WannaCry, WannaPout?

WannaCry affected 150 countries in a widespread ransomware attack, causing extensive disruption across critical infrastructure. The attack, it is suggested, originated in North Korea, which would point to a state-sponsored assault. Despite this, it could have been prevented. The attack revealed numerous issues with the current laissez-faire attitude towards cybersecurity. In this piece, we suggest there is an infrastructure of ‘responsibility’ to guide appropriate vigilance via key stakeholders: government, business, and individual users.

At the most important level of the responsibility spectrum, critical infrastructure management lacks the sense of urgency so desperately needed. Currently, the National Cyber Security Centre (NCSC) is the lead agency in managing threats to the UK cyber infrastructure. Their two main reactions to the ransomware attack were to ‘limit the spread and impact of the attacks that have already occurred’ and advise ‘a number of easy-to-implement defences against ransomware which very considerably reduce the risk of attack and the impact of successful attacks.’

Protection against these attacks is largely reliant on the end-user’s ability to stay up-to-date with their own IT, which at best is unpredictable from person to person. For critical infrastructure management, maintaining a healthy level of review and risk assessment should remain central to operations in order to protect efficiently against exploitation or oversight. The Centre for the Protection of National Infrastructure (CPNI) advocates a ‘supply chain’ protection methodology, which justifies placing the onus of cybersecurity on the end-user. Ransomware is particularly effective at revealing the vulnerability of supply chain reliance; it relies on the fact that a percentage of end users are not vigilant.

It should be the focus of governments across the globe to inform and remind employees in the public sector to update their software, as part of a mandatory practice across the various institutions. Nonetheless, the ransomware attacks have only disrupted lower-level infrastructure, which serves as a warning to agencies with classified or sensitive data: invest time in protective data practices.

Underlying this vulnerability is the question of Bitcoin, the form of payment requested by the ransomware perpetrators. Its use as an e-currency, reflecting the use of real money in the virtual realm, raises questions about the ethics of payment systems. Just as sterling is used to pay for criminal activity, so is Bitcoin. It may be suggested that this debate is too little, too late, and that Bitcoin has already entrenched itself over the past decade as a currency with very real value.

The second major stakeholder in the chain of cybersecurity is the staff on the ground. WannaCry’s widespread effect has revealed the deficit of knowledge among staff using the computers, or more pervasively, a huge oversight in IT departments not ensuring the latest updates are downloaded. Specifically, lack of employee training was the second largest reason the ransomware was so effective. When faced with the nuisance of updating systems, an ‘it can wait’ attitude is adopted not only by staff at the institutions targeted, but by the majority of computer users.

Finally, the chink in the armour should have been managed far more effectively. Both Microsoft and the NSA are at fault: the former due to the lack of knowledge about its own bugs, and the latter for keeping the vulnerability a secret. Here Microsoft has a strong case, as the attack can be attributed to a lack of communication. Microsoft could have provided an update far sooner for Windows 7 (the system that 48.5% of the attacks targeted).

These trends all point to the harsh reality that the status quo attitude towards cybersecurity needs to change, on all levels of the ‘responsibility’ spectrum. Supply chain methodology is only efficient if significant amounts of review and communication are exercised. WannaCry didn’t just reveal severe vulnerabilities in systems; it has forced us to rethink how to deal with cybersecurity in a borderless domain.