As these devastating global ransomware attacks illustrate, cybersecurity is not an issue that can be ignored. Any time a device or system is connected to the Internet, it is a potential target. What was once just another lucrative means of extorting money from Internet users, ransomware is emerging as a preferred tool for causing widespread disruption of vital services such as hospitals, banks, shipping, or airports. Attacks are growing more sophisticated and more enduring, with longer term damaging effects and wider impact. Ransomware exploits the slow pace of security patching, systems that are dependent on old software, and poor backup practices. It also provides a smokescreen for other nefarious acts including stealing data and credentials, or even wiping data. So, the name “ransomware” becomes illusory: what we are really dealing with is “hydraware.”
Also, as the recent attack demonstrates, one security vulnerability in just one piece of software can wreak havoc across multiple critical government and business services. Information security experts have traced the “patient zero” in Petya/NotPetya to poisoned update servers for M.E.Doc (accounting software developed by a Ukrainian company). This tactic is not new: as recently as May, update servers for Handbrake, a free and open-source transcoder for digital video files, were compromised with Proton malware, designed to scoop up the keychain (including all passwords) for future attack. These attacks underline how essential it is that vendors secure and monitor their software update servers.
Additionally, researchers tracing the progress of the Petya/NotPetya malware observed that it exploited user administrative privileges to gain access to credentials, which it used to infect other devices on the network. This is a timely reminder that giving users administrative privileges means a compromised device can more readily infect others on the network.
There are three other aspects of these attacks that should be called out – software patching, security vulnerability disclosure, and attribution.
Both the WannaCry and Petya/NotPetya malware exploited a security vulnerability in Windows OS known as “EternalBlue.” WannaCry should have been a warning to patch urgently, and many did. However, others did not. Why? Industrial systems may use legacy software. Enterprises may have poor software update policies, may be using unlicensed software, or may have old devices that cannot run supported software. Some of these scenarios are easier to fix than others. But a good place to start is shortening the software update cycle for as many devices and systems as possible, to improve the “herd immunity” of devices connected to the Internet.
While the EternalBlue security vulnerability was known at the time of the attacks, it was originally a zero-day exploit held by the NSA, revealed to the public by ShadowBrokers. Imagine if it had not been exposed earlier in the year: how much worse might the attacks have been? These attacks bring to light the dangers of hoarding zero-day exploits and the importance of responsible security vulnerability disclosure.
Imagine you discovered that your neighbour had forgotten to lock their door. Would you tell them? What if it was the door to their bank vault or medical file? Would you keep that information to yourself, planning to enter at your leisure when no one was looking? Or would you help them secure their door? Or worse, would you hope that only you would be able to try the handle when you decided you wanted something?
States have a vested interest in strengthening the security of the Internet and the devices that connect to it. Without the Internet, there would be no digital economy. Yet, any time there is a known security vulnerability, it’s like leaving the door unlocked, hoping no one will try the handle. Zero-day vulnerabilities might initially seem like attractive tools in the fight against cyber criminals, but as long as they exist they pose a real and imminent threat to hundreds or thousands of innocent users. And, as we saw with WannaCry and Petya/NotPetya, exploits of software security vulnerabilities can have real-life consequences such as delays in medical treatment, suspension of banking operations, and disruption of port services.
Criminals will always search for any way in, but state actors have a responsibility to secure the Internet, not to weaken it. They should both practice and encourage swift responsible disclosure of security vulnerabilities so they can be patched everywhere. In the end, it’s about making sure we do all that we can to protect citizens online, and out in the world.
A number of security researchers speculate that the Petya/NotPetya attack was a state-sponsored attack on Ukraine. If this is correct, it raises questions for which no one has an easy answer: Is attribution possible? When does a cyber attack rise to the level of an act of war? What should the appropriate response be? According to a statement from NATO’s Cooperative Cyber Defence Centre of Excellence, “NATO’s Secretary General reaffirmed on 28 June that a cyber operation with consequences comparable to an armed attack can trigger Article 5 of the North Atlantic Treaty.” In a recent speech, UK Defence Secretary Sir Michael Fallon clearly signalled that offensive cyber is part of their arsenal, and that cyber attacks could be met with attacks by land, air, sea or cyber. This is a clear signal that cyber warfare could spill over into the realm of military warfare. Keep in mind too that Petya/NotPetya caused disruption and harm beyond Ukraine, across the world. If the target was Ukraine, the collateral damage was extensive. How might the “non-target” countries react? And where might that take us?
These are not problems we can solve alone. However, it is clear that Internet security must be a priority, and deliberate acts to undermine it must be off limits. We must tackle Internet security from all fronts by ensuring: security vulnerabilities are identified early and responsibly disclosed; devices and systems are patched; security experts are able to coordinate and act; critical services have built in redundancy; and, users are alert to phishing and other types of social engineering.
Only through this type of collaborative security will we create an Internet we all can trust.