Yet another major cyber extortion campaign recently wrecked computer networks all over the world – and we need to start thinking about cyber safety more comprehensively and include users in solving the problem. This effort must begin with an assessment of user risk, not just technical risk – because all signs indicate that there is still worse to come.
This latest attack is a metastasized version of WannaCry, the ransomware attack that within a few days in May ripped through over 3 million computers in 150 countries and spread faster than most highly contagious diseases ever have. Ransomware is a class of malware that encrypts all the files on a computer, letting go of them only when a ransom is paid to the hacker who has the encryption key. This new attack has already hurt major organizations in Russia, Europe, Asia and North America. Thankfully, its spread also appears to have stalled, partly because many users have already installed software patches after WannaCry.
Every major cyberattack in recent years has led to even bigger attacks because hackers learn and evolve. The Sony Pictures email breach was followed by the Ashley Madison leak of user credentials, which eventually spurred the theft of more than 1 billion usernames at Yahoo. Likewise, last October, we saw the record-setting distributed denial-of-service attack that hijacked thousands of Internet-of-Things (IoT) devices – everything from Internet-enabled home cameras and DVRs to baby monitors – and targeted the Internet’s leading directory service provider Dyn, making large parts of the Internet inaccessible all over the world. This pattern is a likely reason that ransomware attacks, which for most of 2016 targeted individual organizations, are now turning into distributed global attacks that spread from organization to organization.
In addition, hacking is becoming a more readily available and easily deployed weapon. Hackers are in high demand; some even work for nation-states with deep pockets. As a result, the malware being developed and offered for rent has become even more sophisticated. Exacerbating this problem is the fact that hackers are also co-opting enormously capable tools developed by the NSA and CIA, which are available on the dark web.
Ultimately, we have yet to make a dent in tackling the single biggest problem in cybersecurity: users. From not installing software patches or conducting routine updates to clicking on malicious hyperlinks and attachments in spear-phishing emails, and using weak passwords on devices, regular people – all of us computer users – continue to be the conduits for most cyberattacks.
And so far, the only proactive approach against this continues to be security awareness training, which people usually only get when they’re affiliated with larger organizations. Not only does this leave everyone else, from small businesses to senior citizens, vulnerable, but all signs also point to a limited impact of such training even within big organizations.
As a case in point, a team at the technology website Gizmodo recently sent an obviously fake spear-phishing email to 15 people associated with the Trump administration. According to Gizmodo, more than half the targeted individuals clicked on the hyperlink in the email, with former FBI Director James Comey and Donald Trump adviser Newt Gingrich even responding to the email. Keep in mind that hackers need just one errant user to inadvertently click on a spear-phishing email or leave a computer unpatched to start a cyberpandemic.
In spite of this staggering vulnerability, almost all policymaking ignores end-users and abandons the opportunity to transform users from conduits into a defense mechanism against cyberattacks.
Take President Trump’s Executive Order on Cybersecurity that was released last month. The order continues many of the Obama-era policies and creates accountability by holding the heads of federal agencies responsible for breaches, enforces discipline by mandating adherence to the National Institute of Standards and Technology, or NIST, cybersafety framework, and requires that all federal agencies provide a risk assessment report detailing their cybersecurity readiness.
But nowhere is there any mention of end-users, the single biggest risk to cybersecurity. Ignoring the end-user is akin to putting better locks on a safe while forgetting the many people who hold its keys. In other words, it is a huge problem.
One potential solution is for the federal government to task NIST, which is currently focused on technical risk, with building a user cyber risk assessment framework that takes into account how people work, what devices they use, and their thoughts, habits and online behaviors. This will not only help us understand the weaknesses among users, but it will also help us accurately assess risk and build safeguards.
We also need to start a nationwide campaign to inform and educate everyone, from homemakers to high school students, about cyber risks. With malware capable of being carried into the workplace from shared computers and even from travelers using free Wi-Fi terminals, it is imperative that everyone be secure. Such a campaign requires federal and state funding and local support aimed at empowering users to develop good cyber hygiene. This includes teaching people how to be safe online, how to use online privacy protection tools, and how to monitor, detect and report cyberattacks.
Finally, we have to better engage users in reporting attacks. In 2014, I called for a centralized cyberbreach reporting system, much like the 911 emergency system we already have. Such a system is all the more important now with ransomware-type attacks, because it can serve as a point of contact for desperate victims who have merely hours to comply or face losing all their data. Additionally, with attacks spreading like contagions, having incoming reports helps law enforcement track them and could serve as an early warning system to caution others to take steps. But this again requires federal, state and local government to recognize the need for enlisting and protecting people.
WannaCry was only stopped because a vigilant researcher discovered a critical weakness in its code. The current attack, at least for now, has also stalled because the email account used by the hackers to manage their ransom demands was blocked by the email provider. But it’s almost certain that a hacker somewhere is already developing a workaround. The next attack will surely be bigger, bolder and more consequential. And the next time we might not be so lucky.