Wan­naCry win­ner

Why Mi­crosoft will ben­e­fit from the cy­ber at­tack

Financial Times USA - - FRONT PAGE - John Gap­per john.gap­per@ ft.com

The Wan­naCry cy­ber at­tack has dented the rep­u­ta­tions of or­gan­i­sa­tions in­clud­ing the UK Na­tional Health Ser­vice, Tele­fónica of Spain and the US Na­tional Se­cu­rity Agency, which may have in­vented part of the soft­ware. For one com­pany, though, it is work­ing out bet­ter.

Mi­crosoft, which owns the tar­geted op­er­at­ing sys­tem, would have had to pay mil­lions for com­pa­ra­bly use­ful pub­lic­ity. True, 200,000 com­put­ers run­ning Win­dows were af­fected, with hard drives en­crypted and de­mands for bit­coin ran­soms on com­puter screens. But the world’s big­gest soft­ware maker has seized on the ad­van­tages.

Not only did Brad Smith, Mi­crosoft’s pres­i­dent and chief le­gal of­fi­cer, take the op­por­tu­nity to tell cus­tomers to up­date soft­ware, but he took a shot at the NSA and gov­ern­ments with which tech­nol­ogy com­pa­nies have tus­sled over pri­vacy and se­cu­rity. It was a master­class in pur­su­ing Mi­crosoft’s in­ter­ests while in­vok­ing a no­ble mission.

It in­cluded a help­ing of hum­bug — Win­dows still sits at the heart of 90 per cent of per­sonal com­put­ers, and has proved vul­ner­a­ble to many kinds of ex­ploits over the years. But there was some truth: the in­ci­dent shows that gov­ern­ments are keener on at­tack­ing en­e­mies than de­fend­ing their cit­i­zens, who are bad at it them­selves.

Mi­crosoft’s clear ad­van­tage is that it was pre­pared: it had made a patch for the Wan­naCry vul­ner­a­bil­ity in March and rolled it out to mil­lions of com­put­ers. Many of those caught un­aware were still run­ning Win­dows XP, an age­ing ver­sion dat­ing back to 2001.

It en­dured a dark pe­riod at that time, when it kept launch­ing edi­tions of Win­dows, in­clud­ing 98 and XP, which were filled with new fea­tures but lacked ba­sic re­li­a­bil­ity and se­cu­rity. Bill Gates, its founder, had to write his “trust­wor­thy com­put­ing” memo in 2002, promis­ing to per­form bet­ter.

To a large de­gree, it worked. Any user of a re­cent ver­sion of the op­er­at­ing sys­tem, such as Win­dows 7 or 8, can shield them­selves by keep­ing up­dated. The in­ter­net makes it sim­pler for hack­ers to bur­row into com­put­ers, but also makes them eas­ier to de­fend — com­pa­nies can at least patch their ma­chines against any known loop­holes.

The re­main­ing chal­lenge is that Win­dows has a long tail — old ver­sions stay on com­put­ers be­cause it would ei­ther be too costly or too dif­fi­cult to up­grade them. It is of­ten the lat­ter: com­pa­nies run cus­tomised soft­ware that is not easy to make work with a newer Win­dows. There is al­ways the temp­ta­tion to let things re­main as they are.

Mi­crosoft needs in­cen­tives for the 7 per cent of users still run­ning XP to up­grade to a new ver­sion, and for ev­ery­one to re­main cur­rent. That is what the Wan­naCry at­tack, and the like­li­hood that it will only be the first in a string of sim­i­lar in­cur­sions, of­fers.

It may be ar­du­ous to stick with old ver­sions of soft­ware, but it is much more painful when ma­chines stop work­ing. “In­for­ma­tion tech­nol­ogy ba­sics like keep­ing com­put­ers cur­rent and patched are a high re­spon­si­bil­ity for ev­ery­one,” Mr Smith warned. It is ev­ery­one’s pub­lic duty to carry on re­fresh­ing Win­dows soft­ware, in other words.

The sec­ond ad­van­tage for Mi­crosoft and other tech­nol­ogy com­pa­nies is that it of­fers a good rea­son to re­sist the pres- sure from gov­ern­ments to loosen se­cu­rity just for of­fi­cials. The UK govern­ment is among those to ar­gue against the un­break­able en­cryp­tion of data, which keeps mes­sages sent from mo­bile and desk­top de­vices se­cret.

Gov­ern­ments of­ten de­mand that “back doors” should be in­serted in soft­ware to al­low them to read, for ex­am­ple, ter­ror­ist com­mu­ni­ca­tions. But un­less they could keep such tech­nol­ogy se­cure and not let it leak, this would also al­low oth­ers to run amok.

In prac­tice, the NSA is poor at keep­ing secrets. Wan­naCry spread fast be­cause it was com­bined with a worm called Eter­nalBlue that is thought to have been de­vel­oped by the NSA for its own pur­poses. This and other tools leaked af­ter an NSA con­trac­tor was ar­rested last year for steal­ing data.

Eter­nalBlue and other tools ap­par­ently de­vel­oped by an NSA group were sold on the black mar­ket by an­other group called the Shadow Bro­kers. Gangs can now buy soft­ware from govern­ment agen­cies to de­ploy crim­i­nally.

It is a one-sided con­test. Fluid groups of de­ter­mined hack­ers with ac­ci­den­tal sup­port from in­tel­li­gence agen­cies take on the tech­nol­ogy de­part­ments of bu­reau­cratic en­ter­prises, and un­der­funded pub­lic sec­tor bod­ies.

When hospi­tal op­er­a­tions are can­celled and med­i­cal scan­ners break down, ev­ery govern­ment has to ask it­self ques­tions. Many have as­sumed that their own agen­cies can strike oth­ers with­out risk, but cit­i­zens are start­ing to suf­fer col­lat­eral dam­age.

The chances of the US, Rus­sia, China and oth­ers agree­ing a deal to limit their own cy­ber at­tacks — what Mi­crosoft calls a Dig­i­tal Geneva Con­ven­tion — are slim. As James An­drew Lewis of the Cen­ter for Strate­gic and In­ter­na­tional Stud­ies says drily, that would be “very dif­fi­cult to ne­go­ti­ate”.

But ev­ery­one — gov­ern­ments, com­pa­nies and in­di­vid­u­als — needs to do more to pro­tect so­ci­ety. It suits Mi­crosoft, but it also hap­pens to be true.

The ran­somware at­tack is a rea­son to re­sist pres­sure from gov­ern­ments to loosen se­cu­rity

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.