In relation to the WannaCry virus, which infected more than 230,000 computers in 150 countries, we asked Keir Giles, the director of the Conflict Studies Research Centre (CSRC) in Cambridge and Dan Lohrmann, the former CSO of Michigan about cyber security, viruses, and what to do.
One of the most important questions of cybersecurity is how to make individuals, governments, and companies understand the importance of protection of computer networks. Attacks akin to WannaCry can even be useful, as Dan Lohrmann put it, since they are featured on the news, reaching hundreds of thousands of people, so they can function as a wake-up call. He added that WannaCry can even be understood as a form of practice by some governments, which revealed the vulnerable parts of their infrastructure. Keir Giles voiced a more skeptical opinion when it comes to changing the digital habits of people – he does not see the possibility of the large majority suddenly changing their digital security approach. Since this specific virus could only penetrate a system if they were not updated regularly the message of the attack is not exactly new: patch your computers! Secondly, although the virus affected critical infrastructure as well (most devastatingly that of the British National Health Service – NHS) but these were no more than collateral damage, they did not serve as primary targets.
This is supported by the fact that the attack itself was not really revolutionary from a technical aspect. Ransomware takes one’s data ‘hostage’ by encrypting it and only ‘lets it free’ (decrypt) for payment. In Keir Giles’ opinion, if there is something new about this attack, then it is the appearance of different factors together (near zero- day vulnerability derived from leaked NSA tool kit) and the speed and size of its spread. This, however, is ‘not surprising, as it was attacking a very extensive network.’ Dan Lohrmann agreed, adding that from a professional-technical perspective, this was in no way a ‘sexy virus.’ He pointed out, however, that numerous sources point to the NSA as the source of the virus’ ‘DNA’. This means that the cyberattack showed us what can happen if the cyber arsenal, developed by governments, is turned against their creators.
Considering that the virus affected so many countries, from Russia to the United Kingdom, one might inquire whether an agreement about cyber warfare–a Cyber Geneva Conventions–is materializing. Dan Lohrman described international regulation as something inevitable but emphasized that it will not happen without serious ‘encouragement.’ This ‘encouragement’ would be a cyber Pearl Harbor or cyber 9/11; something which will set states into motion. However, Lohrmann emphasized that the WannaCry attack, no matter how wide it was, was not yet a cyber Pearl Harbor. Keir Giles added that although China and Russia were pushing for international regulation for quite a while now, in their dictionary controlling cyber comes together with the control of information – which is unacceptable in Western countries. This difference is visible in the European Union’s recent regulation on personal data protection (EU GDPR) and the cybersecurity law of China, which is much closer to the censorship on the internet than anything experienced in Europe. (Although the UK’s Surveillance Act smacks of a China-like restriction on privacy. – later addition)
WannaCry was stopped thanks to a glitch in the way it was written. It certainly has filed new interest in vulnerability management and good patching. However, it is important to think about Dan Luhrmann’s summary: “WannaCry was an alarm. It will be interesting to see whether people hit the snooze button.”
This article appeared in Magyar Nemzet, 07/06/2017, original article and translation by Károly Gergely