On the weekend of May 12, 2017, news broke that a highly effective "WannaCry" hacking attack had infected thousands of computers in over 150 countries. Also known as WannaCrypt and WannaCryptor, the attack should serve as a global reality check about the dangers and threat of cyber attacks.
Some saw the WannaCry attack coming. In April, a hacker group called Shadow Brokers hacked into the NSA and disclosed a list of older Windows OS vulnerabilities on GitHub. The National Security Agency had been collecting a list of vulnerabilities for Windows systems — though the NSA is tight-lipped on why they were collecting vulnerabilities, it's been speculated it was for offensive attacks on other computers. An unknown ransomware group got ahold of the information and used the data for the attack earlier this month.
The WannaCry malware infects a computer and encrypts all of the data on the hard drive and even on external drives connected to the computer. It searches for and encrypts 176 different file types, so if your music file has an extension of .mp3 it will turn into .WCRY, for example. When users try to access encrypted files, a screen pops up demanding money, in the form of bitcoins, in order to decrypt the data. Ransom demands increase according to how long users wait to pay up.
Nearly 98 percent of the computers infected in the May attack were running some version of Windows 7; fewer than a thousand ran Windows XP, and some were using Microsoft's 2008 R2 Server. Major businesses such as FedEx, Renault, and the UK’s National Health Service fell victim to the attack, too. If it weren't for a 22-year-old British computer scientist discovering a kill switch that was put in by the malware developers, this recent attack could have been even more catastrophic.
Before the September 11th attacks, the job of a contingency planner or a disaster recovery manager carried little weight and remained a relatively obscure position in the corporate world. I was working for Time Warner Telecom as a Contingency Planning Manager in relative obscurity before the 9/11 attack. But in the wake of the attack, more emphasis was put on protecting assets and continuing income flow without interruption. My budget increased, and I was given every means necessary to ensure the company's disaster plans were up to date and compliant with industry best practices. Surely the same can be said for my counterparts across the country and the rest of the world. The WannaCry attack may not be the digital equivalent of a 9/11 attack, but it gives the world an excellent opportunity to focus even more on cyber security and defense at the corporate and national levels once again.
It's worth noting that this cyber attack, though large in scale, could have been avoided very easily. We are two operating systems removed from Windows 7, yet large corporations and businesses were still using it. Not only that, the victims seemingly weren't updating their systems regularly. It’s difficult for me to understand why a huge company like FedEx or Germany’s National Railway could leave itself so vulnerable, especially when it has the means to mitigate security issues. IT personnel may lose their jobs for this oversight if they haven't already.
With far-reaching attacks like WannaCry, smaller companies with little or no money to maintain modern hardware and software can be hit even harder. Some don’t have computer-literate staff to make sure holes in security systems are patched, or who are even able to perform basic maintenance tasks. And anyone using "bootleg" copies of Windows operating systems can’t receive patches from Microsoft (you can’t install patches on illegal software), leaving users in China and Russia feeling the effects of attacks with few to no options to mitigate.
Our lives are controlled by computers in one way or another, so attacks like WannaCry affect everyone, and the next could be even worse. The entire world needs to be smarter about cyber security because of this rising threat, with knowledge about anti-virus and anti-malware software, and how to spot vulnerabilities and patch security flaws. Rhetoric, books and well-meaning advertisements could not have come up with a more effective awareness message.
We can all take a deep breath and feel lucky that the WannaCry attack wasn't worse. No advertising campaign could have ever brought as much awareness about the importance of cybersecurity as the attack itself. Now that we’ve been warned, from the personal to the national level, we all need to take advantage of the opportunity to protect ourselves from the next one.