Note: This article was originally published on the NATO Association of Canada's website.
On May 12, a computer virus known as WannaCry swept around the globe in what may have been the most extensive cyber attack in history. The ransomware, which gets its name from how it holds a user’s data hostage, affected at least 200 000 computers in more than 150 countries, disrupting the operations of FedEx, Renault-Nissan, Russia’s interior ministry, Chinese universities, and the UK’s National Health Service (NHS). 98% of the infected computers were running the Windows 7 operating system, for which Microsoft no longer offers free security updates as standard. On June 27, another major cyber attack hit Ukraine before spreading to tens of thousands of computers worldwide.
The damage done by WannaCry was made possible by hacking tools named EternalBlue and DoublePulsar. They took advantage of vulnerabilities in the software code of the Server Message Block (SMB) protocol, which allows computers running Windows operating systems to share files with one another over a network. Those vulnerabilities, called zero-day exploits, are flaws in a software program’s original code that were overlooked when it was first written. ‘Zero-days’ are known as such because they present an opening for cyber attacks the moment they are discovered, leaving the authors of the software zero days to fix the error. The developer is then suddenly pitted against potential hackers in a race to patch the code’s weakness before it can be exploited. This type of vulnerability is common because, as The Economist magazine explains, even a rate of 0.5 errors per 1000 lines of code still results in numerous holes for hackers to discover, particularly if a program’s code is several million lines long.
The WannaCry incident was the most severe in a growing trend of cyber attacks. A 2016 study by IBM Security found that from 2015 to 2016 the number of ransomware emails spiked by 6000%, with infections expected to rise further in 2017. The emergence of the Internet of Things, about which I have written before, will further exacerbate this threat. Every Wi-Fi-enabled device from household appliances to baby monitors to children’s toys can be hacked, hijacked, and recruited into a botnet used to carry out massive Distributed Denial of Service (DDoS) cyber attacks.
The abundance of threats makes further incidents likely, especially given deficient public cyber literacy. While major software companies work hard to detect and patch weaknesses in their products, accounting for human naiveté is far more difficult. The IBM study also found that 40% of spam emails contain ransomware. As University College London discovered first-hand hardly a month after the WannaCry incident, it only takes one person to click on a malicious link in an email for the malware to gain access to an entire computer network. Croatian cyber security expert Miroslav Stampar cautions that “once hackers start breaking in from the inside . . . countermeasures that corporations have taken mean nothing.” His trepidation is well-founded. Take this quiz on cyber security concepts, and then compare your knowledge level to the results of a survey by Pew Research Center. It concludes that “a majority of internet users can answer fewer than half the questions correctly . . .”
If the general public is guilty of cyber illiteracy, certain governments lack cyber wisdom. The UK’s NHS, for instance, was stricken by WannaCry because chronic underfunding has prevented its computers’ operating systems from being upgraded to Windows 10. Then there is the issue of culpability, since the vulnerabilities that enabled the ransomware attack had been discovered, hoarded, and weaponized by the National Security Agency (NSA) for the purpose of surveillance, much to Microsoft’s chagrin. When the NSA realized that it had been hacked, it advised Microsoft to release a software patch, but it proved to be too little, too late.
To make matters worse, EternalBlue and DoublePulsar are only two of seven hacking tools that the group that released them, known as the Shadow Brokers, stole from the NSA. The other five ― EternalChampion, EternalRomance, EternalSynergy, ArchiTouch, and SMBTouch ― make up a ‘doomsday’ malware called EternalRocks, which may have already infected many computers around the world. At this point it is impossible to estimate the extent of the contagion because EternalRocks infects computers covertly, and even names itself ‘WannaCry’ in order to deceive analysts. Strictly speaking, EternalRocks is benign on its own: it will infect a computer network but, so far, has remained dormant once inside. That hardly comforts Miroslav Stampar, though, who warns that it could be weaponized to enable mass phishing or Trojan horse attacks. Furthermore, unlike the early versions of WannaCry, EternalRocks has no ‘kill-switch.’ It could eventually be unleashed to even more devastating effect than its predecessor.
The NSA’s policy of keeping exploits secret from software developers is dangerous because it involves a fundamental trade-off: a backdoor can be used by anyone who discovers it, with bleak implications for cyber security. Such recklessness is emblematic of the difficulty in juggling efforts at counter-terrorism, concerns for privacy, and protection of digital infrastructure. The conundrum is far from being resolved. Even if security agencies really can be trusted to use hacking tools responsibly, the WannaCry episode proves that it’s only a matter of time before those same cyber weapons fall into the wrong hands.