|15 May 17. The most important thing about the cyber “attack” over the weekend is that while thousands of computers were affected, millions were not. This highlights one of the biggest problems in cybersecurity: many people still don’t take it seriously. The 2016 Verizon Data Breach Report, one of the best sources of information on breaches, found once again that the vast majority of successful hacks required only the most basic techniques because defense is too often ignored, something that has been true for years. “WannaCry” is a tribute to negligence.
WannaCry took advantage of a vulnerability in Microsoft software found by the National Security Agency (NSA) and made public by “Shadow Brokers,” an unidentified group of hackers likely backed by Russia. However, Microsoft published a fix to the vulnerability two months ago. Networks that implemented the fix largely escaped harm. The incident is embarrassing for NSA, but culpability rests first with the criminals and second with network owners that did not stay up to date. Blaming NSA, while tempting, is irrelevant. There are an immense number of software vulnerabilities, and social engineering techniques to trick people, like phishing, always work. Taking NSA out of the equation will not change this. Blaming NSA avoids hard questions about operator negligence, buggy software, and the Snowdenistas’ anti-American agenda.
We can have a long debate over whether intelligence agencies should play nice in cyberspace. This is not going to happen for a long time, if ever. Eventually, constraints on cyber espionage may be necessary, but these would only work if everyone observed them, and there is reasonable doubt that China and Russia would go along. There is only one agreement to limit cyber espionage: the Obama-Xi agreement on commercial espionage, tightly written to block only a specific kind of espionage while allowing all other kinds to continue. With the United States challenged around the world, this is not the time to give up something as crucial for defense as cyber espionage unless one favors unilateral disarmament—and it is not possible to force NSA to reveal every exploit they develop without giving Russia and China an intelligence advantage. As a leading Russian dissident put it, “Putin needs an enemy. He wants to be the leader of the anti-American, anti-European world.” In this context, calls for NSA to be more forthcoming are dangerously naïve.
We can also have a long discussion over how to improve law enforcement in cyberspace, something that faces major political obstacles. Countries that are hostile to the United States have no incentive to cooperate, particularly if they support cyber crime as a tool for state power (such as Russia and North Korea). Other countries worry that cooperation would diminish their sovereign control over their citizens’ private data. Like-minded countries (e.g., Western democracies) could agree to cooperate against cyber crime, but it would take time for the United States to develop a new, coherent strategy for cooperation that its sometimes-timid allies would find persuasive.
Cyber criminals are fast and innovative; defenders are too often slow and reactive. Cyberspace will not be safe anytime soon, but in the interim (and it may be a long interim), there are three things organizations, can do to better protect themselves against this kind of incident:
None of these are new ideas, nor do they require advanced degrees to implement, but people who own networks (or make software) must move from a twentieth-century approach to data protection. Cyberspace is a Darwinian environment, replete with predators and victims, but the risk of being eaten in this environment can be managed and reduced. WannaCry should not have worked.
James A. Lewis is a senior vice president at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2017 by the Center for Strategic and International Studies. All rights reserved.