The ‘WannaCry’ wake-up call

A massive cyberattack, the largest in history, occurred last week. The assault infected computer networks around the world, its perpetrators unknown and its purpose uncertain, although it may have been nothing more than an attempt to extract money from its victims. By the weekend, the incident appears to have been contained, although experts warn that the next attack is likely to have already been launched, its targets infiltrated and it is only awaiting commands to begin.

Last week’s attack involved ransomware, malicious code that is introduced into computers and upon a signal encrypts files on the machine until payment is made, typically to an anonymous bitcoin account. If the ransom is not paid, the files are destroyed. In this case, the ransom was relatively small, $300 at first, but the amount doubled if payment was not made immediately.

This attack used malware called “WannaCry” (sometimes called Wcry), and it infected more than 100,000 computers in over 150 countries, ranging from Brazil to Ukraine; no part of the world was untouched. Among the hardest hit countries were Ukraine and Russia, which reported over 1,000 computers infected in its Interior Ministry. Victims ranged from the mundane — a Norwegian soccer club lost its ticket-selling website — to the essential: The British National Health System lost use of digital services throughout many of its hospitals, slowing routine procedures like processing payments and imperiling patients by locking out access to records. Chinese secondary schools and universities were affected, manufacturing facilities in France and Slovenia were forced to shut down, parts of the FedEx computer network were impacted, as were networks in Brazil’s national petrochemical country as well as its court system and foreign ministry.

In Japan, there have been no reports of large-scale attack, although police said Sunday they have confirmed that two personal computers — one used in a hospital and the other by an individual — have been affected. Production at a Nissan Motor car plant in Britain was reportedly shut down temporarily due to an attack. On Monday, Hitachi said an attack using the same type of ransomware caused a problem in its in-house system that hampered email communications, while the municipal government of Osaka said it was looking into the possibility of such an attack after its website was rendered inaccessible.

The attack is another of the all-too-frequent reminders of the need for greater vigilance among users when it comes to cybersecurity. The hack exploited a flaw in Microsoft Windows, a system that is used throughout the world on all sorts of computers, both personal and in very large businesses and institutions. There are no reports that the infiltration affected critical infrastructure networks, such as dams, nuclear power systems or transport systems, but there is little reason to believe that those systems enjoy special protection.

The provenance of WannaCry raises another important issue. Experts say the malware exploits a flaw in Microsoft software that was identified by the U.S. National Security Agency (NSA) and was used by the organization to hack the computers of adversaries. That exploit, along with a cache of others, was given to Wikileaks by a group called Shadow Brokers, an organization of unknown purpose and origin, and Wikileaks released them to the public.

WannaCry uses a “zero-day exploit,” a flaw in software that the vendor does not know about. In theory, when outsiders find these problems they notify the maker to get them fixed; instead, in some cases they are used to penetrate a computer for criminal or intelligence purposes, as the NSA did. It can be argued that intelligence agencies should acquire information by whatever means possible (and legal), but there is invariably the danger that the tools it uses will not remain proprietary, and that they will be leaked and used and misused by others, as happened here.

In fact, Microsoft released a patch for the WannaCry exploit in March when it was published on Wikileaks. As news of this attack spread, Microsoft reminded users that that the security update would protect against this attack, that it had added new detection and protection safeguards and it was working to assist users that ran software that was no longer usually subject to such updates. In other words, routine maintenance would have been enough to defeat this attack.

But the larger questions surrounding cyber security persist. The deepening integration of information technologies into all facets of daily life has created dangerous vulnerabilities. It may seem burdensome or inconvenient to pay attention to every security announcement from every IT manufacturer, especially as those technologies spread. But it is the responsibility of all stakeholders — governments, businesses, vendors and individual citizens — to be alert to the possibilities created by growing reliance on technology and take steps to protect themselves and others. WannaCry is only the latest reminder of the impact of the failure to do so; more will follow.