My job is to constantly think about cyber attacks — this is the first time I've been truly alarmed
I’ve spent nearly every moment of the past few years thinking about how to stop cyber attacks.
And this is the first time I’ve been truly alarmed.
Friday’s ransomware attacks that infected over 150 countries — most notably shutting down hospitals all over England — proved that a cyber attack can determine whether someone lives or dies.
Access to information is power, and if a cyber attack prevents hospitals from accessing records or life-saving care, the consequences are dire.
Many of us in the security industry have anticipated these dangers for a long time, but yesterday made our worst fears a reality.
The ransomware strain, known as WannaCry (or WanaCrypt0r and WCry and WCrypt), was deployed by unknown cyber criminals who used an exploit allegedly written by the NSA. This exploit was one of many uncovered and dumped for public use last month by the Shadow Brokers hacking group, widely believed to be connected to the Russian government.
Microsoft released a patch for the vulnerability in March, but clearly many organizations haven’t patched or are running older, unsupported versions of Windows.
We could spend the next days debating the nuances of why organizations, especially those in critical infrastructure, didn’t patch the vulnerability in time or why they run insecure software for critical functions. Each organization bears responsibility in their security failures.
But the more pressing issue is how so-called hacktivists, or in this case probably state-sponsored operators, are impacting our everyday lives and what we can do to stop them.
So far, the Shadow Brokers have claimed their behavior was virtuous — they were acting as hacktivists simply sharing what they say are NSA cyber capabilities with the public. What the Shadow Brokers’ exact motivations are for exposing a powerful cyber operations toolkit will be close to impossible to discern definitively, but the negative impact to the safety and security of the world has been made clear. They doubled down yesterday, notifying the world that they plan to release more allegedly NSA-developed capabilities on a monthly basis starting in June, including capabilities for Windows 10.
Leaking the information that the Shadow Brokers had widely cannot reasonably be called innocent hacktivism.
If the toolkit leak actually was intended as altruistic hacktivism, it was reckless at best. If the leak was something more, it only validates concerns over the alarming trend of information warfare (both information leaks and exploits) and what this means for our collective future.
Groups like Shadow Brokers — whether operating solely to spread information or for something more nefarious — are directly contributing to the weaponization of information that can cause physical harm like we saw this week.
To be clear, I am not suggesting that the Shadow Brokers built and launched this ransomware worm.
This attack fits the recent trend of criminal enterprises leveraging these now freely available capabilities with the M.O. of hacking and selling stolen information or launching ransomware attacks, a booming business for the attackers (ransomware alone took in an estimated $1 billion last year).
This tech transfer of nation-state capabilities only amplifies the Wild West of cybersecurity, where new weapons are being built every day and very few rules exist to govern actions or prosecute anyone who steps too far. Friday’s ransomware attack demonstrates how these issues actually impact matters of life and death.
So what can be done?
The scary thing is, individuals can implement all the best information security practices like strong passwords, two factor authentication, and encryption, but if large organizations fail to secure their systems, you can be in grave danger.
The proliferation of nation-state exploits and malware are making these kinds of attacks much more accessible to a broad range of criminal and state-associated groups. This means we’re only just beginning to realize the detrimental impact they will have, especially since there seems to be little consequences for the groups conducting this dangerous behavior.
Organizations must wake up to the modern realities of these attacks, assume they’re a target, and prepare accordingly. That means no longer viewing security as a check-the-box compliance exercise. Organizations must proactively and vigorously review their current security methods and ask themselves not if but when an attacker will get in, and whether they have the people, processes, and technology in place to combat it.
Attackers will continue to steal and deploy digital weapons against critical infrastructure so long as they see relatively little risk to their actions. I hope that the impact of this attack on human life will awaken us to the gravity of this issue. In other words, it’s time for everyone to be alarmed.
This piece was originally published in Business Insider.