Northwest Arkansas Democrat-Gazette
Alarms often unheeded
Cybersecurity analysts put blame on earlier overhyping.
Misha Govshteyn and his colleagues at the cybersecurity startup Alert Logic dropped all their projects about a month ago, except for one they deemed a graver threat than the rest.
Someone had stolen never-before-seen hacking tactics from the National Security Agency and posted them online. Working in shifts for 36 hours straight, dozens of Alert Logic engineers in Belfast in Northern Ireland, Cardiff in Britain, and Houston devoted their attention to analyzing the leaked computer code.
What they found could undermine the privacy of the crucial corporate files they protect for 4,000 media companies, retailers and app makers. They developed a way to stop their clients from falling victim to the spying and issued warnings to the public through blogs and social media.
Several security firms around the world echoed that sentiment, blasting alerts in mid-April instructing systems administrators to tighten defenses because the National Security Agency leak was sure to lead to a cyberweapon, and signs of a brewing attack had emerged.
It’s clear the advice didn’t reach or sway everyone: The so-called WannaCry ransomware offensive seized an estimated 300,000 computers, with repairs and other associated costs possibly running into the billions of dollars globally.
WannaCry illustrates the challenge faced by cybersecurity companies as data breaches, credit-card theft and phishing become more common. Security researchers regularly sound the alarm — but they fear their warnings are getting lost in a sea.
The problem, they acknowledge, is partially their own making as researchers and firms sometimes overhype threats to gain publicity. But there also remains a gap between external advice and internal action across the corporate cybersecurity landscape.
This is a concern for Govshteyn and others in the industry. Even though WannaCry marked only a temporary inconvenience for most, cybersecurity experts continue to fear the next onslaught could take someone’s life.
“What we’re doing now with warnings by Alert Logic and other companies in the security industry clearly isn’t working,” Govshteyn said.
The answer, he says, could be governments holding companies accountable for failing to take proper precautions, especially in the face of warnings.
About a month ago, private researchers announced they had identified computers compromised by breach methods held by the National Security Agency. The fact that they emanated from the intelligence agency was a sign to the researchers that the tactics were more likely than others to prove virulent and highly effective.
At that point, hackers aren’t believed to have deployed a weapon such as ransomware to lock users’ files. But they had an entryway to do so if they wanted.
“It’s highly likely what we saw were precursors to WannaCry,” said Govshteyn, Alert Logic’s co-founder and senior vice president of products.
Alert Logic quickly informed clients, including about two dozen customers whose security practices left open dangerous holes. Other information-security companies shared news of thousands of infected computers.
Matthew Hickey, co-founder of Hacker House in Britain, said his teams had been tracking several similar leaks since late last year and saw this National Security Agency-related batch as the most worrisome. As the days went on, Hacker House kept issuing ever-heightened warnings of a “Microsoft apocalypse.”
The early detection should have led people to update their systems with a patch from Microsoft and adjust firewall settings, said Vladimir Vlaski, founder of Milwaukee firm BelowoDay.
Some heeded the advice. But many more apparently ignored it or weren’t aware. The number of infected computers rose to more than 428,000 from 50,000 in five days, he said.
British computer-security researcher Kevin Beaumont said people mocked his prediction that the National Security Agency intrusion tactic would be used to set off a worm — malware that automatically crawls