If security is often a distant issue to the general public, on Friday it must have felt very close indeed. The ransomware attack that paralysed 40 UK hospitals and countless other organisations across 150 countries will not soon be forgotten. After all, what appears to be a relatively unsophisticated and untargeted campaign managed to shut down industry giants and public utilities, including the UK's National Health Service.
A week ago cyber-security was an issue widely ignored by the general public, government and business - but by Monday there had been a paradigm shift.
If voters, citizens, law enforcers, executives, business owners, bureaucrats, doctors and politicians ignored these problems last week, they couldn't on Monday morning.
Over the weekend most of the affected NHS trusts returned to full operation and fears of a second attack have been largely put to bed. Now that the smoke has cleared, what is to be made of this new landscape?
Any policy response will have to wait. Parliament is currently in recess and MPs are awaiting June's general election. It's unclear what legislative reply might shake out of this, but hay is already being made by government critics who point to insufficient NHS funding as the reason the UK's public health service was so vulnerable. Jeremy Corbyn, leader of the UK Labour Party, has pointed to the current government's failure to renew a £5.5 million NHS contract with Microsoft, as well as to hospitals needing to plunder infrastructure funds to fill the holes left by other funding shortfalls within the service.
In light of ten years of austerity, Emily Taylor, editor of the Journal of Cyber Policy, sympathises: “You can really understand that in the midst of cuts to frontline services how difficult it must be to win arguments about things like upgrading your Microsoft licensing.”
In a perpetually underfunded health service, Taylor told SC, how can you justify upgrading hundreds of thousands of machines that appear to be working fine when you could be providing frontline care?
Looking forward, that won't be considered such a binary choice: “I think what this illustrates is that as we become more interconnected and dependent on these technologies, they are just as much part of the critical supply chain”.
It's hard to tell what kind of policy this event might produce, but Taylor cautions against the kind of overreaction which would impose encumbering, disabling and unneeded levels of security.
“Security is not there to shut you down, but it should be an enabler,” adds Taylor. Despite the shocking realisation last Friday of how vulnerable we are, she sees it as a vindication of the policy that already exists. Even with massive public sector cuts the UK has seen huge cyber-security spending. Moreover, it should be remembered that the simple steps that government bodies such as the NCSC have advised actually prevented the majority of NHS trusts from being affected by this.
On the other end of the attack, the culprits are still at large. Having raised the ire of a series of major companies and nation states, not to mention their populations, one might suspect that whoever was behind the attack would soon feel the full weight of the international community bearing down on them. Maybe not, according to Joyce Hakmeh, a legal expert at Chatham House and specialist in cyber-crime.
“At the level of Europe, the situation is good because European countries all talk to each other.” Legally speaking, there are frameworks like the Budapest Convention and achievements to point to such as Operation Avalanche in late 2016. However, the battle against cyber-crime is often little more than a bureaucratic nightmare.
Being an international vice, cyber-crime is notoriously hard to prosecute. Though there might be a great political will to properly pursue criminals, investigators often get caught up in the stubborn entanglements of sovereignty.
Here, says Hakmeh, “the situation is much more complex because you don't have a legal platform that would involve all the countries that were affected.” The global attack supposedly affected 30,000 sites in China and took aim at the Russian Interior Ministry, making both countries key stakeholders in the aftermath of this campaign. Still, those two and countries like them often remain intransigent when it comes to matters of national sovereignty.
Russian President Vladimir Putin said today that he had stepped away from signing a cyber-security agreement with the US, signalling that parts of the international community have become more divided by this shared threat.
Mechanisms such as Mutual Legal Assistance Treaties do exist, but pursuing them tends to take a long time. That fact provides poor prospects for cyber-crime investigations, where electronic evidence is volatile and agility is key; lengthy bureaucratic procedures would likely jeopardise the investigation.
There will likely be parallel and cooperating investigations involving Europol and the United States. But other major stakeholders will be running their own operations: “Russia will be doing its own thing, China will be doing its own thing but they will not be working together in a systematic way. Even if they have the willingness, they don't have the platform to do so.”
The aftermath of the attack, adds Hakmeh, “will highlight the gap that exists in the current international relations framework and possibly that will have an effect on states' willingness to do something about it but we won't see that in the near future.”
Nor will the use of publicly available vulnerabilities fade any time soon. The perpetrators' use of the NSA's Eternal Blue vulnerability vindicates much of the security industry's criticism of the vulnerability industry.
There has long been a theory that the appetite for vulnerabilities has been driven by nation states seeking to achieve their geopolitical goals. The SMB vulnerability which the Shadow Brokers harvested from the NSA, and which was in turn used to perpetrate this attack, is likely a symptom of that appetite.
Grinding this axe for a while now has been Etienne Greef, founder of Secure Data Europe: “When governments start finding vulnerabilities and use them but don't disclose them,” he told SC, “there is an asymmetry. These things will always get out every time that this happens - these vulnerabilities find their way to the end space and then they become collateral damage.”
This is certainly not the last time this will happen, added Greef: “The people behind Friday's attack used the vulnerability because it was easy; the code was there; they didn't have to do research; they didn't have to pay.”
With a working business model and increasing spam volumes “this is just the first sign of what's going to happen with ransomware”.
If there is something good to come out of the events of last week, it's that it “will cause people to start taking patching seriously: it's amazing that people can patch in a weekend what they couldn't do in three months.”
The WannaCry attack has also shot cyber-security stocks skyward, signalling a renewed level of interest from markets. Palo Alto Networks, Symantec and FireEye have all experienced a surge of market interest in the wake of Friday's events, apparently bolstered by fears of another wave as companies look to strengthen their defences.
“Every time something like this becomes something that's talked about in the mainstream news it incrementally pushes us to that point”, Mike Pittenger, head of security strategy at Black Duck told SC. It might not change how consumers act, but “this is one of those things that will cause a step change in how businesses treat this stuff.”
The problems that allowed the attack to spread so far and wide were easily preventable. Had more companies applied the patch released in March, or looked up the publicly available vulnerabilities they were exploited with, the damage this attack caused might have been mitigated. Pittenger expects security education, along with better observance of these basics, to be at the forefront of companies' minds in coming weeks.
The threat seems to have subsided for the moment. A statement released by the NCSC on 14 May read that while there may yet be undiscovered compromised machines, “since the global coordinated ransomware attack on thousands of private and public sector organisations across dozens of countries on Friday, there have been no sustained new attacks of that kind.”
Friday's events might have been preventable but “at some point we were going to hit a large scale disruptive attack”, Rob Holmes, VP of products at Proofpoint told SC.
The notable thing about this, suggests Holmes, is that even with the damage that it caused, the attack did not appear to be targeted or even all that sophisticated. “Seriously sophisticated cyber-criminals wouldn't have a marked kill switch in it”, said Holmes, and it wouldn't reference an unregistered domain either. If that can exploit systems in 150 countries, one might wonder what somebody who really meant to do damage could do.
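Because the malware checked an unregistered domain before running, any host on which it executed left a trace in the organisation's DNS resolver logs. The script below, an added example that is not part of the article or any product mentioned in it, mines a constructed resolver log for clients that looked up the kill-switch domain and reports when each was first seen. The domain name used here is a placeholder (the article does not name the real one), and the four-column log format is an assumption made for the example.

```python
import re

# Constructed sample resolver log (not real data). Assumed format:
# "<ISO-8601 timestamp> <client-ip> <query-name> <query-type>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:02:11Z 10.20.1.15 update.example-vendor.internal A
2017-05-12T10:02:14Z 10.20.1.15 killswitch-placeholder.invalid A
2017-05-12T10:02:20Z 10.20.3.7 mail.example.org MX
2017-05-12T10:03:02Z 10.20.1.15 killswitch-placeholder.invalid A
2017-05-12T10:05:47Z 10.20.4.22 killswitch-placeholder.invalid. A
this line is malformed and must be skipped by the parser
2017-05-12T10:06:00Z 10.20.3.7 intranet.example.org A
"""

# Placeholder for the real kill-switch domain; a defender would substitute
# the indicator published by their national CERT or vendor.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.invalid"}

# timestamp, dotted-quad client address, query name, query type
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+([A-Z]+)$")


def parse_dns_log(text):
    """Yield (timestamp, client_ip, qname, qtype) tuples, skipping malformed lines.

    Query names are lower-cased and stripped of a trailing dot so that
    'Example.COM.' and 'example.com' match the same indicator.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, qname, qtype = m.groups()
            yield ts, ip, qname.lower().rstrip("."), qtype


def find_kill_switch_lookups(text, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: {"first_seen": ts, "count": n}} for every client that
    queried one of the kill-switch domains.

    Each such client is a host on which the malware executed and should be
    isolated and examined, even though the kill switch halted the payload.
    """
    hits = {}
    for ts, ip, qname, _ in parse_dns_log(text):
        if qname in domains:
            entry = hits.setdefault(ip, {"first_seen": ts, "count": 0})
            entry["count"] += 1
            # ISO-8601 UTC timestamps sort correctly as strings
            if ts < entry["first_seen"]:
                entry["first_seen"] = ts
    return hits


if __name__ == "__main__":
    for ip, info in sorted(find_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {info['count']} lookup(s), first seen {info['first_seen']}")
```

On the sample above the script reports two clients, one of which queried the domain twice; the trailing-dot form on the third hit is normalised so it is not missed. Against a real resolver log the same routine gives an incident responder a first list of machines to pull off the network and image, which is the point Holmes makes: the kill switch stopped the damage, not the infection.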
“You've got to strike the right balance of not being alarmist, because that doesn't help”, added Holmes, but without raising enough hype “people are going to be going about as they've done for decades and not paying enough attention to this major problem.”
Ransomware, of which we see new variants every day, is not going away anytime soon. In the short term, Holmes hopes “that there aren't any other vulnerabilities that could be exploited and propagated so quickly and that we've patched our systems so that WannaCry is put to bed.” The problem is still there, Holmes assured SC.
Emily Taylor was in Madrid on Friday, at the ICANN DNS symposium. Amid people disappearing and a hum of unexpected activity, many of the symposium's attendees were trying to aid the defenders on the other side of this attack. It's something that often escapes notice, says Taylor: “One of the things that is really heartening about the community of engineers and network people is how they do talk together and everyone that could contribute was trying to contribute in their own way.”