massively bigger but targeted against specific nations; imagine if Islamic State decided to attack the UK and USA.
Our only strategic defence, nationally and in our businesses, is to step up our approach to building computer networks, operating systems and software on the basis of Secure By Design. By default, out of the box, most desktop computers, servers and network devices are insecure: they are configured so that it is easy for users to “plug and play”, and many of the interfaces they offer in order to communicate with other devices have been designed and tested to enable specific capabilities, without the designers and testers considering how those interfaces could be subverted or exploited, or protecting against those potential misuses. Secure By Design requires us to reverse this approach, and to design computer systems, software and networks from the outset to prevent malicious use.
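A concrete instance of the insecure default just described is the SMBv1 file-sharing service that EternalBlue exploited: it is switched on out of the box, listens on TCP port 445, and stays reachable from any network the machine is plugged into. The PowerShell script below is an added example and not part of the original column; it first audits a Windows machine for that exposure and then closes it. It assumes Windows 8.1 or Server 2012 R2 or later (for the SmbShare, DISM and NetSecurity cmdlets), an elevated session, and that the MS17-010 update identifiers listed are checked against Microsoft’s bulletin for the exact build in use before being relied on.

```powershell
# Added example (not from the column): audit and close the SMBv1 attack surface
# that WannaCry's EternalBlue exploit abused. Assumes Windows 8.1 / Server 2012 R2
# or later and an elevated PowerShell session. The audit half is read-only; the
# hardening half changes the machine.

# --- Audit -------------------------------------------------------------------

# Is the SMBv1 server protocol enabled? (It is on by default on these versions.)
$smb = Get-SmbServerConfiguration
Write-Host "SMBv1 server enabled : $($smb.EnableSMB1Protocol)"

# Are the SMB1 binaries (client and server) installed at all? On Windows Server the
# equivalent feature is 'FS-SMB1' (Get-WindowsFeature / Remove-WindowsFeature).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1Protocol feature : $($feature.State)"

# Is one of the MS17-010 updates installed? KB numbers are those published in the
# March 2017 bulletin; confirm the right one for your build against the bulletin.
$ms17010 = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
             'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')
$patched = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
$status  = if ($patched) { $patched.HotFixID -join ',' } else { 'NONE' }
Write-Host "MS17-010 update found: $status"

# --- Harden ------------------------------------------------------------------

# Turn the protocol off (takes effect without a reboot) and remove the feature so
# an installer or admin cannot quietly re-enable it later.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# EternalBlue arrived over TCP 445. The 'Internet' keyword means "any address not on
# the local subnet", so this blocks SMB from other sites and the wider Internet even
# if a future SMB flaw appears, while leaving same-subnet file sharing working.
New-NetFirewallRule -DisplayName "Block inbound SMB except local subnet" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress Internet -Action Block -Profile Any

# Re-audit to confirm the change stuck.
Write-Host "SMBv1 server enabled : $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
```

Run the audit section across a fleet before the hardening section; the three answers (protocol enabled, binaries installed, fix applied) tell you which machines would have been infected by WannaCry and which merely could have been.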
It will take a long time: the world’s computer experts cannot magically fix all code, some of which was designed decades ago, in weeks or months. It will be many years before the cyber threat is effectively mitigated, and as I have written previously our current defences will be increasingly tested by automated hacking tools and will increasingly need “next generation” cyber security systems based upon artificial intelligence to compensate for the many vulnerabilities in current systems.
In the meantime, we must make do with today’s technology and accept that we are going to spend a lot of money and effort on our cyber defences to compensate for its inbuilt flaws. The hacking group which stole the NSA’s EternalBlue exploit (the Shadow Brokers) claims it has many more such tools stolen from the NSA, and has announced that it plans to sell them off gradually, month by month, starting in June: in their words, “like wine of month club”. We have been warned.