WannaCry and government agencies – Canadian Government Executive

NEWS

SEARCH

AccountabilitySecurityTechnology
May 17, 2017

WannaCry and government agencies

Cybersecurity professionals have sounded the alarm for years, and they are again being proven right. When government agencies secretly find security vulnerabilities and develop exploits, they put everyone at risk.

Over the past week, the WannaCry ransomware worm exploded across 74 countries, infecting businesses, hospitals, universities, and many others. The worm encrypts files and demands the equivalent of $300 to $600 in Bitcoin to restore them.

The infection leverages a vulnerability in Microsoft operating systems, ranging from Windows XP to Windows 10 and Server 2016. While that is not unusual, what is unusual is that the exploit appears to have been originally developed by the NSA.

Imagine, just for a moment, that a government agency were to discover a hidden weakness in a car or aircraft. And, rather than notifying the manufacturer for immediate action, the agency developed a way to take over the vehicle remotely, with the intent of only using it against criminals, terrorists, and other hostiles.

There are three problems with this scenario:

First, public safety is reliant on keeping the vulnerability and exploit a highly controlled secret. Government agencies have a poor track record on this critical matter.

Second, each time the exploit is used, somebody, somewhere, will wonder what happened. There will be investigations. The more the exploit is used, the more attention it will garner. It is naive for any agency to believe that their exploit will not be discovered, analyzed, and copied. If an intelligence agency uses an exploit to attack terrorists and hostile governments, they are essentially handing them the clues required to find and leverage the same vulnerability.

Third, the agency’s belief that they alone have the capability to discover the vulnerability is seriously misguided. It is foolish for one of 196 countries to believe that their discovery will not be uncovered by another government, criminal organization, or independent security researcher.

If next week criminals started crashing cars or aircraft using a government-developed exploit, there would be public outcry, inquiries, political resignations, and lawsuits. The government employees involved would likely be the subject of a criminal investigation. The same type of accountability apparently doesn’t apply when individuals and businesses suffer losses due to government negligence with cyberweapons.

Microsoft released security update MS17-010 on March 14, 2017, which addressed the issue in supported versions of Windows. Then, on April 14, the Shadow Brokers hacker group released a stolen NSA exploit called EternalBlue, which exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. Users of Windows 8.1, Windows 10, Server 2012, Server 2016, and other currently supported operating systems were protected if they applied the March 14 patch. However, unsupported Windows XP, Windows 8, and Windows 2013 systems were not. When WannaCry began using the vulnerability to spread itself on May 12, it spread through these outdated systems like wildfire. Microsoft has since taken the unusual step of issuing an emergency patch for Windows XP, Windows 8, and Windows Server 2003.

In an added twist, a UK-based malware analysis expert who calls himself MalwareTech was running a sample of the malware in his analysis environment, and noticed it queried an unregistered Internet domain. As researchers often do, he registered the domain and pointed it to a sinkhole server. As it turns out, the existence of the URL caused WannaCry to stop executing.

“The reason which was suggested is that the domain is a ‘kill switch’ in case something goes wrong, but I now believe it to be a badly thought out anti-analysis,” he wrote. “In certain sandbox environments, traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as if it were registered.” In effect, MalwareTech stopped the attack by spending about $15 on a domain.

Law enforcement agencies around the globe should vigorously pursue the criminals responsible for WannaCry. Windows users should update their systems immediately, turn on automatic updates, and where necessary upgrade to a supported version of the operating system. Businesses that have erroneously decided against automatically applying Microsoft patches to Windows PCs, or who continue to run unsupported Windows operating systems, need to seriously reevaluate their priorities.

Many governments are engaged in the cyber arms race. Some Americans are understandably outraged that an agency of their government decided that creating cyberweapons was more important than protecting millions, and then failed to safeguard highly-classified information.

Canada should lead the way by shining a light on this dark issue. While most citizens are unaware of decisions being made on their behalf, we need transparency, public engagement, and appropriate oversight to prevent future tears.

 

About this author

Eric Jacksch

Eric Jacksch

Eric Jacksch is a leading cybersecurity analyst with over 20 years of practical security experience. He has consulted to some of the world's largest banks, governments, automakers, insurance companies and postal organizations. Eric is a regular columnist for IT in Canada and was a regular columnist for Monitor Magazine and has contributed to several other publications.

0 comments

There are no comments for this post yet.

Be the first to comment. Click here.

Accountability
 
The International Monetary Fund (IMF) in issuing its annual review of...
 
There’s no shortage of organizations claiming to have a digital transformation...
 
Cybersecurity professionals have sounded the alarm for years, and they are...
 
Cost estimation is becoming an extremely important skill within government due...
 
In this special episode of CGE Radio, your host John Jones...
 
Security professionals have an obligation to communicate risks and recommendations to...
 
Risk is always present in any undertaking, no matter the size...
 
Cost overruns have become institutionalized in the federal government, according to...
 
Last year, procurement Minister Jody Foote was prompted by the swirling...
 
Professionals, managers, and executives in the cost estimation industry can gain...
 
