It makes me WannaCry….
You don’t know how to ease my pain
You don’t know…
You don’t know how to ease my pain
Don’t you hear any voices cryin’?
You don’t know how to play the game
You don’t even know how to say goodbye…
You make me want to cry….
It’s rare that the world of IT impinges on my friends’ day-to-day lives on the scale it has in recent days, and rarer still that I feel compelled to address political issues on my tech-based blog. That’s mainly because I think people visit michellelaverick.com to learn something new about tech, or to read one of my blogposts where I got something to work, and they are looking to find out how to do the same. I do have a political blog called “The Age of Rage” and I offload my venom there – I only wish more people did this instead of filling LinkedIn, Twitter and Facebook with political opinions they think everyone else will agree with, only to be upset, offended or abusive when they are shocked to discover the world doesn’t uniformly agree with them. However, the outbreak of the “WannaCry” ransomware represents for me a unique situation where these worlds do collide. I want to talk about these issues in a non-partisan, non-party-political way, because frankly there’s enough of that guff around already from our political class.
Before I “go positive” and speak about the positive steps that can be taken by all stakeholders (users, vendors, governments, agencies of the state), I feel compelled to draw your attention to some artful media management and outright charlatanism that typifies how this averted crisis is playing out in the media, especially here in the UK. From this I hope to outline how we can collectively take responsibility, while recognising that some organisations have more responsibility than others because of their power and/or financial muscle.
Right now the UK is in the midst of one of the dullest general elections in living memory, and a piece of one’s soul quietly dies as the party slogans are repeated ad nauseam. Our current PM reassured the country that the attack was NOT a threat to national security because it hadn’t been carried out by “State Actors”. She seems to fail to understand that anything that substantially degrades the normal operation of everyday life in this country is a threat to national security. Had WannaDie shut down our power stations it would have been a different matter. Social order would have broken down, and we would have had riots in the cities within hours. It doesn’t matter WHERE the attack comes from; it’s the impact that matters. The government has gone into overdrive to deflect criticism because they are fearful that this “May Surprise” might unhinge their assured majority. As Macmillan put it: “Events, dear boy, events…”
The view seems to be that as everyone was globally shafted, then it’s not really our fault, because we are all going to hell in a handcart. So that’s alright then. The government is trying to demonstrate that it knew about the threat and did something, and is using the devolved structure of the NHS, in a Pontius Pilate way, to wash its hands of the responsibility. Politicians tend to be of a type: they want to take all the credit for any success, and none of the blame when things go wrong. The economy is a classic example. When the economy grows, that’s their magic touch; when it crashes, that’s the “global economic system’s” fault, over which they have no control. Kind of handy that, isn’t it?
Relatively muted, but a couple of spokespeople and Corbyn are starting to make noises. To extend the medical analogy, there’s a danger of looking like opportunist ambulance chasers. Best to keep above the fray and let the media do the damage. If the government wriggles off the hook for this one by blaming the NHS Trusts, it at least takes the emphasis away from the ‘leadership’ issue, and puts the media emphasis on the underfunding at the heart of the service, which results in people on trolleys in corridors at A&E.
The NSA and GCHQ
Silence. Followed by tumbleweed. But it is the source of WonderWhy.
Microsoft (and the Software Industry Generally)
A press release was issued by the company’s legal counsel. That to me is significant, because somebody somewhere at Microsoft is wondering what their legal position could be, and whether they will find themselves in court, either at the hands of a government or via a class action. This press statement squarely lays ‘the blame’ at the feet of the customer for not keeping up to date, despite the fact that the main culprit for spreading WannaFly was unpatched Windows XP instances that are no longer blessed with critical security patches.
Meanwhile another set of ambulance chasers feel it’s ethical and moral to use this situation in order to shift more stuff. One man’s pain is another man’s fortune. So I’ve seen people trying to flog software to pre-encrypt data before it’s ransomwared, and fatuous suggestions that somehow “virtual desktops” would protect customers, without giving a thought to persistent desktops that could be just as poorly patch-managed as physical ones. Our industry desperately needs an ounce of prevention rather than a pound of cure. We need to solve the problem at source, not bolt the gate after the horse has disappeared over the horizon.
