Global ransomware attack: Who is to be blamed?

By Udayani Shanmugavel 

The ransomware attack WannaCry recently that locked more than 200,000 computers in over 150 countries has given rise to inevitable questions about the security measures taken by organisations to protect the information they hold. In an era where information is a strategic resource, any compromise on system security can be disastrous.

It has been reported that this ransom demanding software has attacked the computers with Windows XP system. Microsoft’s operating systems are run on about 80% of computers globally. This March, Microsoft released a patch to fix vulnerabilities in its operating systems. Shortly after that, a group called Shadow Brokers released hacking tools that took advantage of vulnerabilities that had already been fixed in these patches. 

Shadow Brokers had acquired tools the US National security Agency (NSA) had used to break into computers. Realising these tools were stolen, the NSA had warned Microsoft so they can fix the vulnerabilities. Microsoft’s hit US NSA’s ‘stockpiling’ of cyber weapons hinting a warning to the governments all over the world who develop tools to break into computers quoting, “The governments of the world should treat this attack as a wake-up call.”

Users were protected if they had applied the patches that were released, but with a catch: if the computer still used an older Microsoft OS, it did not receive this patch unless it paid for an expensive “custom” support agreement, though after the attack they released the patch for free.

But by that time, the State-funded National Health Service (NHS) in Britain, a provider of healthcare to over 50 million people, whose systems with older version of Windows were one of the worst affected. The hospitals in Britain were crippled – forcing the rerouting of ambulances, delays in surgeries and the shutdown of diagnostic equipment.

Further it was reported that telecommunication companies in Spain, FedEx in the US, the Russian Interior Ministry, Chinese Universities, Renault the European automaker and many other institutions around the world have fallen victim to this. Affected computers displayed an ominous message asking for about $300 worth bitcoin – a cryptocurrency where hard-to-trace transactions can be made.

The attack was halted temporarily by a British techie who fortunately found the kill switch which he managed to activate. Europol warns that this attack is far from over as its vulnerability still lives in unpatched systems and the next one may not have a convenient switch.

It is inevitable that software will have bugs and there are ways to make operating systems more secure. It has become clear that there were many institutions that could have patched or upgraded their system, but they chose not to. The major reason is that upgrades come bundled with unwanted features such as hard to adapt user interfaces and target advertisements that make people reluctant to install them. 

Most software is sold with “as is” license, meaning the company is not legally liable for any issues with it. This makes the problem worse for institutions like hospitals whose software is complicated and is embedded in expensive medical equipment. Hospitals are reluctant for an upgrade because of the ‘no liability” policy which makes them non-reliable and can potentially halt their major functions.

Companies like Microsoft should not abandon people using older software especially cash constrained government institutions that run essential services. Tweets flooded on twitter slamming Microsoft for betraying Windows XP users and its business model was criticised to be exploiting which sell dominant OS with no liability for defects.

Corporations and governments should take software security more seriously, allocate more funds and give priority to cyber security. After all it is the customers, the public who receive essential services, and the companies’ systems which hold crucial information and those who have invested on said companies whose data will be vulnerable. 

This is a simple depiction of how progressive economies rely on up-to-date information and communication technologies. However according to the Sri Lankan National Human Development Report (2014) over 60% of our youth do not have access to acquire even basic ICT skills indicating that the government should do more to bridge this gap. Moreover, the failure to prioritise software security will surely be a road to disaster.

[The writer, a past student of Hindu Ladies College, Colombo, is currently working towards becoming CIMA (UK) qualified. After her Advanced Level examinations, she worked for Ernst & Young Sri Lanka providing advisory services in risk and assurance to both the public and private sector entities. Her interests include following contemporary business developments and current affairs.](DISCLAIMER: UNLOCKED is a space for Sri Lankan youth to express their views and opinions on development with the aim of creating positive change in the world. The views expressed in the blogs are solely those of the authors. UNDP Sri Lanka and Daily FT does not represent or endorse the views expressed in these blogs. Read more about the UNLOCKED initiative www.lk.undp.org.)