With the possible exception of someone just back from an extended vacation on the planet Mars, everyone knows that cyberattacks are bad and getting worse. The nature of attacks is also changing, with increasing use of true “cyberweapons”, typically dangerous malware based on extremely sophisticated “exploits” that target vulnerabilities in software. Old fashioned fishing scams and single organization data breaches by hacker teams are, of course, still around, but large scale, exploit based cyberattacks – sometimes bordering on cyberwarfare – are what we have to face up to now.
Cyberattacks are becoming more dangerous
Consider the example of the Wannacry ransomware attack that – in the space of a single day, May 12, 2017 – hit organizations in countries worldwide (mostly in Russia and Ukraine, but also the NHS in the UK, Renault in France and FedEx in the US), encrypting the files of tens of thousands of computers.
Without getting into the details of malware architecture, the Wannacry “payload” is a curious animal: a combination of highly sophisticated “exploit” code (that targets an old vulnerability in a previous version of the Windows SMB protocol) together with amateur-level ransomware code. As it turns out, the exploit used in the WannaCry attacks — EternalBlue — was just one of the exploits stolen from the NSA and included in the April 14, 2017 Shadow Brokers leak. As one of our sources put it: “Wannacry is like the motor of a Ferari dropped into a 1970’s Russian Lada”.
While Microsoft did diffuse a patch for the SMB vulnerability on March 14th – one month before the Shadow Brokers leak and two months before the actual attack – patch management in companies is often a lengthy process and many organizations were still unprotected. Fortunately, Wannacry was stopped after several days (more or less by accident, but we’ll skip the details) when a researcher discovered and activated a “kill switch”. Since actual damage was less than expected, some specialists started saying in June that the whole thing had simply been overblown.
Then on June 26, NotPetya – a more virulent first cousin of Wannacry – hit Europe, attacking major companies such as Saint Gobain, Maersk, WPP and many others. It used not just EternalBlue, but also several other exploits from the NSA leak. While “dressed up” as ransomware, the objective of NotPetya was not to obtain ransoms but simply to wreak destruction. According to the Director of ANSSI, the French cybersecurity agency, NotPetya left some enterprises in a “catastrophic state.”
Unfortunately, over the coming years, cyberattacks will – in all probability – get considerably worse. The inevitable development of the IoT – everything from smart grids and cities to connected consumer products and medical devices, not to mention Industry 4.0) – will require lots of new software, presumably with a goodly number of exploitable vulnerabilities.
Brad Smith blames the NSA
In a much remarked blog shortly after the Wannacry attack, the entirely admirable General Counsel and President of Microsoft essentially put the blame on government hoarding of vulnerabilities. According to Brad Smith: “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage…. This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
A Digital Geneva Convention ?
The NSA says that it discloses 9 out of 10 vulnerabilities that it discovers or acquires to the software editor. Since most vulnerabilities are not useful candidates for exploits, this claim may be true but is essentially meaningless. In any case, vulnerabilities hoarding is not just a US issue – it’s an international problem. Governments in advanced countries have conflicting duties: keeping people and companies safe via disclosure of vulnerabilities AND developing credible offensive and defensive capabilities for the possibility of cyberwarfare.
In February of this year, Microsoft called for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. While Microsoft’s proposal is still a “work in progress”, the initiative has the merit of being both serious and timely. Pessimists will (of course) say that it will never work. Those who are cautiously optimistic will reply: given everything that is at stake, it’s worth giving it a try !