Boston Herald

Militarized software a new threat

Wild west of web must end


The global ransomware crisis that spread to Asian countries yesterday and threatened critical software infrastructure worldwide exemplifies the need for a new layer of policy and diplomatic alliances that treat cyberspace as our most important battlefront.

A new, cyber-focused NATO would make for an important next step. Unlike all previous international treaties, a new agreement would have to involve private software companies such as Microsoft. That’s because they provide both the vehicle for spreading viruses like “WannaCry” and the distribution channel for security patches that stop it.

“We are increasingly among the first responders to attacks on the internet,” Microsoft President Brad Smith wrote in a blog post.

This is uncharted military territory. Smith equated the leak of the NSA-derived hacking tools with the cyber equivalent of the U.S. military having Tomahawk missiles stolen. He’s not exaggerating. This attack likely will result in people dying, if it hasn’t already, as British hospitals were unable to see patients due to the infected software.

Just as our government would be expected to inoculate Americans against the known spread of a bioweapon, it’s time for our federal agencies to go public about the risks that escaped cyber weapons pose to our citizens.

It’s likely that the National Security Agency knew about this stolen worm for years. A core piece of code that is vulnerable to the attack has been around for at least 16 years, since the launch of Windows XP. The only reason that the NSA would keep this info under wraps is if doing so would compromise its own hacking. These types of decisions — whether to imperil citizens for the sake of preserving weaponized software — should not be made at the agency level. Although our president exhibits no signs of understanding the crisis, someone decided to give Microsoft a heads-up that a software weapon could compromise hundreds of millions of computers. But it was far too late for much of the world. Microsoft released a patch for the exploit with fortuitous timing in March. Chances are that Microsoft was told in February, because the software giant canceled a normally scheduled security update for that month, which is unprecedented. The self-replicating worm affected every version of Windows from the year 2001 through Windows Server 2016. Those that downloaded the patch were lucky.

Pirated copies of Windows are prevalent throughout Asia. Pirated software doesn’t receive security patches, worsening the spread.

Here at home, millions of computers were vulnerable. The reason it didn’t bring our domestic software infrastructure to its knees is twofold: Microsoft’s last-minute patch, and an accidental hero, a security researcher who discovered a website URL hard-coded into the exploit that turned out to be a kill-switch for the worm.

We were perilously close to the worst cyber crisis our nation has ever seen. It’s not a matter of whether such a crisis will happen to us, but when it will happen.

We don’t know if the government tipped off Microsoft. But we do know many of these weapons have originated from within our own spy agencies. They have a responsibility to do the right thing.

“The governments of the world should treat this attack as a wake-up call,” Microsoft’s Smith wrote. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”

AP PHOTOS. CYBER BATTLE: A massive cyberattack, below, last week left patients in hospitals around the world, including Jakarta, Indonesia, above, waiting for care.
