LESSONS IN RANSOMWARE
The WannaCry ransomware was a derivative implementation of an exploit developed at the cost of the US taxpayer, and it held hostage mostly users of pirated and/or outdated software across the world.
Let us first understand how the US taxpayer ended up subsidising this global criminal operation. The National Security Agency (NSA) of the US government, like the intelligence and military agencies in most other nation states with an offensive cybersecurity programme, is amassing zero-day vulnerabilities. Zero-day vulnerabilities are vulnerabilities in software that have not been disclosed publicly, so no patch exists for them. The vulnerability targeted by WannaCry was for years of strategic importance to the NSA. They had built an exploit called EternalBlue to remotely take over and control computers running Windows XP to Windows Server 2012.
In the big picture, through amassing hundreds of such vulnerabilities and their associated exploits, agencies like the NSA contribute to the fragility of our global information society. They reverse the traditional market incentives for fixing software vulnerabilities. While this strategy might give the NSA an advantage during cyber attacks and cyber war, even the NSA does not know whether criminals are using the very same vulnerabilities to target American citizens. This cybersecurity challenge is currently being debated at many different national and international forums. The most important question is whether the market for zero-day vulnerabilities and exploits should be regulated, and if it is to be regulated, how. Unfortunately, it is highly unlikely that there will be consensus on this issue, and therefore governments will continue to contribute to the success of attacks like WannaCry in the years to come.
Why did the criminals target outdated/pirated software? Corporations like Microsoft try to discourage piracy by only providing patches to paying customers. Microsoft had released patches in mid-March, around a month before the Shadow Brokers released the latest tranche of weaponised software exploits from the NSA featuring EternalBlue. Additionally, Microsoft went out of its way to also release a patch for Windows XP; they were not obliged to do this, since they had ended support for XP in April 2014. But Microsoft decided against making these patches available to users of pirated versions of their software. Of course, user ignorance and poor security practices contributed greatly to the scale of the attack, but given that our government knows that most Indians will not be able to afford proprietary software, it is strange that it doesn’t promote Free/Open Source Software (FOSS). The promotion of FOSS is mentioned in the BJP manifesto for 2014. This is best achieved through vendor neutrality in government procurement and educational institutions. Otherwise, the state and academia end up as the sales teams of proprietary software firms. If ordinary people shift to FOSS, they could, for example, install the latest version of Ubuntu without paying and also get all the latest security updates.
This is not to say there is no ransomware targeting FOSS (Android, flavours of GNU/Linux) or FOSS-based operating systems like Apple’s OS. But their limited market share results in fewer criminals targeting them. With FOSS, it is also possible for the resources needed to detect vulnerabilities and develop patches to be provided by multiple stakeholders, including governments. However, it is important not to forget that there is no guarantee that any of this will actually happen. There are examples of very important projects like OpenSSL with vulnerabilities like Heartbleed that remained undetected and unfixed. This was because everyone was hoping for someone else to do it. Economists call this the “tragedy of the commons”. However, in developing countries like India, government procurement can be used to shape the market, incentivising an ecosystem of developers with market incentives for contributing to FOSS projects. This is a better way to use taxpayer money!