Borders nothing for cyber attackers
Aweekend cyber attack that disabled computers across much of the world had the hallmarks of a gripping fictional thriller. A weaponised computer hacking tool developed by an American spy agency, and leaked to the world by activists, was then exploited by international criminals. They used the ‘‘ransomware’’ to remotely lock people’s computers and try to extort money to have them released. Hospitals in England and Scotland descended into dangerous chaos as the attack spread and crippled their computers.
In the middle of this madness, a 22-year-old English cyber security researcher, living at home with his parents, took the initiative to register a nonsensical domain name buried in the computer code. At a cost of $15, this triggered a ‘‘kill switch’’ that stopped the attack, or at least slowed it enough for people to shore up their defences. He was soon being hailed as a hero.
It would make an excellent movie – if it were not so serious and frightening.
The fact that the Wanna Cry ransomware attack sent parts of the British National Health Service (NHS) into a tailspin demonstrates that cyber crime can now be as potent as bombs-and-bullets terrorism. At the height of the crisis, operations were cancelled, ambulances diverted and the movement of X-rays and blood supplies through the hospitals was disrupted.
Although the NHS was not specifically targeted, its vulnerability and the potential of cyber crime to cause lifethreatening mayhem has been exposed. The destruction that might be wrought on, say, air-traffic control systems or railway networks can only be imagined.
New Zealand seems to have largely escaped the weekend’s attack, which hit computers in about 100 countries, but sighs of relief should be held in until after people return to work this morning and turn on their computers.
This is also a timely reminder that we should not be complacent. New Zealand’s geographic isolation means nothing in cyberspace. A computer in Christchurch is as likely a target as one in London, Washington or Moscow, especially if, as in this case, the attack is indiscriminate.
Not addressing the issue can have serious consequences. The Wanna Cry ransomware exploited a vulnerability in an older Windows operating system known about for months, and for which Microsoft had issued a ‘‘patch’’, or solution. Advice for protection can be summed up in four words – install patch, update, reboot. The rapid spread of the attack shows people had failed to do that.
We should all be concerned. Then communications minister Amy Adams told a cyber-security summit last year that New Zealand was experiencing a ‘‘constant barrage of attacks’’, with NetSafe and telecommunications providers reporting dozens every day. Cyber attacks were estimated to be costing the economy more than $250 million a year. Adams said then she suspected the real cost would be higher – and a year further down the track it almost certainly will be.
The Government has established CERT NZ (the Computer Emergency Response Team) to co-ordinate public and private sector entities responding to attacks. However, they cannot stop them, any more than police can be on hand to stop a burglar from entering your home. Like all crime prevention, it is up to the owners and users of computer systems to make sure their defences are up to date and as good as they can be.