Ransomware hacks and the downside of upgrades

May 15, 2017

Repercussions of Friday’s malware attacks are continuing. Elizabeth Dwoskin and Karla Adam report in The Washington Post that as of Sunday morning, more than 200,000 people in more than 150 countries have been affected. They quote Europol spokesman Jan Op Gen Oorth as saying “…many workers left their computer turned on last Friday and will probably find out that they are also affected by the malware on Monday morning.” The Guardian reports Monday morning that hundreds of thousands of Chinese computers at 30,000 institutions have been affected by the attack.

The malware hit Britain’s National Health Service particularly hard. Dwoskin and Adam quote a Downing Street spokesman as saying Saturday that the British government has not paid any ransom, and Amber Rudd, Britain’s home secretary, advised against others paying ransom.

The attack made use of a software security flaw found by the National Security Agency that was leaked. Microsoft had reportedly patched the bug in March before the leak, but systems that were not updated remained vulnerable.

IDC last October estimated that worldwide revenues for security-related hardware, software, and services were $73.7 billion in 2016 and would grow to $101.6 billion in 2020, representing a CAGR of 8.3%—more than twice the rate of overall IT spending growth.

“Today’s security climate is such that enterprises fear becoming victims of the next major cyberattack or cyber extortion,” said Sean Pike, program vice president, Security Products. “As a result, security has become heavily scrutinized by boards of directors demanding that security budgets are used wisely and solutions operate at peak efficiency.”

Zeynep Tufekci in The New York Times takes a look at why so many computers were vulnerable. It’s easy to criticize individuals and organizations that failed to install Microsoft’s update, but as Tufekci points out, it’s not that simple.

Sure, Britain’s National Health Service should have purchased long-term support for its Windows XP systems. And indeed, IDC estimates that the healthcare industry will see the fastest growth in security investments—at a CAGR of 10.3%.

Nevertheless, Tufekci writes, “Upgrades come with many downsides that make people reluctant to install them.” They raise privacy concerns and often come with unwanted features.

Further, upgrades in a medical environment raise issues of recertification. Tufekci writes, “The machines can (as they should) last for decades; that the software should just expire and junk everything every 10 years is not a workable solution.”

And as Dwoskin and Adam in the Post put it, “Health-care organizations in the United States are also subject to additional regulations, which constrain their ability to do updates. Many updates require systems to go dark for some period of time, and many hospitals are not allowed to put critical systems out of use.”

Further, upgrades can introduce new bugs. Jeremy Wagstaff and Jim Finkle at Reuters quote Marin Ivezic, cybersecurity partner at PwC, as saying the ransomware has prompted some clients to abandon their usual testing of patches “…to do unscheduled downtime and urgent patching, which is causing some inconvenience.”

To minimize the possibility of adverse effects of upgrades, Tufekci recommends, “Security updates should only update security, and everything else should be optional and unbundled.”

Tufekci also warns of the threat of the IoT, with inherently insecure devices often lacking a mechanism for receiving updates. “In the current regulatory environment, the people who write the insecure software and the companies who sold the ‘things’ bear no liability.”

Tufekci notes that software evolves through the layering of new code on old, likening the result to the construction of entire cities upon crumbling swamps. “And we live on the fault lines where more earthquakes are inevitable,” she says. “All the key actors have to work together, and fast.”

She suggests first that software companies discard the idea that they can abandon people using older software—“The money they made from these customers hasn’t expired; neither has their responsibility to fix defects.” She likens the companies’ stance of “pay extra money to us or we will withhold critical security updates” to its own form of ransomware.

Governments have a role to play as well. “It is past time the NSA shifted to a defensive posture and the United States government focused on protecting its citizens and companies from malware, hacking, and ransomware—rather than focusing so much on spying,” she writes. She recommends that the NSA not only disclose the vulnerabilities it finds but also help develop standards for higher security.

Tufekci concludes, “It is time to consider whether the current regulatory setup, which allows all software vendors to externalize the costs of all defects and problems to their customers with zero liability, needs re-examination.”

About the Author

Rick Nelson | Contributing Editor

Rick is currently Contributing Technical Editor. He was Executive Editor for EE in 2011-2018. Previously he served on several publications, including EDN and Vision Systems Design, and has received awards for signed editorials from the American Society of Business Publication Editors. He began as a design engineer at General Electric and Litton Industries and earned a BSEE degree from Penn State.
