Are Western security services undermining our digital security?
APC’s editor says the recent WannaCry attack has clearly demonstrated why creating encryption backdoors for law enforcement is a recipe for disaster.
Is the NSA to blame for the massive WannaCry global ransomware infection? That’s what Microsoft — whose Windows OSes were the target of the attacks — seems to be saying, as the tech giant came out swinging against the NSA and CIA for hoarding known OS vulnerabilities (see tinyurl.com/ apc443-wcry). And indeed, WannaCry did use two NSAdiscovered exploits as the engine for driving the malware — exploits which were leaked to the internet in April by hacker group the Shadow Brokers, which had previously been trying to sell its discoveries to the highest bidder. (Nobody took them up on the offer, which is why they were released for anyone with nefarious intent to make use of.)
To its credit, Microsoft had released patches for these exploits back in March, so both individual users and sysadmins have to take at least some share of the blame for WannaCry’s broad infection rate, which affected some 200,000 systems worldwide. Some 98% of the infected PCs were running Windows 7 — that’s not too surprising, given that it has the largest share of the market (around 48%) and the fact that is is still the most broadly-employed OS in businesses, which can often delay rolling out security updates to ensure they aren’t going to break anything.
If there’s a broad message to be taken out of WannaCry, it’s that — as inconvenient as they might often be — you should always install the latest OS updates for your devices. But it also entirely undermines US (and other) intelligence agencies’ frequent requests for backdoors into the products of Apple, Google and Microsoft to help with law enforcement. All three companies have recently stepped up their efforts to encrypt their products to better protect their customers from attacks.
We’ve built a world that’s heavily reliant on digital infrastructure — one that’s hard enough to secure without having to worry about deliberate holes in the defences. What’s to guarantee that, as with the NSA exploits at the heart of WannaCry, these backdoors won’t be discovered and exploited by hackers to the detriment of us all?