Let the Finger-Pointing Begin!

In the nervous aftermath of the most extensive ransomware attack to date, the assignment of blame is already beginning. CNet reports that in a rather obvious attempt at pre-emption Microsoft’s chief counsel is calling the attack a “wakeup call”:

Microsoft is criticizing government agencies for hoarding software flaws and keeping them secret, calling a massive, new ransomware attack a “wake-up call” to the problem.

Brad Smith, Microsoft’s chief counsel, said Sunday in a company blog post that by keeping the vulnerabilities secret from vendors, governments open up users to attacks like Friday’s WannaCry hack in which malware locked down computers worldwide while demanding hefty sums for freedom. He also compared WikiLeaks’ release of US spy agencies hacking tools earlier this year to a theft of weapons from the US military.

“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action,” he said.

“The governments of the world should treat this attack as a wake-up call. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

That’s almost a perfect example what I call a “reverse Voltaire”. I agree with what he says but I don’t think he’s in any position to say it. The personal computing monoculture created by Microsoft is one of the main sources of today’s tremendous vulnerability. I also feel the need to point out that cyber-security is almost the diametric opposite of physical security. The advantage is almost completely on the side of the attacker.

So, what are the takeaways from the WannaCry attacks? The first few that occur to me are:

  1. Very few companies are capable of maintaining a serious security policy.
  2. Neither is the federal government.
  3. The only real solution is active measures.
  4. That would require a complete change in attitude on the part of the federal government.

Consequently, I expect things to get much, much worse but they become even a little better. If ever.

8 comments… add one
  • Andy

    Heard on NPR this morning that a lot of Chinese computers are affected because they use so many pirated copies of Windows and therefore they don’t get security updates.

  • Which highlights why China should just be cut off from the Internet. They aren’t good global citizens, don’t live up to their international agreements, most hacking attacks emanate from China with at least tacit support of the Chinese government, Chinese misuse eats up an enormous proportion of total global bandwidth, etc.

    The tolerability of free riders is contingent on cost which is dependent on size. China is too big to be as poorly behaved as it is.

  • TastyBits

    This is why Apple did not want to allow a backdoor in the iPhone. Creating more vulnerabilities does not make anybody safer, and it has now been proven that the government’s most secure agencies cannot protect any backdoors created for them.

    Security is inconvenient. There is no way to have an open system and keep the bad guys out at the same time.

  • steve

    Boy genius says computer security and Microsoft should not be used in the same sentence.

    Steve

  • bob sykes

    I think the real point is the inability of our intelligence agencies to keep their secrets. How deeply they have been infiltrated and compromised should be a major investigation.

  • Quis custodiet ipsos custodes?

  • Andy

    I heard this morning that Microsoft patched this vulnerability back in March. Hopefully this will be a wake-up call to all the people who decide, for whatever reason, to turn the auto-update feature off.

  • I suspect that a lot of those being attacked are using obsolete or pirated copies of Windows or cannot update for one reason or another.

Leave a Comment