In this episode, hear from Carl Hammersburg, Manager, Government and Healthcare...
 
A new study from the Conference Board of Canada gives our...
 
In the world that we are living in today, free and...
 
The delivery method developed by Sir Michael Barber, chief adviser to...
 
Rules and accountability are helpful in developing and standardizing processes but...
 
Canadian doctors were told that climate change impacts human health and...
 
Even as talks between the government and federal workers affected problems...
 
The largest effort in 20 years to seek public input on...
 
Ottawa has overhauled the process by which justices are picked for...
 
Please to view this Content. (Not a member? Join Today! )...
 
In this episode, editor-in-chief, Patrice Dutil talks about the need for...
 
As much a 20 per cent of grade seven students in...
 
Upon receiving numerous complaints regarding add-on fees that turn making economy...
 
Are you absolutely clear what the government wants to achieve? Are...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Written By Jason McNaught The Public Service Alliance of Canada was...
 
Independence has long been regarded as a cornerstone of the auditing...
 
Canada is a diverse nation, in language, culture, geography, and, ultimately,...
 
Public sector organizations are under increasing pressure to identify all risks...
 
The government of Canada has implemented several measures over the past...
 
Whether at the territorial, provincial or federal government level, internal audit...
 
An organization’s reputation can take years to build but it can...
 
On October 30, Ontario began second reading of the Public Sector...
 
In the well-known children’s story, an Emperor falls victim to the...
 
The Nova Scotia Office of the Ombudsman is a small operation...
 
I think the ombudsman needs to be independent, because without independence...
 
Today’s business environment changes rapidly to adjust to evolving conditions and...
 
The best internal auditors actually are really good managers first. I...
 
The recent controversy about the actions of some staff members in...
 
Most professionals don’t need more than a sentence at a cocktail...
 
Recent research by the Institute of Internal Auditors Canada aims to...
 
When is it that a politician becomes part of the governing...
 
It’s been a busy couple of weeks on the information, privacy...
 
In 1996, a new budget watchdog, the Parliamentary Budget Officer, was...
 
The Ontario government is moving forward with the creation of a...
 
The Office of the Public Sector Integrity Commissioner of Canada (PSIC)...
 
After the Auditor General’s (AG) report was released on April 30,...
 
In the U.K. system, Permanent Secretaries are what we call Deputy...
 
We are living in a period of rapid change and limited...
 
US public sector employees don’t trust their management to do the...
 
The news of Mark Carney’s nomination as the new Governor of...
 
Following Singapore’s independence in 1965, the controversial leadership of Lee Kuan...
 
Over the past few years, the preparation and delivery of the...
 
In healthcare, cost-cutting can result in cutting what is valued most...
 
For over 20 years Colin Bennett has been exploring issues of...
 
Even before controversy shook the organization to its foundation, Ornge was...
 
It will be the largest international multi-sport event ever held on...
 
We’ve all seen the headlines – BC Ferries, Ornge, la Caisse...
 
It can happen, and it’s noteworthy when it does. Government, business...
 
Kevin Page’s mandate as the first Parliamentary Budget Officer comes to...
 
Governments are challenged to meaningfully mitigate the effects of the financial...
 
Canada is facing a huge financial challenge brought on by massive...
 
For the past one hundred years, democratic states have been moving...
 
It’s so much easier and less painful to learn from the...
 
CGE Vol.13 No.7 September 2007 "If the Public Service, as a...
 
When pondering leadership, we immediately think of exercising our influence downward...
 
CGE Vol.13 No.1 January 2007 "How can I be held accountable...
 
CGE Vol.13 No.2 February 2007 Canada’s Performance 2006 is the sixth...
 
CGE Vol.14 No.1 January 2008 The furor over the $300,000 that...
 
CGE Vol.14 No.2 February 2008 Let’s say you’re a senior manager,...
 
CGE Vol.13 No.1 January 2007 Perhaps it’s a legacy of the...
 
The Independent Blue Ribbon Panel on Grants and Contributions called for...
 
Au Canada, le secteur bénévole et à but non lucratif vit...
 
As the global economy struggles to regain some forward momentum, Canadian...
 
This will be a defining budget for Stephen Harper. It will...
 
It is difficult to determine when the debate about the need...
 
For the next few years, the federal government’s overarching agenda will...
 
Much of the current conversation about the federal government’s economic agenda...
 
Bill Greenlaw is the elected president of the Institute for Public...
 
Have you ever asked yourself the question: ‘How would I evaluate...
 
Last fall, Alberta’s Employment and Immigration department posted online the workplace...
 
In 2006 the world was feeling the aftershocks of a number...
 
CGE Vol.13 No.4 April 2007 Robert Parkins, editorial director, met recently...
 
In the past two decades, the nature of the state has...
 
Please to view this Content. (Not a member? Join Today! )...
 
Some title Some author
Some excerpt
 
Some title Some author
Some excerpt
 
Some title Some author
Some excerpt
The International Monetary Fund (IMF) in issuing its annual review of...

Member Login

Forgot Password?

Join Us

Password Reset
Please enter your e-mail address. You will receive a new password via e-mail.