Our poor beleaguered NHS
As with the government, the NHS has gone into damage limitation mode. There will always be funding priorities in the NHS, and anyone who knows the history will know the NHS felt its first funding crisis in its first year. Bevan had to ‘stuff their mouths with gold’ in order to get private GPs to join. At the moment the line is that no patient data has been compromised and no-one died. This is a line they can stick to because it’s really difficult to prove otherwise, except as anecdotal evidence drifts out. In fairness, loads of other organisations were affected, but nothing as precious as one’s fragile health.
Everyone is very skilfully blaming everyone else, in the hope that no-one (that’s me and you, by the way) notices their culpability.
Everyone needs to stop using cleverly crafted PR to deflect responsibility onto others. Everyone needs to start taking responsibility for their actions. This is a really difficult thing to say and do, in a climate where blaming someone else for all your woes is the philosophy of the hour.
The government needs to acknowledge it was caught with its pants down, and acknowledge that government bodies, and the structures that allow them to function, are part of our national security. Devolved powers are great for democracy, but fundamentally the buck stops with our elected officials. Otherwise no one is accountable to the electorate.
The opposition needs to acknowledge that it probably would have been no better prepared.
The NSA and GCHQ (and Mossad)
They need to acknowledge that they are the source of the hack, and were themselves hacked, and that keeping backdoors open so they can do their own snooping or attacks (like the Stuxnet attack on Iranian centrifuges) is as morally bankrupt as the black-hat hackers. We have laws that strictly control the creation and development of biological viruses such as anthrax. The creation of tools that either make or exploit security breaches needs to be regulated with the same vigour. We as citizens need to ask ourselves whether the security services should be given regulated backdoors as part of anti-terrorist or anti-organised-crime efforts. The alternative is that the temptation to keep undiscovered backdoors open will always be present. Practically anything can be used to justify actions in the name of some vague “national security”; in recent times this has extended to torture of your own citizens and the citizens of your allies. The bottom line is that the bad guys are moving off the regular software packages that you and I use to communicate with anyway. They are evolving, and so is the counter cyber-intelligence.
Microsoft and Other Software Vendors
We desperately need “herd immunity” to stop the catastrophic spread of dangerous software. WannaCry should signal the end of the corporate policies that lead to the withdrawal of security updates. Numbers vary and are often given as percentages, but some research indicates that globally some 8.45% of the world’s computing population are still using Windows XP.
And people have been talking for years about how unpatched operating systems represent a global threat to the very users and organisations who are patched and up to date. I propose that ALL vendors (not just Microsoft) are compelled to supply security updates for free, and in perpetuity, until the global usage of that system falls below 1%. Within hours of WannaCry being released, Microsoft released a patch for Windows XP users; imagine the damage that could have been avoided if this patch had been freely available beforehand. Additionally, software updates that are security critical must be mandatory for ALL users. It is simply too easy for retail end-users to ignore or switch off such updates. Given the size and scope of these large software vendors, they could easily absorb these costs and defaults. The reputational cost alone justifies this expense.
To the vendors who circle like vultures hoping to make a fast buck from other people’s misfortune: you have just revealed yourselves to be the snake-oil salespeople we always knew you were…
It’s time to accept that computers can and do save lives. And I don’t just mean scanners that find your innards rotting away. The choice is really how people are going to die. Will they die because fewer operations are done per quarter, or because through a computer virus (the irony is bittersweet) people have died or had their health impacted? Just because we can’t see it or measure it doesn’t mean it isn’t happening. The critical thing is that even if the NHS had the best patch-management system in the world, you can’t patch the unpatchable. Had Microsoft’s policy on Windows XP been different, the poor unsung heroes of the NHS IT system would at least have had a sporting chance against the evil hackers (who didn’t have the bravery to admit what they had done, but released some gutless statement about it being a protest against Donald Trump).
The Accidental Hero…
And finally… to the accidental hero of the hour. We owe this man the same debt of honour as we might to someone who stopped the spread of Ebola. Okay, I’m exaggerating with hyperbole for the purposes of rhetoric. I, for one, admire the fact that this chap has been modest and self-effacing. But it strikes me as odd that further damage was averted by a private citizen (albeit one working for, and with an interest in, anti-malware) for the cost of an £8 DNS domain name registration. Whilst large and powerful organisations are busy making themselves slippery with PR, this unassuming individual acted in the public interest. It’s evidence of the fact that humanity is not completely beyond redemption. And these large and powerful institutions could do with taking a leaf out of his book.