The WannaCry attack is a wake-up call for all those who always overlook internet security
Subimal Bhattacharjee
On May 12, a major cyber attack took place across computer networks the world over. The attack took the form of computer malware known as WannaCry, which infected systems running a particular version of the Windows operating system that had not been patched against a vulnerability exploit called Eternal Blue, recently brought to public attention by a global hacker group. The malware was ransomware: it locked the user out of the compromised computer, which could be restored by paying a ransom, in this case US$300, payable in bitcoins, a form of digital currency yet to gain legal status. The attack continued over the weekend and into the following week, and a few lakhs of computers were affected across more than 150 countries. From individual computers to critical infrastructures, the spread was quite extensive. The infection came via innocuous email malware and also replicated on its own: after setting itself up on hard disks and encrypting them, it spread across local area networks.
While the attacks have definitely made news globally and created a lot of panic, the damages have not been of a catastrophic nature. However, they have raised a lot of concerns about the readiness of the digital world to address cyber security. The fact that cyber attacks can spread across the globe in no time, and that actual attribution of the source of an attack is still not possible in most cases, raised the fear further. Many organisations and individuals paid the ransom amount to wriggle out of the situation, and very many have also taken this as a wake-up call to look at network security with more attention. The fact that computer networks need to be updated with patches and security software updates on a constant basis has also dawned across countries. In a nutshell, the reality of a cyber attack striking with debilitating and destructive capabilities is suddenly being better grasped.
Definitely much more will be known in the coming days and weeks about the actual impact of this attack, but the fact remains that vulnerabilities have been exposed, and they seem to be a mix of software exploits based on coding flaws, the operations of cyber criminal syndicates and the active cyber warfare programmes that many nations and rogue entities are pursuing. WannaCry is a shocking example of a cyber weapon prepared by a particular country for exploitation that got leaked, after which some entity, possibly a non-state actor, exploited it to the hilt. There is even speculation, in some reports, that North Korean sleeper cells were involved. But it is the network and the liaisons that the malware would have encountered in its journey that are worrisome. And today, when terrorist groups are investing big time in cyber attack vectors and social media exploits to increase their footprints, such attacks need to be dealt with the maximum attention. More than the reactive efforts to contain the damages and restore the systems, there also has to be a proper focus on how to address the menace globally with policy interventions and regulatory regimes. The efforts of the UN, and cyber security pursuits under the umbrella of internet governance multistakeholder dialogues, need to further an international regime that addresses cyber issues just as the nuclear and space sectors are covered today. The last group of government experts under the aegis of the UN last year had clearly laid out the need for norms that define cyber behaviour and its jurisdictions, but no further steps have been taken towards a workable arrangement.
The criminal aspects of cyber attacks are growing significantly in terms of their sophistication, frequency and reach. The recent internet security threat report from Symantec refers to the growing menace of email threats, malware and bots. As per the report, 35.7 crore new malware were discovered in 2016 compared to 35.5 crore in 2015. Likewise, 606 new mobile vulnerabilities were discovered in 2016 compared to 552 the previous year. The email malware rate is reported to be 1 in 131 emails in 2016 compared to 1 in 220 in the previous year. In terms of ransomware, 4.63 lakh were detected in 2016 with an average ask of US$ 1077, up from 3.4 lakh cases with an average of US$ 294 in 2015. These figures are a clear indication of the expanding threat of cyber criminals. A migration from using zero-day tools and malware to exploiting operating system features, off-the-shelf tools and cloud services was gradually emerging.
Many reports have indicated that computers and networks in India were also affected by the WannaCry attacks, and one particular cyber security company also mentioned that India was the third largest country in terms of attacks reported. Irrespective of the figure, it is critical to realise that this is yet another wake-up call for government, industry and individual users alike to pay closer attention to cyber security. The propensity to feel safe with a one-time application of security software, and the recourse to outdated and often pirated software, is something that needs to change soonest. While CERT India, the government body for alerting and incident response, had promptly issued its advisory and swung into action to defuse the impact, the reporting across stakeholders has not been very aggressive. The patch management response has been satisfactorily addressed and incidents were supported very proactively by agencies both government and private. Apart from the reactive mechanisms, the banking, power and telecom fraternities swung into action to explore the impact of the exploit.
Pertinently, cybersecurity is a priority of the Narendra Modi government, and the efforts at incorporating best practices in the spread of the Digital India initiative have been encouraging. Many of the flagship programmes have factored in cyber security measures since their inception, and there is a method to deal with the impending expansion of such networks. India’s tryst with a more digital ecosystem in governance with the advent of flagship e-governance programmes is a clear indicator here. The national cyber security policy of 2013 was in effect implemented by this government and the 14 yardsticks of the policy are being monitored on a regular basis. However, what needs to be done more proactively is to focus on building more awareness among common citizens of various aspects of the digital push regime. Banks need to run some major initiatives to educate their customers in best practices, which in turn will orient the customers towards better use of the banking and payment systems. A very good reference point is the effort at reaching out to the masses at all levels by the Modi government and many state governments when the push for digital payments was undertaken after the demonetization drive. It has not only brought more people into the digital ecosystem and made the common people feel more empowered but also taught them some basic lessons of cyber security.
So while WannaCry has not made too many people cry, it has definitely given every cyber user another wake-up call to look at computers and networks more closely and adhere to more best practices. Needless to say, cyber attacks will not go away; it will be prudent to stay alert with the right precautions and also be able to respond when an attack impacts an individual or institution. In a word, best practices are the order of the day.
(The writer, a defence and cyber security analyst, is former country head of General Dynamics)