Ransomware Liability and the Future of Security
If you’ve visited any tech related web site in the past week, you’re painfully aware of the WannaCry ransomware outbreak. This one has been really bad as it exploits a vulnerability in Windows that Microsoft patch in mid-March of this year. For those that patched their systems, things may not have been as bad. For those that forewent patching for whatever reason, the ransomware inflicted its damage.
Unfortunately, in this case, the ransomware exploits a vulnerability in the Server Message Block protocol stack in Windows, meaning that it only has to gain a foothold on one machine in an organization at which point it can rapidly spread across the network. As of this writing, CNN claims that there have been more than 200,000 victims so far, including shipping giant FedEx, which issued an advisory indicating that “a malware infestation may impact package delivery.” Perhaps most seriously, this attack crippled a number of hospitals in England and Scotland. From Wikipedia: “The attack affected many National Health Service hospitals in England and Scotland, and up to 70,000 devices — including computers, MRI scanners, blood-storage refrigerators and theatre equipment — may have been affected. On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted. In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.” Other news reports have contradicted this statement, indicating that unpatched Windows 7 computers were actually at fault and that some of the NHS trusts had not paid Microsoft for extended patching support. Windows 7 mainstream support ended in 2015. I’m sure that this contradictory information will be cleared up in the coming days as people work to figure out how the happened in an attempt to prevent a recurrence.
Note: This attack is so serious that Microsoft actually issued a patch for Windows XP, Windows 8, and Windows Server 2003 to correct the SMB flaw in these older operating systems.
One Down, Copycats to Come
Although the original WannaCry was stopped by a security researcher that accidentally discovered the malware’s kill switch, news reports now indicate that updated variants of WannaCry are now making their way into the wild with the kill switch disabled. It’s expected that, as people return from the weekend, that Monday could see a rise in infections as these new variants make their way to their victims.
An Ounce of Prevention… If You Drink the Medication
As the world becomes increasingly connected, these kinds of attacks are going to continue to increase in severity and in frequency. They’re going to be bigger and they’re going to happen more often. In this case, infection was fully preventable thanks to Microsoft’s mid-March patch that corrected the SMB flaw that WannaCry exploits to gain access to a system. However, for a variety of reasons, a lot of organizations have yet to apply these 60+ day old patches.
Let’s take the case of NHS, which seems to have been among the hardest hit by this outbreak. As mentioned, NHS may still have thousands of devices running Windows XP, an operating system that has been out of mainstream support for years as well as Windows 7.
Simply put, specialized devices, and a critical need to maintain stability in healthcare environments can sometimes mean that patches are forgone or postponed for lengthy testing. In many cases, device manufacturers—those that build things like MRIs and x-ray machines, support only very specific versions of operating systems. As you start to get into equipment that is truly life and death, change management takes on a new level of importance and the old adage, “if it’s not broken, don’t fix it” may ring more true than normal.
Other organizations, though, don’t always have these kinds of valid reasons for not staying current. In fact, according to NetMarketShare, as of April 2017, Windows 7 still leads the Windows market with 48.5%. Windows XP is still being used on over 7% of the systems in their lineup. No matter how you look at it, 7% is a huge number when you’re talking about an operating system that powers devices quantified in the billions.
The Liability Conundrum
I asked my followers on Twitter for their thoughts regarding who should hold primary responsibility for any deaths that result from this specific outbreak. Although only 23 people responded and even though Twitter is really limited in its polling, the response was interesting.
Who should hold primary responsibility for deaths related to the WannaCry outbreak? (I understand that hospitals can’t always patch)
— Scott D. Lowe (@otherscottlowe) May 13, 2017
Only 48% indicated that the perpetrator should hold primary sole responsibility. 30% of respondents said that the hospital should be solely liable. No one felt that Microsoft should be solely responsible and 22% indicated that the perpetrator, the hospital, and Microsoft should be held jointly and equally responsible.
The lack of Twitter polling capability means that we can’t make too many direct conclusions here, but it is safe to say that there are people who feel that the fact that the hospital had unpatched systems meant that they should be held liable for deaths that occur. At present, I personally believe that only the perpetrator should be held responsible. As mentioned previously, hospitals have other hindrances to staying current and, for its part, Microsoft patched this vulnerability back in March and even went so far as to patch unsupported operating systems once the impact of WannaCry became clear.
So, hospitals are between a rock and a hard place in many instances. They know that they have gaping security issues like this, but they can’t always protect themselves 100% against them. In that scenario, as long as the hospital did what it could, I don’t see how they’re anything but a victim.
But, what if they could have patched it, but chose not to do so for financial reasons or because they simply had poor patching practices? In that case, I could see a good lawyer working hard to make a case that the hospital’s negligence led directly to someone’s death or against a business that was impacted, resulting in a financial loss for customers.
The Future of Security and Liability
Today, even as organizations around the world reel from the impact of WannaCry, hackers are on the lookout for new and innovative ways to wreak havoc. Vulnerable Windows systems are just the tip of the iceberg. As we continue to move inextricably closer to a world in which every device in our home and business is on a network, things start to look far grimmer, particularly given how these devices are supported… or not. Everyone is rushing to develop devices that manage heating and cooling, that help us see who is at our front door, that allow us to open garage doors from our phones, and more, but many of the companies behind such devices will simply not be viable and they’ll eventually go under. When they do, those devices ultimately go unsupported and won’t get updates or patches. Owners may not even realize that companies are gone, but they still unwittingly use the device.
The problem is that a huge number of these devices are vulnerable to attack and their makers are often not security experts or they may have gone under. With some ease, hackers can gain access to devices and use them for nefarious means. In fact, it was the harnessing of so-called Internet of Things devices that resulted in a massive distributed denial of service attack that took place in October of 2016.
This is another area in which security is only going to get worse. As time goes on, this is an issue that the industry will have to figure out, both from a technical perspective and well as from a liability perspective. Whether that means that there needs to be a standards body that reviews IoT devices and holds source code in escrow or some other mechanism isn’t something I can delve into here. But, something has to happen.
On the liability front, we’re already holding financial and retail institutions liable for their security failings, and I see this spreading to other industries very quickly, particularly when security lapses can be proven to be the result of negligence or greed.
For now, though, the focus can and must be on helping organizations maintain a strong security posture in order to reduce the impact (and maybe even prevent) the spread of malware and ransomware. Organizations must institute strong practices to prevent security breaches. They must implement comprehensive training programs to teach people to identify good email from bad and they may need to go as far as implementing disciplinary procedures for when someone falls for an email from a criminal and exposes the organization to attack.