Responding to cybercrimes
The particularly nasty computer program dubbed “WannaCry” that attacked hospitals, businesses and government agencies around the world this past weekend was like a cybercrime highlight reel, a compilation of by-now familiar elements — conscience-free cybercriminals, an obscure vulnerability in Microsoft Windows, older and ill-maintained corporate computer networks and computer users tricked into opening booby-trapped email attachments — that played out on an epic scale.
What’s different this time is that the hackers apparently had considerable help from the U.S. government. They used a stolen tool reportedly developed by the National Security Agency to exploit a hidden weakness in the Windows operating system and spread their ransomware far and wide. The reality, though, is that disclosing every such flaw rather than keeping it secret would reduce the effectiveness of cybertools that have become an integral part of modern efforts by agencies like the NSA to fight terrorism, international criminal organizations and rogue states.
What’s needed is a better effort to determine if and when a vulnerability discovered by the feds represents too great a threat to keep it secret from the potential victims. That’s a difficult balance to strike, and the decision shouldn’t be made solely by the executive branch without the input of independent experts and, potentially, lawmakers.
The even more important lesson here is that years, even decades of warnings from security experts simply aren’t getting through to the public. WannaCry should not have reached disastrous proportions — Microsoft released a patch that could close the vulnerability in March, well before the NSA’s tool was decrypted.