Ransomware Attack May Spur Government Policy Review, Factor Into EO Implementation
The worldwide WannaCry ransomware attack, which affected hundreds of thousands of computers in about 150 countries, gave new urgency to the question of how to address the spread of malware. It will reinforce discussions about basic cyberhygiene practices, user education and automatic security software updates, experts told us. They added that WannaCry will likely just reinforce the existing direction of U.S. government policymaking on cybersecurity issues.
"WannaCry has infected more than 200,000 computers," Kaspersky Lab said in a Monday blog post, mostly in Russia but also in Ukraine, India and Taiwan, among the countries hit. "The sheer number of infections is a big part of the reason it has drawn so much attention." Kaspersky and other security firms said WannaCry took advantage of a Windows exploit called "EternalBlue," for which Microsoft had issued a patch two months earlier. The malware first infects a machine and propagates to others, then encrypts files and holds them for ransom.
Security firms and news reports said the Shadow Brokers hacker group stole the exploit from NSA -- which didn't comment -- and released it last month. The U.S. government uses the vulnerabilities equities process (VEP) to determine whether it should disclose information to the developer about a vulnerability so it can issue a fix or withhold it for its own purposes. Privacy and security organizations said the flawed process needs to change.
The U.S. so far seemed to have fared better against WannaCry than many other countries, though federal officials said the attack was ongoing and the ransomware could continue to morph. No federal agencies’ systems were infected and only FedEx and a “very small” number of private sector U.S. entities were affected, White House Homeland Security Adviser Tom Bossert said. The White House’s Cyber Response Group and the National Security Council have been actively monitoring the situation since Friday and are “working side by side” with the private sector, Bossert told reporters.
WannaCry’s global reach is likely to accelerate the federal government’s ongoing push to address “systemwide” cyber challenges that “aren’t solvable by one particular entity or set of stakeholders,” said Wilkinson Barker cybersecurity lawyer Clete Johnson. There’s likely to be an increased focus on ransomware as a “particularized challenge,” but “this is something that’s long been on the government’s radar,” he said. “There was already a lot of urgency among key players in this ecosystem and there’s no doubt that urgency will increase,” but “nobody’s sitting on their laurels.”
The U.S. has “seen less of an impact” partly because the federal government placed “emphasis in the last few years on the fundamentals of cybersecurity,” something governments in Europe and elsewhere didn't stress as much, said Internet Security Alliance President Larry Clinton. The U.S. has “been more proactive” about using public-private partnerships to address overarching cybersecurity issues, he said. That work centered on protecting critical infrastructure entities’ cybersecurity at the expense of addressing the sort of cybercrime activities that WannaCry typifies, Clinton said. The extent of WannaCry’s reach may prompt the federal government to more effectively balance cyber priorities, he said.
EO Fallout
Agencies may feel obligated to prominently highlight any existing cyber protections in their IT systems against ransomware as part of their response to President Donald Trump’s recent cybersecurity executive order, said Venable telecom and cybersecurity lawyer Jamie Barnett. Trump’s EO, signed Thursday, in part directs the Office of Management and Budget and the Department of Homeland Security to assess all federal agencies' cybersecurity risks (see 1705110058).
“I suspect we’ll hear” about mitigating ransomware risks in the White House push for modernizing federal agencies’ IT systems, particularly where federal systems are using defunct operating systems that are no longer being patched to address the sorts of vulnerabilities that WannaCry exploited, Barnett said.
The Republican chairs of four House Commerce subcommittees said jointly they’re monitoring the attack closely and are in touch with agencies and experts. “We understand the gravity of the situation as this infection has affected businesses, hospitals, and universities across the globe and poses a significant risk to consumer safety, privacy, and data security,” said Oversight and Investigations Subcommittee Chairman Tim Murphy, R-Pa.; Communications and Technology Subcommittee Chairman Marsha Blackburn, R-Tenn.; Health Subcommittee Chairman Michael Burgess, R-Texas; and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta, R-Ohio.
A ransomware emphasis won’t fit into all aspects of Trump’s EO, but “it wouldn’t surprise me if agencies feel obliged” to explicitly address the issue “in various and sundry ways,” said Wiley Rein telecom and cybersecurity lawyer Megan Brown. She cited language in the EO directing DHS and the Department of Commerce to explore ways to “promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by” botnets.
Microsoft Chief Legal Officer Brad Smith said in a Sunday blog post that the attack shows cybersecurity is a shared responsibility between companies and customers, since so many computers remained at risk after the patch was released. "There is simply no way for customers to protect themselves against threats unless they update their systems," he wrote. "Otherwise they’re literally fighting the problems of the present with tools from the past." He argued that agencies such as the CIA and NSA shouldn't stockpile vulnerabilities and that the attack should be a "wake-up call."
Users to Blame?
Luke Beals, health IT firm CNSI's senior director-cybersecurity, said U.S. institutions may have been better prepared because many were hit by ransomware attacks last year, while federal agencies and state and local governments had moved to Windows 10, which wasn't vulnerable. He said the bigger concern is why it's difficult for organizations to keep systems and software current. "The versions of Windows susceptible to this attack are all at least three generations old and, in theory, two months should be plenty of time to apply a patch for a critical vulnerability," he said. "There are still real, and expensive barriers that organizations have to break through before we’re going to see the tide reverse."
The VEP needs to be updated and codified in legislation, but the WannaCry attack wasn't a failure of that process and is a bit of a "red herring," said Ryan Hagemann, Niskanen Center director-technology policy. "The real failure here is where the failure for most cybersecurity attacks and breaches occurs: with the end user. Had users updated at the time, their systems would not have been vulnerable to this attack." He was surprised by the number of companies and foreign governments that were attacked, since critical security updates like Microsoft's "are hardly a burden to implement."
Ross Schulman, co-director of the Cybersecurity Initiative and senior policy counsel at New America's Open Technology Institute, said VEP should be strengthened and codified, and its relevance in this attack is "a bit tangential. Even if the vulnerability that was used had been turned over to Microsoft, it is far from obvious that ... we would be in better shape." He said users should always install updates when available, but that "older equipment may have entire operating systems contained within that can't be upgraded and are too expensive to replace."
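The three comments above (Beals, Hagemann and Schulman) all turn on the same practical question: is a given Windows host still exposed to the EternalBlue exploit, either because the Microsoft update is missing or because the host cannot take it? The following PowerShell check is an added example written for this page; it is not code from the article or from any of the people quoted. It relies on the fact that EternalBlue targeted the SMBv1 service and that Microsoft's fix shipped as security bulletin MS17-010; it assumes Windows PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later, run as an administrator, and the `$PatchKb` value is a placeholder to be replaced with the MS17-010 update identifier for the host's particular OS build.

```powershell
# Added defender-side exposure check, not part of the article.
# Assumptions: Windows 8.1 / Server 2012 R2 or later (Get-SmbServerConfiguration is
# available), run as administrator; MS17-010 is the Microsoft fix for the SMBv1 flaw
# that EternalBlue exploited; $PatchKb is a placeholder, not a real update identifier.
param(
    [string]$PatchKb = 'KB0000000'   # placeholder: substitute the MS17-010 KB for this OS build
)

function Get-EternalBlueExposure {
    param([string]$Kb)

    # SMBv1 server-side setting. EternalBlue targeted SMBv1, so a host with the
    # protocol disabled is not reachable by that exploit even if it is unpatched.
    $smb = Get-SmbServerConfiguration
    $smb1Enabled = [bool]$smb.EnableSMB1Protocol

    # Installed updates, from the same list Windows Update maintains.
    $patched = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $Kb })

    # OS caption and version, to flag the older, no-longer-serviced builds the
    # article describes as the ones that were hit.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = "$($os.Caption) ($($os.Version))"
        SMB1Enabled  = $smb1Enabled
        PatchPresent = $patched
        Exposed      = ($smb1Enabled -and -not $patched)
    }
}

$report = Get-EternalBlueExposure -Kb $PatchKb
$report | Format-List

if ($report.Exposed) {
    Write-Warning "SMBv1 is enabled and $PatchKb is absent: apply the update, or disable SMBv1 with:"
    Write-Warning "  Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
}
```

Run it on each host in an inventory and collect the objects it returns. For machines in the category Schulman describes, equipment whose embedded operating system cannot be upgraded, the `Exposed` result is the signal to apply a compensating control instead: disable SMBv1 as the warning suggests, or block SMB (TCP port 445) to that segment at the network boundary, since the patch itself is not an option there.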
"Stopping threats like this isn’t going to get easier," Beals said. "Each new landmark cybersecurity event tends to pave the way for a new, more perilous, norm. We’re going to see more major attacks like this, guaranteed."