You are here

After WannaCry, will cyber security be taken as seriously as surveillance?

5 June 2017

The WannaCry ransomware attack exposed truths about cyber security that should serve as an urgent warning to governments, policy makers, companies and institutions globally. There has been movement- the long awaited Executive Order on Cyber Security was finally signed last week, and a Bill to formalize the Vulnerability Equalities Process (VEP) into law has been introduced with bipartisan support in both the House and the Senate.

However, governments largely prioritise surveillance systems over secure networks and criminalise those with the very skills that can help make us safer.

Security is hard. The systems that play an essential role in our lives are fragile and vulnerable. Nevertheless, we continue to build on top of them and are surprised when they collapse. Security is not optional nor an afterthought.

And yet, governments and companies pour resources into costly data intensive projects, build devices, networks and services that accumulate vast data stores without proper regard to risk, security, or data minimisation. This ultimately makes people less secure.

These are the issues to be considered before we even get to a discussion about state sponsored action involving the "stockpiling" of vulnerabilities and hacking.

Getting policy makers to think of security in this way is hard. Instead, security has been articulated across the world through an increase of mass surveillance legislation and therefore financial resource and technical expertise invested into capturing more and more data. But the WannaCry attack highlights where the priority should be- addressing the root problem of insecure systems and acting to secure them. 

Some governments have chosen to frame cyber security as a national security issue and endow law enforcement and security agencies with great resources and power. We are then told to trust without being able to verify due to secrecy. This means there is little accountability or transparency- we don’t really know what our government agencies are doing in the name of cyber security.  

Policy makers must take note and ensure they prioritise a holistic approach to cyber security by emphasising the importance of simultaneously protecting people and their data, protecting devices and networks. This should form the basis of any cyber security strategy.

Inter-governmental organisations involved in supporting governments develop their cyber security strategies, such as the Council of Europe, European Commission and the Organisation of American States (OAS), should encourage this framing.

It is important to acknowledge the contribution by independent security researchers in this story, from collaboratively and voluntarily analysing the WannaCry malware in action, to the young British researcher known as MalwareTech who helped slow its spread. It is in the public interest for this research to happen, but those with the skills and expertise are often prevented from legally doing so, even under the protection of institutions like universities. To test a company’s assurances that, for example, a phone is secure, an independent researcher may be breaking the law or the terms of service of the technology. There are many examples of researchers being arrested or threatened with arrest for discovering and exposing vulnerabilities, particularly in the systems of big business.

Skilled individuals need to be incentivised and encouraged so that adversaries with the same skills do not deploy them to undermine individuals’ security and privacy.

In the UK, the National Health Service (NHS) was a victim of the WannaCry malware and many hospitals were affected. Disappointingly, politicians generally chose to ignore the huge wake-up call handed to them and instead turned the incident into a debate about NHS funding- an issue of great national sensitivity- as the general election looms.

Cyber security is often compared to public health, a public good which promotes collective responsibility for the benefit of everyone. But it is a metaphor no more- the WannaCry attack demonstrated cyber security can have a direct impact on health. Patients were turned away and appointments cancelled as the malware locked staff out of computer systems.

Investigations into the spread of WannaCry continue and it may be some time before we know the full story of who, when, where and how. We do know the attack impacted many different types of services globally- telecommunications companies, railways, banks, hospitals- which reflects the reality that protection of our personal data, devices and networks is now also part of our personal security.

And make no mistake, there will be more WannaCry’s. It’s time that Governments shifted their focus away from surveilling massive number of people, and towards the existential threat to our entire global infrastructure that the next big cyber attack could unleash. This time the criminals want money. Next time much more could be held to ransom.