Cybersecurity So Bad, It Makes You WannaCry

A screenshot of the warning screen from a purported ransomware attack, as captured by a computer user in Taiwan, is seen on laptop in Beijing. Mark Schiefelbein/AP File Photo

There are many interesting elements about the ransomware attack, the biggest being that the tools to stop it were readily available.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

There are so many other topics I wanted to write about this week, like the new cybersecurity executive order, or the fact just a week after my last column on autonomous vehicles, another state is entering the long road toward deploying driverless cars. Gov. Andrew Cuomo announced New York is now accepting applications from companies interested in testing or demonstrating autonomous vehicles on public roads in that state. Moving right to the testing phase is pretty cool, surpassing other states that are still studying the issue. So, if you want to see driverless cars in the near future, I suppose New York is the place to be.

But plans for those columns got put on hold after the global cyberattack named WannaCry, among other monikers, expanded over the weekend. In an event destined to have its own Wiki page and maybe even a feature film, hacking tools stolen from the National Security Agency and published online were used to instigate what could eventually become one of the largest cyberattacks in history. Hackers used the NSA tools to craft a ransomware attack against a British health care system, which then rapidly spread to other companies and countries.

There are many interesting elements about this attack, the biggest being that the tools to stop it were readily available. Microsoft released a patch over a month ago to close the vulnerability WannaCry and the NSA tools exploited, yet it’s apparent many people, organizations and governments didn’t bother to deploy it.

I suspect the attackers never meant for their attack to become a global event. On the surface, other than using the NSA-provided tools, this was a run-of-the-mill ransomware scheme with a defined target and a reasonable demand of $300 per client for payment.

It wasn’t even that sophisticated, using Tor servers for command and control, which can be easily blocked by most enterprise security services or programs. The attackers probably wanted to get a quick payday from their ransomware, collect their money and then anonymously disappear. That they became infamous on the global stage won’t do them any favors.

It’s also interesting to note computers at Russian companies are reportedly being infected now. It’s well-known Russia does not hunt and prosecute most hackers within its borders so long as they don’t attack Russian systems, and especially Russian government systems.

Hackers who want to avoid upsetting their hosts often put code in their malware that keeps it from deploying if the native language on an infected system is set to Russian. In China, it’s not even technically illegal to attack systems outside of the country. So, either the hackers behind this attack are not based in Russia or China, or they never thought it could possibly blow back to them, and thus never bothered to add local safeties into their code.

With WannaCry, we have a hodgepodge of older attack techniques targeted at unpatched systems in a specific health care organization. But instead of a quick bit of extortion and a nice little payday, it instead turned into a global event.

This could only happen in an environment where cybersecurity is such a low priority within most organizations, and even governments, that attackers can’t even target specific groups without their malware spilling out across the globe.

The one silver lining is that as of this writing, no American government agency has reported being infected with WannaCry. Of course, the fact that the stolen tools used in the attack came from NSA doesn’t make us look too good, but at least we seem to be practicing basic cybersecurity.

Going back to that recent executive order on cybersecurity, it could not have come at a better time. While much of the order provides a framework for future improvements, one immediate directive was that, “each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity ... developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.”

Some have criticized the framework for being too general about cybersecurity, although it’s being upgraded to version 1.1 to include advice about supply chain risk management, metrics accounting, identity management and access control. Those more advanced concepts, while important, were not required in this case. In an era where a low-level attack like WannaCry can affect, perhaps accidentally, organizations all around the world, a good starting point is exactly what is needed.

For the federal government, the fact that most of its agencies were following the NIST framework, even before the order, probably saved many systems from this most recent threat. The government could still be vulnerable to highly targeted attacks, with quite a few occurring recently, but at least we seem to be protected from the most basic of threats like WannaCry. And that’s a lot better than most organizations.
