Friday’s global attack on computers in some 150 countries was clearly a wake-up call. It took government systems offline, affected corporations of all kinds, took critical infrastructure systems out of service and even changed the agenda of the G7 meeting in Italy.
But it was an attack carried out without much sophistication. The wave of infections was reportedly stopped by a security researcher more or less by mistake. And the attacks used a vulnerability that was long known and addressed by the vendor – in this case Microsoft.
So why is it a wake-up call? Because if a non-sophisticated attack, utilizing an exploit easily disrupted, known for months, and with patches available, can spread to over 200,000 computers across 150 countries, what are we in for if the “big one” strikes?
Living in California, we always think about earthquakes. We prepare, we store food and water, our children practice in school. Yet when the first tremor over 4.0 strikes, we are all still surprised. None of these practices will really insulate us from the ‘big one,’ but they will simply make us more prepared, limit some of the damage done, and keep us vigilant.
Widespread computer attacks are similar. The private sector and governments have talked for years about the poor state of computer security and how unprepared everyone is. Awareness campaigns abound and every time there is a small tremor – to carry on the analogy – we are reminded to be better prepared. This Friday’s attack was a small tremor compared to what a ‘big one’ could look like.
But there is one major difference between earthquakes and computer security. We will never fully control forces of nature, but we can absolutely do more to increase our digital resiliency. Our dependency on technology has gone up exponentially over the years. Be it as a consumer or as a corporation, virtually nothing happens anymore without a piece of machinery that is somehow connected with other machines. But as our dependency on technology has gone up, we have not adjusted and matured.
When you need your car to drive to work every day, you make sure that it is dependable. You have regular oil services performed, you schedule inspections, you have the brakes maintained and you ensure the car will start on cold or hot days. You do all that because you depend on it.
But, somehow, we expect computers to be dependable without doing our part.
We ignore the warnings in our web browser that a site might be unsafe. We repeatedly delay pop-ups from software vendors reminding us that patches need to be downloaded. We let the machines we depend on so much become outdated relics – simultaneously expecting them to power on or be safe for us any time of the day or night. And we go a step further in our own denial. We trust our computers to store our most private data – to manage our finances and serve as the backbone of our communication. Yet we do not maintain them.
Mature software vendors have spent a lot of money making their software more secure and dependable. There are whole teams working on communicating with customers, producing patches to take care of discovered vulnerabilities and even working with good hackers that find these bugs. All of these activities – and the money spent on them – have one goal: to keep the software maintained and secure.
Software will never be completely secure. That is the nature of it. It was created by humans and is often changed, sometimes several times a day. Yet software is, increasingly, powering the world. So how do we stay safe?
Let’s take a look at ourselves. What do we do to stay healthy? We eat well, we exercise, we brush and floss – we do what it takes to maintain balance and hygiene. Computers and software need the same attention.
Ignoring this is how we all enabled Friday’s attack – we were negligent. We assumed we did not need to maintain and pay attention to these machines that we rely on so much – machines that we trust, to some degree, with our whole life or our whole business.
There will always be cyber attacks. In fact, attackers also use software and they also update, patch and improve. So yes, it is an arms race. If we choose to do nothing, to not update and maintain our machines, to not pay attention to what we depend on, then we have already lost that race.
But the odds are in our favor. Most cyber attacks do not utilize the most highly sophisticated tools or information available. It would be too costly and difficult for most attackers. Most of the bad guys actually use old vulnerabilities that have long been fixed. Why? Because they can. Because we do not pay attention. And because it is easy and it works.
So after last Friday we all have to ask ourselves one simple question: why do we make it so easy?