When National Security Turns Against You
Opinion originally published by Korea Times
Last Friday a ransomware virus named WannaCry began spreading across the Internet. By Sunday, it had infected computers in an estimated 150 countries, including Korea. Victims included hospitals and the UK’s National Health Service.
Once a computer is infected with ransomware, the virus locks (encrypts) data on that computer. For a home user, ransomware may encrypt family pictures, videos and Word documents: data with huge sentimental value. For companies, this could be trade secrets. For hospitals, this could be things like patient data, finances, surgery schedules and blood work results. After the data is encrypted, the ransomware asks for payment to unlock the files in Bitcoin, a difficult-to-trace digital currency.
The first version of WannaCry was somewhat mitigated by malware researchers. However, it is very likely that a new version of WannaCry will be released early this week. Make sure you have the latest Windows updates for all of your systems.
WannaCry has so far raised only about $30,000 USD, and has likely caused millions of dollars' worth of damage. While $30,000 may seem like a lot of money, the attack is very ineffective. When the criminals are caught, they will likely go to prison for a long time, and they will not even have gotten rich in the process.
More interesting than the money is how the ransomware moves from one computer to another. There are two methods. First, an infected file is sent in an email. When the file is opened, the virus runs. This is normal social engineering. The second method of attack uses an exploit called EternalBlue that was developed by the US National Security Agency (NSA). NSA hacking tools were leaked online last April. Microsoft issued a patch for the vulnerability (MS17-010) last March, but many systems were still not patched.
Many countries (including Korea) are developing cyberwarfare capabilities, and these capabilities are usually heavily focused on vulnerability detection and exploitation: basically, finding flaws in software and using these flaws against other countries for intelligence or other purposes.
From a national security perspective, this may make sense. But as the WannaCry ransomware shows us, the efforts of governments to exploit software instead of helping to fix it can also have extremely negative consequences for national security.
There have been calls for a Digital Geneva Convention [1] that would help change the responsibilities of technology companies and governments. Such a convention will probably be a priority in the future. For now, however, governments should evaluate their cyber-weapon development programs, and ask if they want these weapons to be used against their own citizens. Governments would do much better to help secure critical systems than to exploit them.