Everybody who depends on digital information systems, which is everybody, saw a few glimpses of silver lining from the WannaCry ransomware attack that took the planet by storm Friday.
For one thing, the attacks slowed, and there was no massive second wave. “The good news is, the infection rates have slowed over the weekend,” Tom Bossert, President Trump’s homeland security advisor, told reporters today. As of mid-afternoon, Bossert said, the attack had affected about 300,000 computers and systems in 150 nations – not dramatically worse than Sunday, when Europol reported that 200,000 computers in 150 nations had been frozen.
For another, many of the computers and systems that suffered the attack depended on pirated Microsoft Windows operating systems, which could not qualify for the patch the company distributed to legitimate users on March 14. The New York Times reported that Kaspersky Lab, a computer security firm in Moscow, said that China, India, and Russia were “among the countries most affected by the ransomware attack.” These countries are known to be rife with pirated software.
Other victims, notably Great Britain’s National Health Service, used computers equipped with legally purchased but older Microsoft Windows versions. Bossert said that British officials told him they had lost some phone and computer access but “extremely minimal disruption to patient care.”
Bossert said that relatively few U.S. computers and no federal systems had been affected. He did not rule out the possibility of a new round of attacks. He said that government cyber security specialists had spotted three new variants of the original WannaCry worm.
“The worm is in the wild, so to speak at this point, and patching is the most important message as a result,” Bossert said.
Defensive measures taken by U.S. corporations and institutions have “dramatically reduced the vulnerable population over the past three days,” Bossert said. “The only computers that can be compromised by the WannaCry or WannaCrypt virus are ones that didn’t have the latest security patches available from Microsoft.”
On Sunday, Microsoft, the information technology giant whose popular Windows operating systems harbored the flaw the WannaCry hackers exploited, pointed the finger at the National Security Agency.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Brad Smith, Microsoft president and chief legal officer, charged in a blog on the company website. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
Smith indicated that the National Security Agency knew of the Windows vulnerability but withheld that crucial information from the company so it could spy on hostile actors overseas. The company learned of the flaw and issued a patch March 14.
Speaking from the White House podium, Bossert defended the U.S. intelligence agency. “This was not a tool developed by the NSA,” he said.
But he didn’t deny the chain of events that led to the attack: information allegedly stolen from the NSA was posted on the Internet last month by cyber thieves who called themselves the Shadow Brokers; that material exposed, among other things, the Windows security gap, and it gave the WannaCry hackers the means to develop their own ransomware to attack vulnerable Microsoft systems. “The provenance of the underlying vulnerability is a little bit less of a direct point for me,” Bossert said.
Microsoft’s latest comment, delivered today by email to The Cipher Brief, was terse and nonconfrontational:
Those who are running our free antivirus software or have Windows Update enabled are protected. Given the potential impact to customers and their businesses, we have also released updates for Windows XP, Windows 8, and Windows Server 2003. For more information, see our Microsoft Security Response Center blog; 'Customer Guidance for WannaCrypt Attacks.'
On Monday, the ransomware attack boosted stock prices of some publicly traded cybersecurity companies, according to Reuters. Microsoft’s stock inched upward by five cents or seven-tenths of one percent, to $68.48, just short of the 52-week high of $69.71.
The crisis began at 4:07 p.m. Greenwich Mean Time Friday, when BBC News broke into a broadcast about the Pope’s visit to Portugal to report that “hospitals across England appear to have been simultaneously hit by a large scale cyber attack… many of the hospitals having to divert emergency patients.” The bug, identified as malware called WannaCry or WannaCrypt, shut down Britain’s National Health Service data system, which had not been updated with the Microsoft patch, and spread to other unpatched computers across Europe and Asia. The victims received digital ransom notes demanding payment of about $300 in bitcoins, a virtual currency that can preserve the attacker's anonymity.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Microsoft’s Smith said in his Sunday blogpost. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”
General Keith Alexander, who served as NSA director from 2005 to 2014, told Suzanne Kelly, The Cipher Brief CEO & Publisher, that “more than 90 percent of everything we saw on [vulnerabilities] was pushed out to industry for patching.”
“Here’s the issue: pushing out a patch doesn’t fix the vulnerability,” Alexander added. “The companies have to apply that patch to their systems. Companies that don’t do that or don’t have the people to implement those patches - that’s the real risk. So, if everyone had patched their systems in March, this wouldn’t have spread within companies. Companies would still get hit by the phishing attack if they opened up a phishing email, but they wouldn’t get hit by the lateral movement, which is causing the most damage.”
Other industry experts expressed sympathy for the intelligence community’s desire to ferret out software security gaps and keep them secret and unpatched. The spy agencies have traditionally used such vulnerabilities against intelligence targets.
“This is a tough issue,” Todd Rosenblum, Senior Executive for National Security Programs and Strategy at IBM, told The Cipher Brief. “Our overseas intelligence collection apparatus relies on a wide array of tools to access information vital to our national security. Moreover, many U.S.-based companies are really multi-national companies with an operational presence in hard target locations. There are times that we must tilt toward preserving access to foreign intelligence information because of the nature of the information, its immediacy, and lack of other means to collect it.”
On the other hand, Rosenblum said, the intelligence agencies must recognize that “harming the business reputation of the U.S. is bad for our economic vitality.”
The WannaCry attack underscored a key question: can the government keep a secret? As Marshall Erwin, Head of Trust at Mozilla, told The Cipher Brief last month, “Instead of asking whether vulnerabilities can be independently discovered, the intelligence community should be asking whether they can too easily be stolen or leaked.”
Ultimately, said Nils Puhlmann, Co-Founder of the Cloud Security Alliance, it’s up to companies and individuals to protect themselves by installing patches and taking other computer security measures.
“It is an arms race,” Puhlmann said. “If we choose to do nothing, to not update and maintain our machines, to not pay attention to what we depend on, then we have already lost that race.”
And don’t wait for the government to solve the problem. By all accounts, the spread of the WannaCry attack was halted, at least temporarily, by a 22-year-old English computer researcher who calls himself MalwareTech and who works for Kryptos Logic, a Los Angeles threat intelligence company that tracks bot attacks. He told the British newspaper The Guardian that he looked at the malware code and noticed a connection to an unregistered domain. He bought the domain for $10.69, activated it and the attacks stopped. Apparently the domain acted as a “kill switch,” for reasons only the malware author knows for sure.
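The kill-switch mechanism described above also hands defenders a detection handle: a machine that tried to reach that domain was running the code that checks for it, whether the lookup failed (before the domain was registered) or succeeded (after it was). The following is an added example, not code from the article, MalwareTech, or Kryptos Logic. The domain name, the log lines, and the four-field resolver log format are constructed placeholders, since the article does not name the domain or describe any log format; the inference that a host querying the domain is worth isolating is the example's own.

```python
"""Find hosts that looked up a suspected ransomware kill-switch domain in DNS logs.

Added example for the kill-switch passage; not code from the article or from the
researcher or company it describes. The domain, the log lines and the log format
(<ISO timestamp> <client IP> <queried name> <rcode>) are constructed placeholders.
"""
from collections import defaultdict

# Placeholder: the article does not name the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log lines, not real traffic. The first three are from
# before the domain was registered (NXDOMAIN); the rest are from after.
SAMPLE_DNS_LOG = """\
2017-05-12T16:01:02Z 10.0.5.21 killswitch-placeholder.example NXDOMAIN
2017-05-12T16:01:09Z 10.0.5.40 update.corp.example NOERROR
2017-05-12T16:03:44Z 10.0.7.13 KILLSWITCH-PLACEHOLDER.EXAMPLE. NXDOMAIN
2017-05-12T18:20:01Z 10.0.5.21 killswitch-placeholder.example NOERROR
2017-05-12T18:21:15Z 10.0.9.2 killswitch-placeholder.example NOERROR
2017-05-12T18:22:00Z 10.0.5.40 intranet.corp.example NOERROR
"""


def normalize_name(name):
    """Lower-case the name and strip a trailing dot so variants compare equal."""
    return name.rstrip(".").lower()


def parse_dns_log(text):
    """Yield (timestamp, client, name, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, name, rcode = parts
        yield ts, client, normalize_name(name), rcode.upper()


def kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: [(timestamp, rcode), ...]} for lookups of the domain.

    NXDOMAIN answers belong to the period before the domain was registered;
    NOERROR answers mean the host reached the registered (sinkholed) domain.
    Either way the host ran code that looked for the domain and should be
    isolated and examined.
    """
    domain = normalize_name(domain)
    hits = defaultdict(list)
    for ts, client, name, rcode in parse_dns_log(text):
        if name == domain:
            hits[client].append((ts, rcode))
    return dict(hits)


def summarize(hits):
    """Return sorted (client, lookup_count, saw_nxdomain, saw_answer) rows."""
    rows = []
    for client, events in sorted(hits.items()):
        rcodes = {rc for _, rc in events}
        rows.append((client, len(events), "NXDOMAIN" in rcodes, "NOERROR" in rcodes))
    return rows


if __name__ == "__main__":
    for client, count, nx, ok in summarize(kill_switch_lookups(SAMPLE_DNS_LOG)):
        phases = []
        if nx:
            phases.append("before registration (NXDOMAIN)")
        if ok:
            phases.append("after registration (resolved)")
        print(f"{client}: {count} lookup(s), {' and '.join(phases)}")
```

Run against your own resolver export, the same query gives a list of hosts to pull off the network first; the point of the example is that the lookup itself, not the answer, is the indicator, so logs from before the domain was registered are just as useful as logs from after.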
Elaine Shannon is a contributing national security editor at The Cipher Brief.