As businesses wake up to the possibility that the WannaCry ransomware tool will spread beyond the already estimated 200,000 computers already infected across Europe, experts are calling for a stronger public-private partnership on cybersecurity. The wake up call from this latest attack: there was a patch that would have shored up the vulnerability.
Just a day before the attack, President Trump signed an Executive Order on cybersecurity. But Congress has yet to find the right balance between the public and private sectors that would make information sharing about patches and threats far more effective.
Cipher Brief CEO & Publisher Suzanne Kelly spoke with former Director of the National Security Agency General Keith Alexander about the attack, how businesses should be thinking about it, and the larger cost of not coming up with a public-private partnership on all things cyber.
Suzanne Kelly: Given your experience as both the head of the NSA, and what you’re doing now with your own cyber company, you have a lot of experience recognizing certain symptoms of cyber attacks right off the bat. What were you thinking when you heard about this ransomware attack last week?
General Keith Alexander: Here’s what I thought first: this has been largely touted as the year of ransomware, so we shouldn’t be surprised to see an increase in these ransomware attacks. I suspect we’re going to see more of these attacks throughout the rest of the year – criminals using Wannacrypt or things like that, to encrypt your computers for ransom. What this current attack is doing is using phishing to gain entry into your systems and lateral movement within a network to attack a large number of systems. They are attacking companies throughout the world. It is a huge, global issue.
Kelly: Let’s talk big picture for a second. Security experts suspect that Russia was behind, or aided in, the recent leaking of hacking tools. If that’s true, and this latest attack emanated from Russian hackers, how should we think about that? Does it mean that it was a miscalculation on Russia’s part to leak the exploits, or should this be interpreted as a sign that perhaps Russia was not behind the attack? How are you thinking about it, given your experience?
Alexander: I think there are two parts to this issue. The first is the perception that Russia might help leak the tools and they threw them out there to embarrass the U.S., especially with our allies in Europe. If that’s the case, then an unintended consequence is that by throwing these tools out publicly, their own people are the ones who are picking them up and using them. And it’s interesting because when you look on the map, Russia is getting hit the worst from this ransomware attack. The second part of this issue is I do think Russia has been behind a lot of the related leaks, and I think from their national perspective, it’s been to push their agenda to create a bigger divide between Europe and the U.S. As our government gathers the information they need to understand who did this and why, I think that the government—on both a classified and declassified level—needs to reach back out to those that did this and hold them accountable. I suspect the leaks were facilitated in part by the Russian government, but that these attacks are an unintended consequence.
Kelly: What does this tell us about zero day exploits? If this attack was launched out of a stolen NSA trove of leaked tools, as some have reported, then how should we be thinking about that? If the government knew about the vulnerability, should they have widely shared it? How should the government walk the line between identifying and exploiting those vulnerabilities for national security purposes and then the responsibility to share that information if it can be used against the private sector? Is there a ‘duty to warn’ in cyber?
Alexander: I am not going to comment on any specific tools or leaks, but I can say that we had two seniors at NSA who worked out a relationship where more than 90 percent of everything we saw on zero days was pushed out to industry for patching. It didn’t go to industry directly from NSA, it went through the right DHS channels to get to industry. It is important to note that before those tools got out publicly, Microsoft actually pushed out a patch to fix those vulnerabilities in March, so that’s a step in the right direction. So the government was ahead in getting that information to the security vendors.
Here’s the issue: pushing out a patch doesn’t fix the vulnerability. The companies have to apply that patch to their systems. Companies that don’t do that or don’t have the people to implement those patches – that’s the real risk. So, if everyone had patched their systems in March, this wouldn’t have spread within companies. Companies would still get hit by the phishing attack if they opened up a phishing email, but they wouldn’t get hit by the lateral movement, which is causing the most damage.
Kelly: Are U.S. companies prepared for something like this and will it get worse before it gets better?
Alexander: The companies that I work with have CISOs, solid IT and cyber personnel, and I think really understand the importance of patching. That doesn’t mean that somebody won’t answer a phishing email. I suspect that this attack will spread much wider on Monday.
Kelly: Do you believe that overall, there is enough of an understanding among C-suites and in board rooms, of the risks and implications of something like this? Are their heads in the right place? How much heavy lifting is still required?
Alexander: Up front, most of the boards and C-Suites I talk to understand the risks and are increasingly focusing on this specific issue. Larger companies can afford the IT and cyber expertise they need. But small and midsize companies cannot, and that’s a real problem. The solution is to come up with comprehensive cybersecurity solutions for all companies, including small and midsize companies, that can protect them from attacks like this. What this also really gets to is the need for a public-private partnership, a relationship between government and industry that works so that when industry starts to get hit by something like this, they can quickly share information with other companies and with the government about where its coming from and the government can help take steps to mitigate the threat. I think that’s what we have to do. It’s part of the strategy everybody sees, it’s just something we haven’t implemented yet, and we have to get on with that.
Kelly: It’s been so difficult to get comprehensive movement in Washington on a public-private partnership when it comes to cyber though.
Alexander: The Executive Order came out last week from the White House, and that’s a critical step forward. We’ve had hearings in Congress on cybersecurity, and they understand the magnitude of these specific issues. They recognize they’ve got to take action. I think people are busy addressing other important issues. I think they understand the importance of the issue, it’s just everything seems to be a priority and nothings a priority and the consequence is, you’re going to get caught flat-footed. You’re going to have increasingly significant attacks in cyber space, so we have to get out in front of it.
I do think the people they have in the White House, Tom Bossert and Rob Joyce, are really good. The President has put quality people in these positions and they’ve already been meeting with both the public and private sectors, and I think that’s a step in the right direction. We’ve got to do a lot more.
Kelly: What advice are you offering in this situation, to U.S. businesses?
Alexander: Two things: I think one they should ensure they have the patch implemented first. They should be working 24/7 to get that done. The second thing is that they should train their people on how to identify phishing emails. It is really important to apply patches, train your people, get good cyber capabilities. We also need to develop the right relationships between government and industry so security experts can see where the attacks are coming from and they can work together to stop them. Both the government and industry have proper roles to play here, and, especially if the attack comes from overseas, that’s where the government must come in.