Editor’s Note: Alexander Urbelis is a lawyer and self-described hacker who has worked as a graduate fellow in the Office of General Counsel of the Central Intelligence Agency and as a law clerk at the US Court of Appeals for the Armed Forces. He is a partner in the Blackstone Law Group and CEO of a separate information security consultancy. Follow him on Twitter @aurbelis. The opinions expressed in this commentary are his own.
Alexander Urbelis: The ransomware attack that affected tens of thousands of computers worldwide is a wake-up call
The world cannot rely on a combination of serendipity and lazy coding to prevent the next attack, he writes
On Friday, the world experienced the wrath of a well-coordinated ransomware attack, known as WannaCrypt. The attack caused Britain’s NHS to cancel surgeries, a wide array of Russian and Chinese private and public institutions to be crippled most of the day, and the rest of the world to recoil in shock.
How could a single piece of malware that exploited a vulnerability identified long ago by the NSA, and leaked last month by a group called the Shadow Brokers, wreak so much havoc?
Before the malware could do damage in the United States, a lone British researcher, known as “MalwareTech,” serendipitously identified its kill switch – the registration of a domain name – while on vacation. The ease with which MalwareTech did this says a great deal about the poor state of the global information security industry, and raises several important questions.
MalwareTech analyzed the malware in a testing environment and immediately noticed that the code queried an improbable Internet domain name that did not exist. Domain names often function as malware command and control centers, so MalwareTech simply bought the domain name, which triggered the kill switch for WannaCrypt. This was incredibly lucky.
MalwareTech believes that the domain name was not intended as a kill switch, but rather a mechanism by which the malware itself could identify whether it was being analyzed.
If the domain name were active, the malware would assume the response was a false positive produced by a researcher disassembling its code, and WannaCrypt was designed to frustrate such analyses by shutting itself down. The fact that only a single domain name was coded into the malware meant that registering that domain name had the effect of shutting down WannaCrypt worldwide.
In short, WannaCrypt’s creators were lazy, and the world lucked out. If WannaCrypt could be shut down so quickly and easily, why did it take so long for someone in this world to flip the kill switch, and what does this say about the state of global cyber preparedness?
First, it shows that the information security industry views cyberattacks more as a business development opportunity than as a chance to put their collective heads together to eliminate threats.
Though there are undoubtedly professionals who share data unconditionally – as MalwareTech himself did – yesterday’s events make it clear that the efforts of the information security community need greater alignment, and that the world cannot rely on a combination of serendipity and lazy coding to prevent the next attack.
Second, we must ask whether WannaCrypt was merely a test of readiness. Perhaps the kill switch existed not out of laziness but as a deliberate act, one designed to test how long it would take to shut down the attack.
On the other hand, perhaps the creators intended to gather intelligence on the extent and type of systems that could be affected by malware targeting aged operating systems like Windows XP, which developers do not regularly update or support.
Alternatively, WannaCrypt could have been intended merely to demonstrate the moral hazard of governments that catalogue software vulnerabilities but do not notify software developers. Thus, WannaCrypt illustrated exactly what could happen if these vulnerabilities fall into the wrong hands.
WannaCrypt has generated much debate about the danger of state-sponsored cyberattacks. As a staunch privacy and security advocate, I believe the inclusion of government-mandated backdoors in applications or operating systems that could allow unfettered access to personal data or activities is not only unwise but entirely misguided. But if the 2016 election has taught us anything, we cannot deny that we live in a time that requires both offensive and defensive cyber capabilities.
Similarly, we cannot deny that we should be expecting more of software behemoths like Microsoft. We live in the era of big data, where all software is tracked. In the face of a software vulnerability that may bring a portion of the world to a halt, we should expect more than the timely release of a patch.
When critical systems rely on at-risk software, it is reasonable to expect that software developers like Microsoft, not governments, become more adept at notifying at-risk parties and ensuring systems become properly patched. Long-winded blog posts, emails, and available updates are unfortunately insufficient because many customers do not receive mainstream support or may not even know they are in possession of a vulnerable system.
On April 8, 2014, Microsoft ended its support of the Windows XP operating system on which WannaCrypt relied to propagate, and yet institutions around the globe continue to use it.
The world was quite different three years ago: the Internet of Things was a nascent but growing concept. Today the IoT is a major concern.
If we do not discover greater efficiencies to combat pernicious threats like WannaCrypt, and if we countenance the creation and abandonment of insecure software, we can expect to face a far greater cascade of threats that have the potential to cause significant digital and physical damage. And next time we may not be so lucky.