The UK government has a strategy, and the US has taken the first step

by David Omand / May 18, 2017
Last week, malware released by criminals caused global chaos by locking down computers, denying users access to vital—in some cases lifesaving—data and demanding a ransom for returning systems to normal. In the UK, notable victims were many NHS trusts, which were forced to shut down their entire IT systems. Worldwide, the WannaCry ransomware affected more than 150 countries. The perpetrators are unknown, with some experts pointing the finger at North Korean hackers.
But there are deeper lessons here for governments fighting the growing cyber-threat. How did these criminals discover how to infect computers so effectively? The answer is troubling. The attack was possible due to a flaw in Windows, exposed in March when a number of stolen hacking tools—one of which exploited the vulnerability—were leaked by the hacking group The Shadow Brokers. These tools were allegedly developed in the United States by the National Security Agency (NSA) for intelligence gathering.
The Shadow Brokers emerged last summer and have leaked stolen NSA tools before. The group's origins are unclear, but Edward Snowden tweeted in August 2016 that “circumstantial evidence and conventional wisdom indicates Russian responsibility.” If so, this is an example of the kind of “weaponised information” operation in which Moscow now specialises. But once the tools have been leaked, anyone can make use of them—and Russian computers have been hard hit by the ransomware.
The fact that hackers were able to penetrate NSA security to steal the toolkit in the first place is deeply troubling and the release of the tools onto the web deeply irresponsible. Last week, President Donald Trump signed an executive order on cybersecurity for federal networks and critical infrastructure. This was timely recognition of the need to improve the security of US government agencies, following a string of disastrous hacks. These include the 2015 breach of the Office of Personnel Management, in which the personal details of federal employees—including those in the intelligence community—were compromised, probably by Chinese hackers.
In this respect, then, the lesson may have been learned. But another question remains: after an intelligence agency discovers a flaw in widely used software, what should it do? Telling the relevant company means a patch can be issued to safeguard…