It makes you WannaCry
The increased capabilities of information technology have made cyber security risks far more systemic, raising the stakes of every attack, says These vulnerabilities go to the heart of what companies claim to offer their clients: privacy, security and sta
Many of the warnings that cybersecurity experts have been sounding came to fruition with the “WannaCry” ransomware attack penetrating the UK’s National Health Service (NHS) computers and locking down crucial patient data.
But this incident should itself be a warning for the much more severe attacks that are surely inevitable.
The attack spread rapidly, infecting over 100,000 computers within the first day. It hit the shores — or the networks — of more than 100 different nations.
Though the spread was eventually slowed by a 22-year old stumbling upon the ransomware’s kill switch, this raises questions about the vulnerability of global cyber networks. For the financial sector, these vulnerabilities go to the heart of what companies claim to offer their clients: privacy, security and stability.
If a future iteration penetrates banks and other financial institutions, the liquidity of financial markets could also be jeopardised. The panic caused by the ransomware attack was limited by virtue of the NHS’s ability to provide clear, centralised direction to its employees.
For industries that are, by their nature, competitive and fast-moving, the impact could be exacerbated. If a particular stock exchange is reported to have been targeted, for example, the safe response by hedge funds, investment banks, and private investors would likely be to try and withdraw funds. However, acting together, this would cause a crash in the market, sparking further panic and flow-on risks for other exchanges.
A swift response by central authorities such as the US Securities and Exchange Commission might take the form of suspending trading on certain markets. But that, in itself, would be a costly exercise and cause panic in other markets.
Additionally, the ability of these regulators to respond to such attacks before they cause lasting damage is limited. When data from thousands of different companies are stored together, often on common cloud servers, the potential for a single attack to affect vast swathes of the economy is greater.
Though the pooling of resources through cloud computing companies enables greater investment in security for all, the flipside is that in the single instance that this fails a much greater number of companies are exposed.
And when so many computer systems are intricately linked through interoperating platforms and communication tools, particularly in the financial sector, the spreading of ransomware and other malware can occur rapidly through email and other file-sharing tools.
In essence, the increased capabilities of information technology, for all their virtues, have made cyber security risks far more systemic — raising the stakes of every attack.
With some estimates for the cost of cyber crime at more than US$600 billion per year worldwide, protection against such attacks is worthy of investment.
The New Zealand Government, for its part, has invested $22.2 million in a new organisation to limit the fallout when these attacks do occur, the Computer Emergency Response Team (CERT). A briefing paper to Communications Minister Simon Bridges last year indicated CERT will be responsible for “incident response and triage; situational awareness and information sharing; advice and outreach; international collaboration; and co-ordination of serious cyber incidents.”
However, while these are admirable goals, there is of course no replacement for vigilance on the part of the private sector.
Last week’s attack, for example, was possible only because of a failure by many users to install an update released by Microsoft to resolve a weakness in their Windows operating system. The update was released in March, but the importance of installing it only became apparent to users once it was too late.
The ability to trace and punish the source of such attacks is also becoming more challenging.
Last week’s hackers demanded that ransom payments were paid in the form of Bitcoin, a cryptocurrency, making it impossible to know who the recipients of such funds were or to place a freeze on the fraudulentlyobtained funds in the aftermath.
Regulators have long resisted taking steps to limit the use of such digital currencies, arguing that they do not fulfil the normal definitions of a currency in large part due to their limited use.
However, on reflection they may realise this view is myopic given that the limited use of bitcoin can be connected to such systemically influential events. Whether or not regulation could actually affect cryptocurrencies is a question in its own right, but the failure to devote significant attention to doing so could be costly in the long run.