<h1>International ransomware gangs are evolving their techniques. The next generation of hackers will target weaknesses in cryptocurrencies</h1>
<p><em>The Conversation, 28 August 2023</em></p>
<figure><img src="https://images.theconversation.com/files/542594/original/file-20230814-24-9r3xkv.jpg?ixlib=rb-1.1.0&rect=233%2C155%2C5458%2C2967&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/ransomware-cyber-security-email-phishing-internet-2014441709">Shutterstock/JLStock</a></span></figcaption></figure>
<p>In May 2023, the <a href="https://www.govtech.com/security/dallas-officials-say-ransomware-recovery-could-take-months">Dallas City Government</a> was hugely disrupted by a ransomware attack. Ransomware attacks are so called because the hackers behind them encrypt vital data and demand a ransom in order to get the information decrypted.</p>
<p>The attack in Dallas put a halt to hearings, trials and jury duty, and the eventual <a href="https://www.nbcdfw.com/news/local/dallas-municipal-court-building-closed-this-week-due%20to-ongoing-ransomware-attack/3262694/">closure</a> of the Dallas Municipal Court Building. It also had an indirect effect on wider police activities, with stretched resources affecting the ability to deliver, for example, <a href="https://www.nbcdfw.com/news/local/ransomware-attack-still-impacts-police%20as-dallas-plans-summer-youth-programs/3259229/">summer youth programmes</a>. The <a href="https://www.cbsnews.com/texas/news/royal-ransomware-group-threatens-release-sensitive-information-dallas/">criminals threatened</a> to publish sensitive data, including personal information, court cases, prisoner identities and government documents.</p>
<p>One might imagine an attack on a city government and police force causing widespread and lengthy disruption would be headline news. But ransomware attacks are now so common and routine that most pass with barely a ripple of attention. One notable exception happened in May and June 2023 when hackers exploited a vulnerability in the <a href="https://theconversation.com/moveit-hack-attack-on-bbc-and-ba-offers-glimpse-into-the-future-of-cybercrime-207670">Moveit file transfer app</a> which led to data theft from hundreds of organisations around the world. That attack grabbed headlines, perhaps because of the high profile victims, reported to include British Airways, the BBC and the chemist chain Boots.</p>
<p>According <a href="https://www.theguardian.com/technology/2023/may/10/ransomware-payments-nearly-double-in-one-year">to one recent survey</a>, ransomware payments have nearly doubled to US$1.5 million (£1.2 million) over the past year, with the highest-earning organisations the most likely to pay attackers. Sophos, a British cybersecurity firm, found that the average ransomware payment rose from US$812,000 the previous year. The average payment by UK organisations in 2023 was even higher than the global average, at US$2.1 million.</p>
<p>Meanwhile, in 2022 <a href="https://www.bbc.co.uk/news/uk-60158874">The National Cyber Security Centre</a> (NCSC) issued new guidance urging organisations to bolster their defences amid fears of more state-sponsored cyber attacks linked to the conflict in Ukraine. It follows a series of cyber attacks in Ukraine which are suspected to have involved Russia, which Moscow denies.</p>
<hr>
<p><strong><em>This article is part of Conversation Insights</em></strong>
<br><em>The Insights team generates <a href="https://theconversation.com/uk/topics/insights-series-71218">long-form journalism</a> derived from interdisciplinary research. The team is working with academics from different backgrounds who have been engaged in projects aimed at tackling societal and scientific challenges.</em></p>
<hr>
<p>In reality, not a week goes by without attacks affecting governments, schools, hospitals, businesses and charities, all over the world. These attacks have significant financial and societal costs. They can affect small businesses, as well as huge corporations, and can be particularly devastating for those involved.</p>
<p>Ransomware is now <a href="https://www.zdnet.com/article/ransomware-attacks-are-the-biggest-global-cyber-threat-and-still-evolving-warns-cybersecurity-chief/">widely acknowledged</a> as a major threat and challenge to modern society. </p>
<p>Yet ten years ago it was nothing more than a theoretical possibility and niche threat. The way in which it has quickly evolved, fuelling criminality and causing untold damage should be of major concern. The ransomware “business model” has become increasingly sophisticated with, for instance, advances in <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9895237">malware attack vectors</a>, <a href="https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside-the-ransomware-negotiation-economics/">negotiation strategies</a> and the structure of criminal enterprise itself.</p>
<p>There is every expectation that criminals will continue to adapt their strategies and cause widespread damage for many years to come. That’s why it is vital that we study the ransomware threat and preempt these tactics so as to mitigate the long-term threat – and that is exactly what our research team is doing.</p>
<p><strong>Prediction of global ransomware damage costs - source: Cyber Security Ventures</strong></p>
<figure class="align-center ">
<img alt="A graph showing the damages related to ransomware" src="https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=373&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=373&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=373&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=469&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=469&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=469&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">Alpesh Bhudia</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>For many years <a href="https://ieeexplore.ieee.org/abstract/document/9854946">our research</a> has looked <a href="https://link.springer.com/chapter/10.1007/978-3-031-16035-6_9">to preempt this evolving threat</a> by exploring new strategies that ransomware criminals can use to extort victims. The aim is to forewarn, and be ahead of the game, without identifying specifics that could be used by criminals. In our <a href="https://arxiv.org/pdf/2308.00590.pdf">latest research</a>, which has been peer reviewed and will be published as part of the International Conference on Availability, Reliability and Security (<a href="https://www.ares-conference.eu/">ARES</a>), we have identified a novel threat that exploits vulnerabilities in cryptocurrencies.</p>
<h2>What is ransomware?</h2>
<p>Ransomware can mean subtly different things in different contexts. In 1996, Adam Young and Mordechai “Moti” Yung at Columbia University <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=502676">described</a> the basic form of a ransomware attack as follows: </p>
<p>Criminals breach the cybersecurity defences of the victim (either through tactics like phishing emails or by using an insider/rogue employee). Once the criminals have breached the victim’s defences they deploy the ransomware, the main function of which is to encrypt the victim’s files with a private key (which can be thought of as a long string of characters) to lock the victim out of their files. The third stage of the attack then begins, with the criminal demanding a ransom for the private key.</p>
<p>The simple reality is that many victims <a href="https://www.bbc.co.uk/news/business-60478725">pay the ransom</a>, with ransoms potentially into the millions of dollars.</p>
<p>Using this basic characterisation of ransomware it is possible to distinguish different types of attack. At one extreme there are the “low level” attacks where files are not encrypted or criminals do not attempt to extract ransoms. At the other extreme, attackers make considerable efforts to maximise disruption and extract a ransom.</p>
<p>The <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5461132/">WannaCry ransomware attack</a> in May 2017 is such an example. The attack, <a href="https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and">linked to the North Korean government</a>, made no real attempt to extract ransoms from victims. Nevertheless, it led to widespread disruption across the world, <a href="https://www.bbc.co.uk/news/technology-41753022">including to the UK’s NHS</a>, with some cybersecurity risk-modelling organisations even estimating global economic losses running into the billions.</p>
<p>It is difficult to discern motive in this case, but, generally speaking, political intent, or simple error on the part of the attackers may contribute to the lack of coherent value-extraction through extortion.</p>
<p>Our research focuses on the second extreme of ransomware attacks in which criminals look to coerce money from their victims. This does not preclude a political motive. Indeed, there is evidence of <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4507111">links between major ransomware groups and the Russian state</a>. We can distinguish the degree to which ransomware attacks are motivated by financial gain by observing the effort invested in negotiation, a willingness to support or facilitate payment of the ransom, and the presence of money laundering services. By investing in tools and services which facilitate payment of the ransom, and its conversion to fiat currency, the attackers signal their financial motives.</p>
<h2>The impact of attacks</h2>
<p>As the attack on the Dallas City Government shows, the financial and social impacts of ransomware attacks can be <a href="https://heimdalsecurity.com/blog/companies-affected-by-ransomware">diverse and severe</a>.</p>
<p>High-impact ransomware attacks, such as the one which targeted <a href="https://www.bbc.co.uk/news/business-57178503">Colonial Oil in May 2021</a> and took a major US fuel pipeline offline, are obviously dangerous to the continuity of vital services. </p>
<p>In January 2023, there was a ransomware <a href="https://talion.net/blog/royal-mail%20cyber-attack-wheres-my-mail-gone/">attack on the Royal Mail</a> in the UK that led to the suspension of international deliveries. It took over a month for service levels to <a href="https://www.bbc.co.uk/news/business-64718824">get back to normal</a>. This attack would have had a significant direct impact on the Royal Mail’s revenue and reputation. But, perhaps more importantly, it impacted all the small businesses and people who rely on it.</p>
<p>In May 2021, the Irish NHS was hit by a ransomware attack. This affected every aspect of patient care with widespread cancellation of appointments. The <a href="https://www.bbc.co.uk/news/world-europe-57184977">Taoiseach Micheál Martin said</a>: “It’s a shocking attack on a health service, but fundamentally on the patients and the Irish public.” Sensitive data was also reportedly leaked. The financial impact of the attack could be as <a href="https://www.infosecurity-magazine.com/news/ransomware-attack-cost-irish">high as 100 million euros</a>. This, however, does not account for the health and psychological impact on patients and medics affected by the disruption.</p>
<p>As well as health services, education has also been a prime target. For instance, in January 2023 a school in Guildford, UK, suffered an attack with the criminals threatening to publish sensitive data including safeguarding reports and <a href="https://therecord.media/vice-society-ransomware-guildford-school-student-data-extortion">information about vulnerable children</a>.</p>
<p>Attacks are also timed to maximise disruption. For instance, an attack in June 2023 on <a href="https://www.bbc.co.uk/news/uk-england-dorset-65685607">a school in Dorchester, UK</a>, left the school unable to use email or access services during the main exam period. This can have a profound impact on children’s wellbeing and educational achievement.</p>
<p>These examples are by no means exhaustive. Many attacks, for instance, directly target businesses and charities that are too small to attract attention. The impact on a small business, in terms of business disruption, lost reputation and the psychological cost of facing the consequences of an attack <a href="https://academic.oup.com/cybersecurity/article/%206/1/tyaa023/6047253?login=false">can be devastating</a>. As an example, a survey in 2021 found that <a href="https://atlasvpn.com/blog/31-of-us-companies-close-down-after-falling-victim-to-ransomware">34% of UK businesses that suffered a ransomware attack</a> subsequently closed down. And, many of the businesses that continued operation still had to lay off staff.</p>
<h2>It began with floppy disks</h2>
<p>The origins of ransomware are usually traced back to the <a href="https://medium.com/@alinasimone/the-bizarre-pre-internet-history-of-ransomware-bb480a652b4b">AIDS or PC Cyborg Trojan</a> virus in the 1980s. In this case, victims who inserted a floppy disk in their computer would find their files subsequently encrypted and a payment requested. Disks were distributed to attendees and people interested in specific conferences, who would then attempt to access the disk to complete a survey - instead becoming infected with the trojan. Files on affected computers were encrypted using a key stored locally on each target machine. A victim could, in principle, have restored access to their files by using this key. The victim, though, may not have known that they could do this, as even now, technical knowledge of cryptography is not common among most PC users.</p>
<p>Eventually, law enforcement traced the floppy disks to a Harvard-taught <a href="https://edition.cnn.com/2021/05/16/tech/ransomware-joseph-popp/index.html">evolutionary biologist named Joseph Popp</a>, who was conducting AIDS research at the time. He was arrested and charged with multiple counts of blackmail, and has been credited by some with being the inventor of ransomware. No one knows exactly what provoked Popp to do what he did.</p>
<figure class="align-center ">
<img alt="Early form of white computer text on red background" src="https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=293&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=293&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=293&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=369&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=369&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=369&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The on-screen message after the AIDS Trojan Horse ransomware was activated.</span>
<span class="attribution"><a class="source" href="https://en.wikipedia.org/wiki/AIDS_(Trojan_horse)">wikipedia</a></span>
</figcaption>
</figure>
<p>Many <a href="https://arxiv.org/pdf/2107.09470.pdf">early versions</a> of ransomware were quite basic cryptographic systems which suffered from various issues surrounding how easy it was to find the key information the criminal was trying to hide from the victim. This is one reason why ransomware really came of age with the <a href="https://www.bbc.co.uk/news/technology/28661463">CryptoLocker attack in 2013</a> and 2014.</p>
<p>CryptoLocker was the first technically sound ransomware to be distributed en masse. Thousands of victims saw their files encrypted by ransomware that could not be reverse engineered. The private keys used in encryption were held by the attacker, and victims could not restore access to their files without them. Ransoms of around US$300-600 were demanded and it is estimated the criminals <a href="https://www.bbc.co.uk/news/technology-28661463">got away with</a> around US$3 million. CryptoLocker was eventually shut down in 2014 following an operation involving multiple international law enforcement agencies.</p>
<p>CryptoLocker was pivotal in showing proof of concept that criminals could earn large amounts of money from ransomware. Subsequently, there was an explosion of new variants and new types. There was also significant evolution in the strategies used by criminals.</p>
<h2>Off-the-shelf and double extortion</h2>
<p>One important development was the emergence of ransomware-as-a-service. This is a term for markets on the dark web through which criminals can obtain and use <a href="https://www.sciencedirect.com/science/article/pii/S0167404820300468">“off-the-shelf” ransomware</a> without the need for advanced computing skills while the ransomware providers take a cut of the profits. </p>
<p>Research has shown how the dark web is the “<a href="https://www.sciencedirect.com/science/article/pii/S0167404820300468">unregulated Wild West</a> of the internet” and a safe haven for criminals to communicate and exchange illegal goods and services. It is easily accessible and, with the help of anonymisation technology and digital currencies, there is a global black economy thriving there. An <a href="https://www.europol.europa.eu/cms/sites/default/files/documents/iocta_2019.pdf">estimated US$1 billion</a> was spent there during the first nine months of 2019 alone, according to the European Union Agency for Law Enforcement.</p>
<p>With <a href="https://www.sciencedirect.com/science/article/pii/S0167404820300468?ref=pdf_download&fr=RR-2&rr=7f373d3fbf9b0722">ransomware as a service</a> (RaaS) the barrier to entry for aspiring cyber criminals, in terms of both cost and skill, was lowered.</p>
<p>Under the RaaS model, expertise is provided by vendors who develop the malware while the attackers themselves may be relatively unskilled. This also has the effect of compartmentalising risk – the arrest of cyber criminals using ransomware no longer threatens the entire supply chain, allowing attacks launched by other groups to continue.</p>
<p>We have also seen a movement away from mass phishing attacks, like CryptoLocker, which reached more than 250,000 systems, to more targeted attacks. That has meant an increasing focus on organisations with the revenue to pay large ransoms. Multinational organisations, legal firms, <a href="https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector">schools, universities, hospitals and healthcare providers</a> have all become prime targets, as well as many small and micro businesses and charities.</p>
<p>A more recent development, seen in ransomware such as Netwalker and REvil/Sodinokibi, has been the threat of double extortion. This is where the criminals not only encrypt files but also exfiltrate data by copying the files. They then have the potential to leak or post potentially sensitive and important information.</p>
<p>An example of this occurred in 2020, when one of the largest software companies, Software AG, was hit with a <a href="https://www.computerweekly.com/news/252490395/Software-AG-caught-in-double-extortion-ransomware-hit">double extortion ransomware</a> called Clop. It was reported that the attackers had requested an exceptionally high ransom payment of US$20 million (about £15.7 million) which Software AG refused to pay. This led to attackers releasing confidential company data on the <a href="https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/">dark web</a>. This provides criminals with two sources of leverage: they can ransom for the private key to decrypt files and they can ransom to stop publication of sensitive data.</p>
<p>Double extortion changes the business model of ransomware in interesting ways. In particular, with standard ransomware, there is a relatively straightforward incentive for a victim to pay a ransom for access to the private key if that would allow decryption of the files, and they cannot access the files through any other means. The victim “only” needs to trust the cyber criminal will give them the key and that the key will work.</p>
<h2>‘Honour’ among thieves?</h2>
<p>But with data exfiltration, by contrast, it is not obvious what the victim gets in return for paying the ransom. The criminals still have the sensitive data and could still publish it at any time they want. They could, indeed, ask for subsequent ransoms not to publish the files.</p>
<p>Therefore, for data exfiltration to be a viable business strategy the criminals need to build a <a href="https://www.mdpi.com/2073-4336/10/2/26">credible reputation</a> of “honouring” ransom payments. This has arguably led to a normalised <a href="https://www.pure.ed.ac.uk/ws/portalfiles/portal/257573307/How_Cyber_Insurance_WOODS_%20DOA27052021_VOR.pdf">ransomware ecosystem</a>.</p>
<p>For instance, ransom negotiators are private contractors and in some cases are required as part of a cyber insurance agreement to provide expertise in the managing of crisis situations involving ransomware. Where instructed, they will facilitate negotiated ransom payments. Within this ecosystem, some ransomware criminal gangs have developed a reputation for not publishing data (or at least delaying publication) if a ransom is paid.</p>
<p>More generally, the encryption, decryption or exfiltration of files is typically a difficult and costly task for criminals to pull off. It is far simpler to delete the files and then claim they have been encrypted or exfiltrated and demand a ransom. However, if the victims suspect that they won’t be getting the decryption key or encrypted data back then they won’t pay the ransom. And those that do pay a ransom and get nothing in return may disclose that fact. This is likely to impact the attacker’s “reputation” and the likelihood of future ransom payments. Simply put, it pays to play “fair” in the world of extortion and ransom attacks.</p>
<p>So in less than ten years we have seen the ransomware threat evolve enormously from the relatively small-scale CryptoLocker to a <a href="https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/">multi-million dollar business</a> involving organised criminal gangs and sophisticated strategies. From 2020 onwards the incidence of ransomware, and consequent losses, have seemingly increased by another order of magnitude. Ransomware has become too big to ignore and is now a major concern for governments and law enforcement.</p>
<h2>Crypto extortion threats</h2>
<p>Devastating though ransomware has become, the threat will inevitably evolve further, as criminals develop new techniques for extortion. As mentioned already, a key theme in our collective research over the last ten years has been to try and preempt the likely strategies that criminals can employ so as to be ahead of the game. </p>
<p>Our research <a href="https://arxiv.org/pdf/2308.00590.pdf">is now focused on</a> the next generation of ransomware, which we believe will include variants focused on cryptocurrency, and the “consensus mechanisms” used within them.</p>
<p>A consensus mechanism is any method (usually algorithmic) used to achieve agreement, trust and security across a decentralised computer network.</p>
<figure class="align-center ">
<img alt="Financial business concept, bitcoin, etheruem, litecoin" src="https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The next target could be crypto.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/financial-business-concept-bitcoin-etheruem-litecoin-1056178808">Shutterstock/sundaemorning</a></span>
</figcaption>
</figure>
<p>Specifically, cryptocurrencies are increasingly using a so-called “<a href="https://theconversation.com/ethereum-second-biggest-cryptocurrency-to-cut-energy-use-by-over-99-but-the-industry-still-has-a-long-way-to-go-189907">proof-of-stake</a>” consensus mechanism, in which investors stake significant sums of currency to validate crypto transactions. These stakes are vulnerable to extortion by ransomware criminals.</p>
<p>Cryptocurrencies rely on a decentralised blockchain that provides a transparent record of all the transactions that have taken place using that currency. The blockchain is maintained by a peer-to-peer network rather than a central authority (as with conventional currency). In principle, the transaction records included in the blockchain are immutable, verifiable and securely distributed across the network, giving users full ownership and visibility into the transaction data. These properties of blockchain rely on a secure and non-manipulable “consensus mechanism” in which the independent nodes in the network “approve” or “agree” which transactions to add to the blockchain.</p>
<p>Until now, cryptocurrencies like Bitcoin have relied on a so-called “proof-of-work” consensus mechanism in which the authorisation of transactions involves the solving of complex mathematical problems (the work). In the long term this approach is unsustainable because it results in duplication of effort and avoidable <a href="https://www.forbes.com/advisor/investing/cryptocurrency/bitcoins-energy%20usage-explained/">large scale energy use</a>.</p>
<p>The alternative, which is now becoming a reality, is a “proof-of-stake” consensus mechanism. Here, transactions are approved by validators who have staked money and are financially rewarded for validating transactions. The role of inefficient work is replaced by a financial stake. While this addresses the energy problem, it means that large amounts of staked money become involved in validating crypto-transactions.</p>
<h2>Ethereum</h2>
<p>The existence of this staked money provides a novel threat to some proof-of-stake cryptocurrencies. We have focussed our attention on <a href="https://ethereum.org/en/">Ethereum</a>, a decentralised cryptocurrency that establishes a peer-to-peer network to securely execute and verify application code, known as a smart contract.</p>
<p>Ethereum is powered by the Ether (ETH) token that allows users to transact with each other through the use of these smart contracts. The Ethereum project was co-founded by Vitalik Buterin in 2013 to overcome shortcomings with Bitcoin. On September 15 2022, <a href="https://ethereum.org/en/roadmap/merge/">The Merge</a> moved the Ethereum network from proof-of-work to proof-of-stake, making it one of the first prominent proof-of-stake cryptocurrencies.</p>
<p>The proof-of-stake consensus mechanism in Ethereum relies on “validators” to approve transactions. To set up a validator there needs to be a minimum stake of 32 ETH, which is currently around US$60,000 (around £43,000). Validators can then earn a financial return on their stake by operating a validator in accordance with Ethereum rules. At the time of writing there are around <a href="https://beaconscan.com/statistics">850,000 validators</a>.</p>
<p>A lot of hope is being pinned on the “stake” solution of validation - but hackers are sure to be looking into how they can infiltrate the system.</p>
<p>In our project, which was funded by the Ethereum Foundation, we identified ways in which ransomware groups could exploit the new proof-of-stake mechanism for extortion. </p>
<h2>Slashing</h2>
<p>We found that attackers could exploit validators through a process called “slashing”. While validators receive rewards for obeying the rules, there are financial penalties for validators that are seen to act maliciously. The basic objective of penalties is to prevent exploitation of the decentralised blockchain.</p>
<p>There are two forms of penalties, the most severe of which is slashing. Slashing occurs for actions that should not happen by accident and could jeopardise the blockchain, such as proposing conflicting blocks to be added to the blockchain, or trying to change history.</p>
<p>Slashing penalties are relatively severe with the validator losing a significant share of their stake, at least 1ETH. Indeed, in the most extreme case the validator could lose all of their stake (32ETH). The validator will also be forced to exit and no longer act as a validator. In short, if a validator is slashed there are big financial consequences.</p>
<p>To perform actions, validators are assigned unique signing keys that, in essence, prove who they are to the network. Suppose that a criminal got hold of the signing key? Then they could blackmail the victim into paying a ransom.</p>
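<p>Added example, not code from the article or from the authors' project: a minimal Python slashing-protection check implementing the slashable offences the article describes (a conflicting block for the same slot, a double vote and a surround vote on attestations), as a validator client or staking-pool monitor would run it before a key signs anything. The validator key and the block and attestation roots are constructed placeholders.</p>

```python
# Added example (not from the article or the authors' project): a minimal
# slashing-protection check applying the Ethereum consensus-layer slashable
# offences the article refers to ("proposing conflicting blocks",
# "trying to change history"). A validator client or a staking-pool monitor
# keeps a signing history per validator key and refuses to sign, or flags,
# any message that would make that key slashable. Keys and roots below are
# constructed placeholders, not real Ethereum values.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BlockProposal:
    slot: int
    block_root: str  # hash tree root of the block (constructed placeholder)


@dataclass(frozen=True)
class Attestation:
    source_epoch: int
    target_epoch: int
    data_root: str  # hash tree root of the attestation data (placeholder)


def proposal_violation(history: List[BlockProposal], new: BlockProposal) -> Optional[str]:
    """Double proposal: signing two different blocks for the same slot.
    Re-signing the identical block is not slashable."""
    for old in history:
        if old.slot == new.slot and old.block_root != new.block_root:
            return f"double proposal at slot {new.slot}"
    return None


def attestation_violation(history: List[Attestation], new: Attestation) -> Optional[str]:
    """Double vote (same target epoch, different data) or surround vote
    (one source->target span strictly encloses the other)."""
    for old in history:
        if old.target_epoch == new.target_epoch and old.data_root != new.data_root:
            return f"double vote for target epoch {new.target_epoch}"
        if old.source_epoch < new.source_epoch and new.target_epoch < old.target_epoch:
            return (f"attestation {new.source_epoch}->{new.target_epoch} is surrounded by "
                    f"{old.source_epoch}->{old.target_epoch}")
        if new.source_epoch < old.source_epoch and old.target_epoch < new.target_epoch:
            return (f"attestation {new.source_epoch}->{new.target_epoch} surrounds "
                    f"{old.source_epoch}->{old.target_epoch}")
    return None


class SlashingProtection:
    """Per-key signing history. Messages that would be slashable are refused
    and never enter the history, so the key stays safe to keep using."""

    def __init__(self) -> None:
        self.proposals: Dict[str, List[BlockProposal]] = {}
        self.attestations: Dict[str, List[Attestation]] = {}

    def try_sign_block(self, pubkey: str, proposal: BlockProposal) -> Optional[str]:
        history = self.proposals.setdefault(pubkey, [])
        reason = proposal_violation(history, proposal)
        if reason is None:
            history.append(proposal)
        return reason

    def try_sign_attestation(self, pubkey: str, att: Attestation) -> Optional[str]:
        history = self.attestations.setdefault(pubkey, [])
        reason = attestation_violation(history, att)
        if reason is None:
            history.append(att)
        return reason


def demo() -> List[str]:
    """Replay a constructed signing sequence for one validator key and
    return the reasons for every refused message."""
    sp = SlashingProtection()
    key = "0xVALIDATOR01"  # constructed placeholder, not a real BLS public key
    results = [
        sp.try_sign_block(key, BlockProposal(100, "root-a")),        # first block for slot 100
        sp.try_sign_block(key, BlockProposal(100, "root-a")),        # identical, harmless
        sp.try_sign_block(key, BlockProposal(100, "root-b")),        # conflicting block: refused
        sp.try_sign_attestation(key, Attestation(10, 11, "att-1")),
        sp.try_sign_attestation(key, Attestation(10, 11, "att-2")),  # double vote: refused
        sp.try_sign_attestation(key, Attestation(12, 13, "att-3")),
        sp.try_sign_attestation(key, Attestation(11, 14, "att-4")),  # surrounds 12->13: refused
    ]
    return [reason for reason in results if reason is not None]


if __name__ == "__main__":
    for reason in demo():
        print("refused:", reason)
```

<p>This check only protects a key used through the legitimate signer; a stolen copy of the key on another machine is not bound by it, which is why the article's mitigation is keeping the signing keys out of reach in the first place.</p>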
<figure class="align-center ">
<img alt="Flow chart showing what happens when ransomware attacks infiltrate crypto." src="https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=604&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=604&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=604&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=759&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=759&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=759&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Flow diagram showing just how complicated it gets when there is an extortion attack against proof-of-stake validators, such as Ethereum.</span>
<span class="attribution"><span class="source">Alpesh Bhudia</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<h2>A ‘smart contract’</h2>
<p>The victim may be reluctant to pay the ransom unless there is a guarantee that the criminals will not take their money and fail to return/release the key. After all, what is to stop the criminals asking for another ransom? </p>
<p>One solution we have found – which harks back to the fact that ransomware has in fact become a kind of business operated by criminals who want to prove they have an “honest” reputation – is a smart contract.</p>
<p>This automated contract can be written so that the process only works if both sides “honour” their side of the bargain. So, the victim could pay the ransom and be confident that this will resolve the direct extortion threat. This is possible on Ethereum because all the steps required are publicly observable on the blockchain – the deposit, the signal to exit, the absence of slashing, and the return of the stake.</p>
<p>Functionally, these smart contracts are an <a href="https://dictionary.cambridge.org/dictionary/english/escrow">escrow system</a> in which money may be held until pre-agreed conditions are met. For instance, if the criminals force slashing before the validator has fully exited, then the contract will ensure that the ransom amount is returned to the victim. Such contracts are, however, open to abuse, and there’s no guarantee that an attacker-authored contract can be trusted. There is potential for the contract to be automated in a fully trusted way, but we have yet to observe such behaviour and systems emerge.</p>
<h2>The staking pools threat</h2>
<p>This type of “pay and exit” strategy is an effective way for criminals to extort victims if they can obtain the validator signing keys. </p>
<p>So how much damage would a ransomware attack like this do to Ethereum? If a single validator is compromised then the slashing penalty – and so maximum ransom demand – would be in the region of 1ETH, which is around US$1,800 (about £1,400). To leverage larger amounts of money the criminals, therefore, need to target organisations or staking pools that are responsible for managing large numbers of validators.</p>
<p>Remember, that given the high entry costs for individual investors, most of the validating on Ethereum will be run under “staking pools” in which multiple investors can collectively stake money. </p>
<p>To put this in perspective, Lido is the largest staking pool in Ethereum with around 127,000 validators and 18% of the total stake; Coinbase is the second largest with 40,000 validators and 6% of the total stake. In total, there are 21 staking pools operating more than 1,000 validators. Any one of these staking pools is responsible for tens of millions of dollars of stake and so viable ransom demands could also be in the millions of dollars.</p>
<p>Proof-of-stake consensus mechanisms are too young for us to know whether extortion of staking pools will become an active reality. But the general lesson of ransomware’s evolution is that the criminals tend to gravitate towards strategies that incentivise payment and increase their illicit gains.</p>
<p>The most straightforward way that investors and staking pool operators can mitigate the extortion threat we have identified is by protecting their signing keys. If the criminals cannot access the signing keys then there is no threat. If the criminals can only access some of the keys (for operators with multiple validators) then the threat may fail to be lucrative. </p>
<p>So staking pools need to take measures to secure signing keys. This would involve a range of actions including: partitioning validators so that a breach only impacts a small subset; stepping up cyber security to prevent intrusion; and robust internal processes to limit the insider threat of an employee divulging signing keys.</p>
<figure class="align-center ">
<img alt="Concept using blocks with locks and keys printed on them to show encryption keys being compromised." src="https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=405&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=405&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=405&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=509&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=509&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=509&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">What happens when hackers gain access to secret keys?</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/intruder-gains-access-secrets-hacker-hacking-2249792687">Shutterstock/Andrii Yalanskyi</a></span>
</figcaption>
</figure>
<p>The staking pool market for cryptocurrencies like Ethereum is competitive. There are many staking pools, all offering relatively similar services, and competing on price to attract investors. These competitive forces, and the need to cut costs, may lead to relatively lax security measures. Some staking pools may, therefore, prove a relatively easy target for criminals.</p>
<p>Ultimately, this can only be solved with regulation, greater awareness and for investors in staking pools to demand high levels of security to protect their stake.</p>
<p>Unfortunately, the history of ransomware suggests that high profile attacks will need to be seen before the threat is taken seriously enough. It is interesting to contemplate the consequences of a significant breach of a staking pool. The reputation of the staking pool would presumably be badly affected and so the staking pool’s viability in a competitive market is questionable. An attack may also have implications for the reputation of the currency.</p>
<p>At the most serious, it could lead to a currency collapsing. When that happens – as it did with <a href="https://www.bbc.co.uk/news/business-64313624">FTX in 2022</a> following another hacking attack – there are knock-on effects to the global economy.</p>
<h2>Here to stay</h2>
<p>Ransomware will be a challenge for years, if not decades, to come. </p>
<p>One potential vision of the future is that ransomware just becomes part of normal economic life with organisations facing the constant threat of attack, with few consequences for the largely anonymous gangs of cyber criminals behind the scams.</p>
<p>To preempt such negative consequences we need greater awareness of the threat. Then investors can make more informed decisions over which staking pools and currencies to invest in. It also makes sense to have a <a href="https://link.springer.com/chapter/10.1007/978-3-031-16035-6_9">market with many staking pools</a>, rather than a market dominated by just a few large ones, as this could insulate the currency from possible attacks.</p>
<p>Beyond crypto, preemption involves investment in cyber security across a range of forms – from staff training to an organisational culture that supports reporting of incidents. It also involves investment in recovery options, such as effective back-ups, in-house expertise, insurance and tried and tested contingency plans.</p>
<p>Unfortunately, cyber security practices are not improving as one might hope in many organisations and this is leaving the door open for cyber criminals. Essentially, everyone needs to get better at hiding, and protecting, their digital keys and sensitive information if we are to stand a chance against the next generation of ransomware attackers.</p>
<p class="fine-print"><em><span>Alpesh Bhudia's research was funded by the Ethereum Foundation for the project “Game theoretic modelling of a ransomware attack against Ethereum 2.0 validators” and “REVOKE: Consensus-layer mitigations for validator ransomware attacks”, from which this article derives some contributions. The research team is scheduled to present their findings on August 30 at the ARES Conference.</span></em></p>
<p class="fine-print"><em><span>Anna Cartwright receives funding from The Ethereum Foundation, for the project "Game theoretic modelling of a ransomware attack against Ethereum 2.0 validators", from which this article derives some contributions.</span></em></p>
<p class="fine-print"><em><span>Darren Hurley-Smith received funding from The Ethereum Foundation, for the REVOKE project, from which this article derives some theoretical contributions.</span></em></p>
<p class="fine-print"><em><span>Edward Cartwright receives funding from The Ethereum Foundation, for the project "Game theoretic modelling of a ransomware attack against Ethereum 2.0 validators", from which this article derives some contributions.</span></em></p>
<p class="fine-print"><em>What will ransomware attackers focus on next?</em></p>
<p class="fine-print"><em>Alpesh Bhudia, Doctoral Researcher in Cyber Security, Royal Holloway University of London; Anna Cartwright, Principal Lecturer in Accounting, Finance and Economics, Oxford Brookes University; Darren Hurley-Smith, Senior Lecturer in Information Security, Royal Holloway University of London; Edward Cartwright, Professor of Economics, De Montfort University. Licensed as Creative Commons – attribution, no derivatives.</em></p>
<hr>
<p class="fine-print">tag:theconversation.com,2011:article/147531 – 2020-10-29T18:49:22Z</p>
<p><strong>Ransomware can interfere with elections and fuel disinformation – basic cybersecurity precautions are key to minimizing the damage</strong></p>
<figure>
<img src="https://images.theconversation.com/files/366273/original/file-20201028-13-111h5ve.jpg?ixlib=rb-1.1.0&rect=0%2C33%2C7348%2C4858&q=45&auto=format&w=496&fit=clip" />
<figcaption><span class="caption">Ransomware attacks often strike local government computer systems, which poses a challenge for protecting elections.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/woman-finding-computer-getting-virus-attack-royalty-free-image/847207652">PRImageFactory/iStock via Getty Images</a></span></figcaption>
</figure>
<p>Government computer systems in Hall County, Georgia, including a voter signature database, were <a href="https://www.cnn.com/2020/10/22/tech/ransomware-election-georgia/index.html">hit by a ransomware attack</a> earlier this fall in the first known ransomware attack on election infrastructure during the 2020 presidential election. Thankfully, county officials reported that the voting process for its citizens was not disrupted.</p>
<p>The attack follows on the heels of a <a href="https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html">ransomware attack last month on eResearchTechnology</a>, a company that provides software used in clinical trials, including trials for COVID-19 tests, treatments and vaccines. Less than a week after the attack in Georgia was revealed, the <a href="https://apnews.com/article/politics-crime-elections-presidential-elections-548634f03e71a830811d291401651610">FBI warned</a> that cyber criminals have unleashed a wave of ransomware attacks targeting hospital information systems.</p>
<p>Attacks like these underscore the challenges that cybersecurity experts face daily – and which loom over the upcoming election. As a <a href="https://cybersecurity.umbc.edu/richard-forno/">cybersecurity professional and researcher</a>, I can attest that there is no silver bullet for defeating cyber threats like ransomware. Rather, defending against them comes down to the actions of thousands of IT staff and millions of computer users in organizations large and small across the country, embracing and applying the basic good computing practices and IT procedures that have been promoted for years.</p>
<h2>What is ransomware?</h2>
<p>Ransomware is a form of malicious software, or malware, that typically encrypts a victim’s computer files, holds the files hostage and then demands a payment to send the decryption key that unlocks the files. Individual ransomware payments usually range from a few hundred to a few thousand dollars, with the expectation that a relatively low dollar amount will motivate the victim to quickly pay the attacker to end the incident. </p>
<p>Ransomware attacks frequently begin through email as a typical <a href="https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html">phishing</a> message purporting to be from someone the potential victim trusts, such as a co-worker or friend. However, emerging types of ransomware exploit existing or recently discovered security vulnerabilities – in other words, they hack in – <a href="https://arstechnica.com/information-technology/2020/10/dhs-warns-that-emotet-malware-is-one-of-the-most-prevalent-threats-today/">to gain system access</a> without requiring any user interaction at all.</p>
<p>Once a computer system is compromised, there are many things a ransomware attack can do. But the most common outcome is encrypting a user’s data to hold it for a ransom payment. In other cases, ransomware encrypts a victim’s data and the ransomware’s creator threatens to release personal or sensitive information onto the internet unless the ransom is paid. </p>
<figure class="align-center ">
<img alt="Computer screen showing ransomware demand" src="https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=449&fit=crop&dpr=1 600w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=449&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=449&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=565&fit=crop&dpr=1 754w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=565&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=565&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A typical ransomware attack seizes control of a victim’s computer files and holds them for ransom.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:%EA%B0%90%EC%97%BC%EC%82%AC%EC%A7%84.png">So5146/Wikimedia</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>While ransomware attacks can affect any internet user or organization, attackers tend to target entities known for having less-robust cybersecurity defenses, including <a href="https://enterprise.verizon.com/resources/reports/dbir/">hospitals, health systems and state or local government computers</a>. Health care in particular remains an enticing ransomware target: In 2019, <a href="https://healthitsecurity.com/news/ransomware-attacks-on-healthcare-providers-rose-350-in-q4-2019">759 health care providers</a> in the U.S. were hit. Overall, ransomware attacks cost users and companies <a href="https://www.technologyreview.com/2020/01/02/131035/ransomware-may-have-cost-the-us-more-than-75-billion-in-2019/">over US$7 billion</a> in 2019 as a result of either ransoms paid or through costs incurred in recovering from attacks.</p>
<h2>Ransomware’s toll</h2>
<p>The first high-profile ransomware incident was launched by North Korea in 2017. Using malware called <a href="https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html">“Wannacry</a>,” the attackers brought the British National Health Service to a paralyzing halt. Hospitals lost access to their computer systems and routine and emergency care was disrupted. But that was a preview of things to come: In 2020, <a href="https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html">a patient in Germany died</a> after being diverted to another hospital due to a ransomware incident.</p>
<p>In 2020, during the COVID-19 pandemic, a ransomware attack <a href="https://www.wired.com/story/universal-health-services-ransomware-attack/">crippled over 250 medical facilities</a> run by American-based Universal Health Services. At eResearchTechnology, staff conducting COVID-19 clinical trials were <a href="https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html">locked out of their data</a> and unable to conduct business for nearly two weeks.</p>
<p>And it’s not just health care organizations. The city of Atlanta was <a href="https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/">crippled</a> by ransomware in 2018. Baltimore was similarly <a href="https://theconversation.com/hackers-seek-ransoms-from-baltimore-and-communities-across-the-us-118089">paralyzed</a> in 2019. In both cases, city services – from tax collection and business licensing to real estate transactions – were unavailable to citizens. Numerous smaller cities around the world also have been affected by ransomware attacks.</p>
<p>However, even organizations with good IT policies and procedures find it extremely <a href="https://www.baltimoresun.com/politics/bs-md-ci-ransomware-expenses-20190828-njgznd7dsfaxbbaglnvnbkgjhe-story.html">costly</a> to investigate and recover from ransomware attacks, whether or not they pay the ransom. For example, an organization’s routine data backup can also inadvertently include ransomware code. This means victims need to ensure <a href="https://www.infosecurity-magazine.com/opinions/keeping-backups-ransomware/">they are not restoring the ransomware infection</a> when they reconstruct their systems after an attack. Depending on the victim’s backup procedures, locating a ransomware-free backup can be a very time-consuming process.</p>
<h2>Ransomware and election 2020</h2>
<p>The 2016 elections underscored the importance of ensuring the security and integrity of information related to government operations, including elections. Unfortunately, for many state and local governments, ransomware concerns are just another in a <a href="https://cybersecurity.umbc.edu/cybersecurity-for-local-governments/">long line of issues</a> that cybersecurity teams must contend with during periods of limited budgets and staffing.</p>
<p>Much has already been <a href="https://theconversation.com/how-vulnerable-to-hacking-is-the-us-election-cyber-infrastructure-63241">written</a> about the vulnerable and fragile state of America’s election systems, ranging from obsolete operating systems installed on voting machines to insecure networks and systems that exchange and store vote tabulations, to ensuring the protection of voter registration databases. </p>
<p>Making this situation more challenging is that many local governments don’t know what’s happening on their networks. A <a href="https://doi.org/10.1111/puar.13028">nationwide survey</a> conducted by University of Maryland, Baltimore County researchers in 2016 reported that nearly 30% of local government officials would not know if a cyberattack was affecting them. This lack of awareness means an attack could be well underway and causing havoc before security teams realize it – let alone respond.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="voters fill out ballots during early voting in Cleveland, Ohio on October 6, 2020" src="https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Voting is vulnerable to cyberattacks at several points, from voter registration rolls to voter signature databases and computers that tabulate votes.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/ElectionSecurityTrump/cb65c952390c43ddbaaa435640d87e8c/photo">AP Photo/Tony Dejak</a></span>
</figcaption>
</figure>
<p>Despite a growing awareness of the threat, ransomware has the potential to adversely affect the 2020 election. Unfortunately, if state and local election offices haven’t implemented strong cybersecurity protections by now, it’s probably too late to do anything meaningful given that voting is well underway. So it’s no surprise that election offices across America are considering <a href="https://slate.com/news-and-politics/2020/08/election-nightmares-experts.html">potential nightmare scenarios</a> that include cyberattacks that might disrupt election activities.</p>
<h2>Fuel for disinformation</h2>
<p>Elections are based on trust – trust in the voting mechanisms and procedures, trust in the voting data and trust in the overall electoral process. But trust in all these items is under <a href="https://theconversation.com/weaponized-information-seeks-a-new-target-in-cyberspace-users-minds-100069">active attack</a> by adversaries both <a href="https://www.npr.org/2020/09/28/917757932/trumps-baseless-attacks-on-election-integrity-bolstered-by-disinformation-online">at home</a> and <a href="https://www.washingtonpost.com/national-security/us-defends-russian-election-interference/2020/10/21/533b508a-130a-11eb-bc10-40b25382f1be_story.html">from abroad</a> using a variety of <a href="https://www.sciencemag.org/news/2020/10/us-election-nears-researchers-are-following-trail-fake-news">influence and disinformation techniques</a> that have become more <a href="https://www.insidehook.com/article/politics/how-election-hacks-work-according-cybersecurity-expert">refined</a> since 2016.</p>
<p>Thankfully, ransomware attacks are unlikely to cripple the entire U.S. election given the <a href="https://abcnews.go.com/Politics/election-cybersecurity-decentralized-system-viewed-blessing-curse/story?id=58877082">decentralized nature</a> of voting jurisdictions and systems. However, even a few successful attacks could <a href="https://www.technologyreview.com/2020/10/15/1010551/election-ransomware-disinformation/">contribute to disinformation campaigns</a> that erode confidence in the outcome of the election.</p>
<h2>How to lower the risk</h2>
<p>At this point, since the election is already happening, state and local governments should increase the monitoring of their computer systems and implement even more stringent security controls on any devices or computers that might touch election-related networks in any way. Sharing real-time information about threats and working with the DHS, FBI and Office of the Director of National Intelligence election security teams, along with other states’ election offices, also will help keep election officials informed. Additionally, <a href="https://www.washingtonpost.com/technology/2020/10/12/microsoft-trickbot-ransomware/">major technology vendors</a> and the <a href="https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html">U.S. military</a> are taking active steps to disrupt cybersecurity threats, including ransomware, that may target the electoral process. </p>
<figure class="align-center ">
<img alt="A woman walks in front of the Microsoft stand " src="https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=296&fit=crop&dpr=1 600w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=296&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=296&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=372&fit=crop&dpr=1 754w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=372&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=372&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Microsoft took legal action this month to disrupt a major botnet, a cybercrime digital network that used more than 1 million zombie computers to spread ransomware.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/Cybersecurity-TrickbotBotnet/c39a2d954b584e9888083bba54751d7d/photo">AP Photo/Michel Spingler</a></span>
</figcaption>
</figure>
<p>As with most cybersecurity problems, the ransomware threat can be minimized by implementing common-sense best practices – many of which have been <a href="https://theconversation.com/overcoming-cyber-fatigue-requires-users-to-step-up-for-security-70621">recommended for decades</a> but often are not followed. These include keeping systems up to date, ensuring security software is installed and current, monitoring network activities and implementing appropriate IT policies and procedures, including resilient backup practices. For individual users, thinking before clicking an email link – even from people you know – is excellent self-defense that makes many ransomware or phishing attacks less likely to succeed. </p>
<p>None of these practices is specific to the ransomware threat or election security. But for this and other cyber threats, the best thing to do is to continue implementing and enforcing those common-sense, decades-old best practices of information protection that can help guard against the ever-widening range of cyberthreats – including ransomware.</p>
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career, and sits on the advisory board of BlindHash, a cybersecurity startup focusing on remedying the password problem</span></em></p>
<p class="fine-print">A ransomware attack on election-related government computers in a Georgia county raises the specter of more disruptions for Election Day voting and vote tabulation.</p>
<p class="fine-print">Richard Forno, Senior Lecturer, Cybersecurity &amp; internet researcher, University of Maryland, Baltimore County. Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>Cybersecurity: high costs for companies</h1>
<p class="fine-print">Published 2019-02-03T19:12:39Z (theconversation.com article 110807).</p>
<figure><img src="https://images.theconversation.com/files/256907/original/file-20190202-112389-1wc48q4.jpg?ixlib=rb-1.1.0&rect=0%2C53%2C4000%2C2443&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">If they cannot be completely prevented, detecting computer attacks as early as possible helps to limit their costs.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/fr/image-photo/concept-screen-full-binary-computer-data-721630210?src=At-xZDAK4hThpInXiUs0gg-1-0">Shutterstock</a></span></figcaption></figure>
<p>The world of cybersecurity has changed drastically over the past 20 years. In the 1980s, information systems security was a rather small, specialist field with a focus on technical excellence. The notion of financial gain was more or less absent from attackers’ motivations. It was in the early 2000s that the first security products started to be marketed: firewalls, identity or event management systems, detection sensors, etc. At the time these products were clearly identified, as was their cost, which was high at times. Almost 20 years later, things have changed: attacks are now a source of financial gain for attackers.</p>
<h2>What is the cost of an attack?</h2>
<p>Today, financial motivations are usually behind attacks. An attacker’s goal is to obtain money from victims, either directly or indirectly, whether through requests for ransom (ransomware) or denial of service. Spam was <a href="https://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf">one of the first ways to earn money</a> by selling <a href="http://www.davidreiley.com/papers/SpamEconomics.pdf">illegal or counterfeit products</a>. Since then, <a href="https://fc18.ifca.ai/bitcoin/papers/bitcoin18-final11.pdf">attacks on digital currencies such as bitcoin</a> have become quite popular. Attacks on telephone systems are also <a href="http://s3.eurecom.fr/docs/eurosp17_sahin.pdf">extremely lucrative</a> in an age where smartphones and computer technology are ubiquitous.</p>
<p>It is extremely difficult to assess the cost of cyber-attacks because of the wide range of approaches used. Information from two different sources can, however, provide insight into the loss incurred: that of service providers and that of the scientific community.</p>
<p>On the service provider side, a report by the American service provider Verizon entitled <a href="http://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf">“Data Breach Investigation Report 2017”</a> measures the number of records compromised by an attacker during an attack but does not convert this information into monetary value. Meanwhile, <a href="https://www.ibm.com/security/data-breach">IBM and Ponemon</a> indicate an average cost of $141 US per record compromised, while specifying that this cost is subject to significant variations depending on country, industrial sector, etc. And a report published by Accenture during the same period assesses the average annual cost of cybersecurity incidents at approximately $11 million US (for 254 companies).</p>
<h2>How much money do the attackers earn?</h2>
<p>In 2008, American researchers tried to assess <a href="https://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf">the earnings of a spam network operator</a>. The goal was to determine the extent to which an unsolicited e-mail could lead to a purchase. By analysing half a billion spam messages sent by two networks of infected machines (botnets), the authors estimated that the hackers who managed the networks earned $3 million US. However, the net profit was very low. Additional studies have shown the impact of cyber-attacks on the share price of corporate victims. This cybersecurity economics topic has also been developed as part of the Workshop on the Economics of Information Security.</p>
<p>The figures may appear to be high, but as is traditionally the case for Internet services, attackers benefit from a network effect in which the cost of adding a victim is low, but the cost of creating and installing the attack is very high. In the case studied in 2008, the e-mails were sent using the <a href="https://en.wikipedia.org/wiki/Zeus_(malware)">Zeus botnet</a>. Since this network steals computing resources from the compromised machines, the initial cost of the attack was also very low.</p>
<p>In short, the cost of cyberattacks has been a topic of study for many years now. Both academic and commercial studies exist. Nevertheless, it remains difficult to determine the exact cost of cyber-attacks. It is also worth noting that it has historically been greatly overestimated.</p>
<h2>The high costs of defending against attacks</h2>
<p>Unfortunately, defending against attacks is also very expensive. While an attacker only has to find and exploit one vulnerability, those in charge of defending against attacks have to manage all possible vulnerabilities. Furthermore, there is an ever-growing number of vulnerabilities discovered every year in information systems. Additional vulnerabilities are regularly introduced by the implementation of new services and products, sometimes unbeknownst to the administrators responsible for a company network. One such case is the <a href="https://en.wikipedia.org/wiki/Bring_your_own_device">“bring your own device” (BYOD) model</a>. By authorizing employees to work on their own equipment (smartphones, personal computers) this model destroys the perimeter defence that existed a few years ago. Far from saving companies money, it introduces an additional dose of vulnerability.</p>
<p>The cost of security tools remains high as well. Firewalls or detection sensors can cost as much as 100,000 euros, and a monitoring platform to manage all this security equipment can cost up to ten times as much. Furthermore, monitoring must be carried out by professionals, and there is a shortage of these skills in the labour market. Overall, the deployment of protection and detection solutions amounts to <a href="https://www.accenture.com/t20170926T072837Z_w_/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf">millions of euros every year</a>.</p>
<p>Moreover, it is also difficult to determine the effectiveness of detection centres intended to prevent attacks because we do not know the precise number of failed attacks. A number of initiatives, such as <a href="https://www.etsi.org/technologies-clusters/technologies/information-security-indicators">Information Security Indicators</a>, are however attempting to answer this question. One thing is certain: every day information systems can be compromised or made unavailable, given the number of attacks that are continually carried out on networks. The spread of the <a href="https://en.wikipedia.org/wiki/WannaCry_ransomware_attack">malicious code Wannacry</a> proved how brutal certain attacks can be and how hard it can be to predict their development.</p>
<p>Unfortunately, the only effective defence is often updating vulnerable systems once flaws have been discovered. This has few consequences for a workstation, but is more difficult on servers, and can be extremely difficult in high-constraint environments (critical servers, industrial protocols, etc.). These maintenance operations always have a hidden cost, linked to the unavailability of the hardware that must be updated. And there are also limitations to this strategy. Certain updates are impossible to implement, as was the case with Skype, which required a <a href="https://www.theregister.co.uk/2018/02/15/microsoft_skype_fixed/">major software update</a> and left its status uncertain. Other updates can be extremely expensive, such as those used to correct the Spectre and Meltdown vulnerabilities that affect the microprocessors of most computers. Intel has now stopped patching the vulnerability in older processors.</p>
<h2>A delicate decision</h2>
<p>The problem of security comes down to a rather traditional risk analysis, in which an organization must decide which risks to protect itself against, how subject it is to risks, and which ones it should insure itself against.</p>
<p>In terms of protection, it is clear that certain filtering tools such as firewalls are imperative in order to preserve what is left of the perimeter. Other subjects are more controversial, such as Netflix’s decision to abandon anti-virus software and rely instead on large-scale data analysis to detect cyber-attacks.</p>
<p>It is very difficult to assess how exposed a company is to risks, since they are often the result of technological advances in vulnerabilities and attacks rather than a conscious decision made by the company. Denial-of-service attacks, like the one carried out in 2016 using the Mirai malware, for example, are increasingly powerful and therefore difficult to counter.</p>
<p>The insurance strategy for cyber-risk is even more complicated, since premiums are extremely difficult to calculate. Cyber-risk is often systemic, since a single flaw can affect a large number of clients. Unlike the risk of natural catastrophe, which is limited to a region, allowing insurance companies to spread the risk over their various clients and calculate a future risk based on risk history, computer vulnerabilities are often widespread, as can be seen in recent examples such as the Meltdown, Spectre and <a href="https://www.krackattacks.com/">Krack</a> flaws. Almost all processors and wi-fi terminals are vulnerable.</p>
<p>Another aspect that makes it difficult to estimate risks is that vulnerabilities are often latent, which means that only a small community is aware of them. The flaw used by the Wannacry malware had already been identified by the NSA, the US National Security Agency (under the name EternalBlue). The attackers who used the flaw learned about its existence from documents leaked from the American government agency itself.</p>
<h2>How can security be improved? The basics are still fragile</h2>
<p>Faced with a growing number of vulnerabilities and problems to solve, it seems essential to reconsider the way Internet services are built, developed and operated. In other industrial sectors the answer has been to develop standards and certify products in relation to these standards. This means guaranteeing smooth operations, often in a statistical manner. The aeronautics industry, for example, certifies its aircraft and pilots and has very strong results in terms of safety. In a more closely-related sector, telephone operators in the 1970s guaranteed excellent network reliability with a risk of service disruption lower than 0.0001%.</p>
<p>This approach also exists in the Internet sector with certifications based on <a href="https://blog.ercom.com/common-criteria/">common criteria</a>. These certifications often result from military or defence needs. They are therefore expensive and take a long time to obtain, which is often incompatible with the speed-to-market required for Internet services. Furthermore, standards that could be used for these certifications are often insufficient or poorly suited for civil settings. Solutions have been proposed to address this problem, such as the CSPN certification defined by the <a href="https://www.ssi.gouv.fr/en/">ANSSI (French National Information Systems Security Agency)</a>. However, the scope of the CSPN remains limited.</p>
<p>It is also worth noting the consistent positioning of computer languages in favour of quick, easy production of computer code. In the 1970s, languages that chose ease of use over rigour came into favour. These languages may be the source of significant vulnerabilities. The recent <a href="http://php.net/manual/en/history.php.php">PHP</a> case is one such example. Used by millions of websites, it was one of the major causes of <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a> vulnerabilities.</p>
<h2>The cost of cybersecurity, a question no longer asked</h2>
<p>In strictly financial terms, cybersecurity is a cost centre that directly impacts a company or administration’s operations. It is important to note that choosing not to protect an organization against attacks amounts to attracting attacks since it makes the organization an easy target. As is often the case, it is therefore worthwhile to provide a reminder about the rules of computer hygiene.</p>
<p>The cost of computer flaws is likely to <a href="https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/">increase significantly in the years ahead</a>. And more generally, the cost of repairing these flaws will rise even more dramatically. We know that the point at which an error is identified in a computer code greatly <a href="https://www.isixsigma.com/industries/software-it/defect-prevention-reducing-costs-and-enhancing-quality/">affects how expensive it is to repair it</a>: the earlier it is detected, the less damage is done. It is therefore imperative to improve development processes in order to prevent programming errors from quickly becoming remote vulnerabilities.</p>
<p>IT tools are also being improved. More robust languages are being developed. These include new languages like Rust and <a href="https://golang.org/">Go</a>, and older languages that have come back into fashion, such as <a href="https://en.wikipedia.org/wiki/Scheme_(programming_language)">Scheme</a>. They represent stronger alternatives to the languages currently taught, without going back to languages as complicated as <a href="https://www.iso.org/news/2013/02/Ref1707.html">Ada</a>, for example. It is essential that teaching practices progress in order to factor in these new languages.</p>
<p>Wasted time, stolen or lost data… We have been slow to recognize the loss of productivity caused by cyber-attacks. It must be acknowledged that cybersecurity now contributes to a business’s performance. Investing in effective IT tools has become an absolute necessity.</p>
<p class="fine-print"><em><span>Hervé Debar has received funding from the European Commission under the Horizon 2020 programme (H2020), the National Research Agency (ANR), the Directorate General for Enterprise (DGE) under the FUI and PIA programmes, the Essonne General Council (ASTRE programme), the Mines-Télécom Foundation and the Carnot TSN Institute. He represents the Institut Mines-Télécom on the "Digital Confidence and Security" steering committee of the System@tic pole and at the European CyberSecurity Organization (ECSO).</span></em></p>
<p class="fine-print">The cost of computer attacks to companies is difficult to quantify precisely. One thing is certain, however: it is constantly rising. As is the case with defensive measures…</p>
<p class="fine-print">Hervé Debar, Head of the Networks and Telecommunication Services Department at Télécom SudParis, Télécom SudParis – Institut Mines-Télécom. Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>New guidelines for responding to cyber attacks don’t go far enough</h1>
<p class="fine-print">Published 2018-12-17T23:11:41Z (theconversation.com article 108908).</p>
<figure><img src="https://images.theconversation.com/files/250855/original/file-20181217-185255-1repzj6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">If Australia's electricity grid was targeted by a cyber attack, the fallout could be severe.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/towers-running-cables-electricity-supply-349850831?src=o4QJBx1SfdZ91oqzEgxc4g-1-10">Shutterstock</a></span></figcaption></figure>
<p>Debates about cyber security in Australia over the past few weeks have largely centred around the passing of the government’s controversial <a href="https://theconversation.com/the-governments-encryption-laws-finally-passed-despite-concerns-over-security-108409">Assistance and Access bill</a>. But while government access to encrypted messages is an important subject, protecting Australia from threat could depend more on the task of developing a solid and robust cyber security response plan.</p>
<p>Australia released its first Cyber Incident Management Arrangements (<a href="https://www.cyber.gov.au/government/publications/cima/">CIMA</a>) for state, territory and federal governments on December 12. It’s a commendable move towards a comprehensive national civil defence strategy for cyber space.</p>
<p>Coming at least a decade after the need was <a href="https://www.ag.gov.au/Consultations/Pages/ESecurityReview.aspx">first foreshadowed</a> by the government, this is just the initial step on a path that demands much more development. Beyond CIMA, the government needs to better explain to the public the unique threats posed by large scale cyber incidents and, on that basis, engage the private sector and a wider community of experts on addressing those unique threats.</p>
<h2>Australia is poorly prepared</h2>
<p>The aim of the new cyber incident arrangements is to reduce the scope, impact and severity of a “national cyber incident”. </p>
<p>A national cyber incident is defined as being of potential national importance, but less severe than a “crisis” that would trigger the government’s Australian Government Crisis Management Framework (AGCMF).</p>
<p>Australia is currently ill-prepared to respond to a major cyber incident, such as the <a href="https://www.acsc.gov.au/news/ransomware-campaign-impacting-organisations-globally.html">Wannacry</a> or <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">NotPetya</a> attacks in 2017.</p>
<p>Wannacry severely disrupted the UK’s National Health Service, at a cost of A$160 million. NotPetya shut down the world’s largest shipping container company, Maersk, for several weeks, costing it A$500 million.</p>
<p>When costs for random cyber attacks are so high, it’s vital that all Australian governments have coordinated response plans to high-threat incidents. The CIMA sets out inter-jurisdictional coordination arrangements, roles and responsibilities, and principles for cooperation.</p>
<p>A higher-level cyber crisis that would trigger the AGCMF (a process that itself looks somewhat under-prepared) is one that:</p>
<blockquote>
<p>… results in sustained disruption to essential services, severe economic damage, a threat to national security or loss of life.</p>
</blockquote>
<h2>More cyber experts and cyber incident exercises</h2>
<p>At just seven pages in length, in glossy brochure format, the CIMA does not outline specific operational incident management protocols. </p>
<p>This will be up to state and territory governments to negotiate with the Commonwealth. That means the protocols developed may be subject to competing budget priorities, political appetite, divergent levels of cyber maturity, and, most importantly, staffing requirements. </p>
<p>Australia has a serious <a href="https://unsw.adfa.edu.au/unsw-canberra-cyber/sites/accs/files/uploads/ACCS-Discussion-Paper-4-Web.pdf">crisis in the availability of skilled cyber personnel</a> in general. This is particularly the case in specialist areas required for the management of complex cyber incidents. </p>
<p>Government agencies struggle to compete with major corporations, such as the major banks, for the top-level recruits. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/250891/original/file-20181217-185243-4xq7sd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/250891/original/file-20181217-185243-4xq7sd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=374&fit=crop&dpr=1 600w, https://images.theconversation.com/files/250891/original/file-20181217-185243-4xq7sd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=374&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/250891/original/file-20181217-185243-4xq7sd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=374&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/250891/original/file-20181217-185243-4xq7sd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=470&fit=crop&dpr=1 754w, https://images.theconversation.com/files/250891/original/file-20181217-185243-4xq7sd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=470&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/250891/original/file-20181217-185243-4xq7sd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=470&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Australia needs people with expertise in cybersecurity.</span>
</figcaption>
</figure>
<p>The <a href="http://www.voced.edu.au/content/ngv%3A77538">skills crisis</a> is exacerbated by the lack of high quality education and training programs in Australia for this specialist task. Our universities, for the most part, do not teach – or even research – complex cyber incidents on a scale that could begin to service the national need. </p>
<p>The federal government must move quickly to strengthen and formalise arrangements for collaboration with key non-governmental partners – particularly the business sector, but also researchers and large non-profit entities. </p>
<p>Critical infrastructure providers, such as electricity companies, should be among the first businesses targeted for collaboration due to the scale of potential fallout if they came under attack.</p>
<p>To help achieve this, CIMA outlines plans to institutionalise, for the first time, regular cyber incident exercises that address nationwide needs.</p>
<h2>Better long-term planning is needed</h2>
<p>While these moves are a good start, there are three longer term tasks that need attention.</p>
<p>First, the government needs to construct a consistent, credible and durable public narrative around the purpose of its cyber incident policies, and associated exercise programs. </p>
<p>Former Cyber Security Minister <a href="https://ministers.pmc.gov.au/tehan/2016/address-national-press-club-cyber-storm">Dan Tehan has spoken of a single cyber storm</a>, former Prime Minister Malcolm Turnbull <a href="https://www.sbs.com.au/news/pm-turnbull-warns-of-perfect-cyber-storm">spoke of a perfect cyber storm</a> (several storms together), and Cyber Coordinator Alastair MacGibbon <a href="https://www.themandarin.com.au/101485-macgibbon-cyber-catastrophe-is-societys-greatest-existential-threat-but-risk-can-be-managed/">spoke of a cyber catastrophe</a> as the only existential threat Australia faced. </p>
<p>But there is little articulation in the public domain of what these ideas actually mean.</p>
<p>The new cyber incident management arrangements are meant to operate below the level of national cyber crisis. But the country is in dire need of a civil defence strategy for cyber space that addresses both levels of attack. There is no significant mention of cyber threats in the <a href="https://knowledge.aidr.org.au/">website of the Australian Disaster Resilience Knowledge Hub</a>. </p>
<p>This is a completely new form of civil defence, and it may need a new form of organisation to carry it forward. A new, dedicated arm of an existing agency, such as the State Emergency Services (SES), is another potential solution.</p>
<p>One of us (Greg Austin) <a href="https://www.unsw.adfa.edu.au/unsw-canberra-cyber/news/australian-cyber-civil-corps-draft-concept">proposed in 2016</a> the creation of a new “cyber civil corps”. This would be a disciplined service relying on part-time commitments from the people best trained to respond to national cyber emergencies. A cyber civil corps could also help to define training needs and contribute to national training packages. </p>
<p>The second task falls to private businesses, which face potentially crippling costs from random cyber attacks. </p>
<p>They will need to build their own body of expertise in cyber simulations and exercises. Contracting out such responsibilities to consulting companies, or to one-off reports, would produce scattershot results. Any “lessons learnt” within firms about contingency management could fail to be consolidated and shared with the wider business community. </p>
<p>The third task of all stakeholders is to mobilise an expanding knowledge community led by researchers from academia, government and the private sector.</p>
<p>What exists at the moment is minimalist, and appears hostage to the preferences of a handful of senior officials in the Australian Cyber Security Centre (<a href="https://www.acsc.gov.au/">ACSC</a>) and the <a href="https://www.homeaffairs.gov.au/">Department of Home Affairs</a> who may not be in post within several years. </p>
<p>Cyber civil defence is the responsibility of the entire community. Australia needs a national standing committee for cyber security emergency management and resilience that is an equal partnership between government, business, and academic specialists.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p class="fine-print">Australia’s first Cyber Incident Management Arrangements are a good start, but the government needs to better engage with private companies to prevent and manage cyber attacks.</p>
<p class="fine-print">Adam Henry, Adjunct Lecturer, UNSW Sydney; Greg Austin, Professor UNSW Canberra Cyber, UNSW Sydney. Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>WannaCry report shows NHS chiefs knew of security danger, but management took no action</h1>
<p class="fine-print">Published 2017-10-30T17:16:31Z (theconversation.com article 86501).</p>
<figure><img src="https://images.theconversation.com/files/192431/original/file-20171030-18689-132a24x.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/wannacry-ransomware-attack-on-notebook-screencyber-644143564">supimol kumying/Shutterstock</a></span></figcaption></figure>
<p>A report from the parliamentary <a href="https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/">National Audit Office</a> into the WannaCry ransomware attack that brought down significant parts of Britain’s National Health Service in May 2017 has predictably been reported as blaming <a href="https://www.nhs.uk/NHSEngland/thenhs/about/Pages/authoritiesandtrusts.aspx">NHS trusts</a> and smaller organisations within the care system for failing to ensure that appropriate computer security measures such as software updates and secure firewalls were in place. </p>
<p>But the central NHS IT organisation, <a href="https://digital.nhs.uk/">NHS Digital</a>, provided security alerts and the correct patches that would have protected vulnerable systems well before WannaCry hit. This is not a cybersecurity failure in the practicalities, but a failure of cybersecurity management at the top level. </p>
<p>Despite the extensive news coverage it received, WannaCry was a major wake-up call for the NHS rather than a downright disaster. It <a href="http://www.npr.org/sections/alltechconsidered/2017/05/16/528570788/from-kill-switch-to-bitcoin-wannacry-showing-signs-of-amateur-flaws">wasn’t a sophisticated attack</a>. But any attack based on an actual <a href="https://www.fireeye.com/current-threats/what-is-a-zero-day-exploit.html">zero-day exploit</a> – a software flaw creating a security hole that is not yet known to the manufacturer or has not been made public, and so no defence or patch exists to prevent the attack succeeding – could hit the NHS much harder than WannaCry did. </p>
<p>Given the lessons learned discussed in the NAO report, hopefully the NHS will be better prepared next time. And as there will definitely be a next time, the NHS had better have learned its lessons, because the implications of not doing so could be much greater.</p>
<h2>Failing to plan is planning to fail</h2>
<p>As it happened, much of the damage caused by WannaCry – including many of the more than 19,000 missed appointments – did not relate directly to the attack. The NAO report makes it clear that the NHS as a whole lacked a proper response to a national cybersecurity incident. The business continuity plan had not been tested against such a serious attack. Although <a href="https://www.nursingtimes.net/opinion/what-happened-when-the-nhs-was-affected-by-the-wannacry-ransomware-attack/7020962.article">only a relatively small number</a> of NHS organisations were actually infected by WannaCry, other parts of the NHS shut down their systems as a precaution to prevent WannaCry spreading until they were sure what to do. Email systems were switched off without first establishing alternatives, leading to improvisation by telephone and WhatsApp.</p>
<p>More broadly, it has become clear that decentralisation has left NHS cybersecurity very exposed when under attack. NHS Digital provides alerts and patches, of course, but there appears to be no mechanism for anyone to check, let alone enforce, that they are implemented. In any case, security alerts run a risk of being drowned in the stream of “cry wolf” messages from the cybersecurity industry. The NHS trust boards take little ownership of cybersecurity matters, and are not being held accountable because the <a href="http://www.cqc.org.uk/">Care Quality Commission</a>, the NHS regulator, has not included it in their inspections.</p>
<p>The official reaction from NHS Digital to the report was <a href="https://digital.nhs.uk/article/7908/NHS-Digital-responds-to-report-on-WannaCry-cyber-incident">brief</a> – no wonder, as it emerges from the affair having performed what was expected of it. NHS Digital offered on-site cybersecurity assessments at 88 NHS trusts in the years before the WannaCry incident, failing all of them. But without powers of enforcement, it was unable to press for the changes and preventative measures required to improve security. NHS Digital’s own review of the WannaCry incident (as mentioned in the NAO report) had established that most trusts did not even think that cybersecurity was a risk to patient outcomes – a naive and dangerous view in an organisation heavily dependent on integrated digital systems.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/192442/original/file-20171030-18700-1dxhffw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/192442/original/file-20171030-18700-1dxhffw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=401&fit=crop&dpr=1 600w, https://images.theconversation.com/files/192442/original/file-20171030-18700-1dxhffw.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=401&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/192442/original/file-20171030-18700-1dxhffw.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=401&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/192442/original/file-20171030-18700-1dxhffw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=504&fit=crop&dpr=1 754w, https://images.theconversation.com/files/192442/original/file-20171030-18700-1dxhffw.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=504&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/192442/original/file-20171030-18700-1dxhffw.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=504&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The decentralisation of the NHS means that no one is in charge of enforcing the cybersecurity practices that would have prevented WannaCry.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/warrington-uk-march-6-2016-view-393927661">Marbury/Shutterstock</a></span>
</figcaption>
</figure>
<h2>No one left holding the reins</h2>
<p>The NAO report acknowledges that NHS trusts could not be blamed for some of the missing software updates. Some medical instruments such as MRI scanners are controlled by software written for old and unsupported versions of Windows, for example, or in some cases by companies that have since gone out of business. Decoupling these machines from the network would solve the most immediate cybersecurity problems, but at the expense of complicating their use and increasing the chance of human error. Neither the NAO nor NHS Digital appear to have a solution yet. </p>
<p>For small NHS organisations, such as individual GP practices, there is likely to be an issue of resources. Who will have the time, and at what point in their already full working day, to ensure computers are updated? Should the many NHS receptionists wait for their Windows updates to complete at the start of their day, or help their patients?</p>
<p>If the lack of resources doesn’t already point at government underfunding of the NHS, the report certainly points to failures at the national level, to <a href="https://www.england.nhs.uk/">NHS England</a> and the <a href="https://www.gov.uk/government/organisations/department-of-health">Department of Health</a>. Provided with cybersecurity recommendations by both <a href="https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs">the National Data Guardian</a> and the <a href="http://www.cqc.org.uk/publications/themed-work/safe-data-safe-care">Care Quality Commission</a> by July 2016, <a href="https://www.gov.uk/government/consultations/new-data-security-standards-for-health-and-social-care">neither body responded until July 2017</a>, months after WannaCry. The urgent need for effective, national-level cybersecurity incident planning in such a decentralised system as the NHS must be clear by now. </p>
<p>The NHS was spared the full impact of a cyber-attack this time, mainly because the technical solution – a “kill-switch” in the ransomware – was quickly discovered by <a href="https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html">MalwareTech researcher</a> <a href="http://uk.businessinsider.com/marcus-hutchins-is-the-22-year-old-who-saved-the-world-from-a-malware-virus-2017-5?r=US&IR=T">Marcus Hutchins</a>. Next time the NHS might not be so lucky, though new research has been commissioned to this end. Projects such as EPSRC <a href="http://gow.epsrc.ac.uk/NGBOViewGrant.aspx?GrantRef=EP/P011772/1">EMPHASIS</a> will look at not only the technical aspects of ransomware attacks, but also their economic, psychological and social aspects to obtain a more rounded understanding of ransomware. </p>
<p>Not only will this interdisciplinary approach increase our understanding of ransomware attacks, but it will also help us to quickly ascertain whether an attack is socially engineered – triggered by users opening attachments or clicking on infected websites – or triggered through technological means such as a worm, as was the case with WannaCry and <a href="https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/">NotPetya</a> – the latter seeking to <a href="https://securelist.com/destructive-malware-five-wipers-in-the-spotlight/58194/">disrupt and destructively wipe data</a> without even attempting to extort money. It’s also important to understand the new means of payment via <a href="https://www.forbes.com/sites/forbestechcouncil/2017/08/03/how-cryptocurrencies-are-fueling-ransomware-attacks-and-other-cybercrimes/#8b9ef543c152">cryptocurrencies such as bitcoin</a>, because <a href="https://theconversation.com/cryptolocker-has-you-between-a-back-up-and-a-hard-place-20687">ransomware</a> is usually a crime of extortion. With a better understanding of our attackers and their motivations we will be better placed to defend against them.</p>
<p class="fine-print"><em><span>Eerke Boiten receives funding from EPSRC EP/P011772/1 EMPHASIS (EconoMical, PsycHologicAl and Societal Impact of RanSomware).</span></em></p>
<p class="fine-print"><em><span>David S. Wall receives funding from EPSRC EP/P011721/1 EMPHASIS (EconoMical, PsycHologicAl and Societal Impact of RanSomware) and he is a member of the RUSI SHOC (Strategic Hub on Organised Crime).</span></em></p>
<p>It turns out you can’t ensure cyber-security in the world’s fifth-largest employer if there’s no one in charge of making it happen.</p>
<p class="fine-print">Eerke Boiten, Professor of Cyber Security, School of Computer Science and Informatics, De Montfort University. David S. Wall, Professor of Criminology, University of Leeds. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>By concealing identities, cryptocurrencies fuel cybercrime</h1>
<p class="fine-print">Published 2017-09-26</p>
<figure><img src="https://images.theconversation.com/files/186884/original/file-20170920-16382-1vgnjm0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Can criminals use cryptocurrency to hide their identities and activities?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/hacker-stealing-dollars-bank-557329258">Elnur/Shutterstock.com</a></span></figcaption></figure>
<p>When hackers hold their victims’ data for ransom, as happened in the WannaCry and NotPetya <a href="https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/">ransomware attacks</a> that spread across the globe in mid-2017, a key to the criminals’ success is getting away with the money. That often means they use cryptocurrencies like bitcoin to collect payment, hoping to remain <a href="https://doi.org/10.1108/JMLC-07-2016-0027">hidden behind a digital mask</a>. </p>
<p>The WannaCry hackers went a step farther, though. They <a href="https://arstechnica.com/gadgets/2017/08/researchers-say-wannacry-operator-moved-bitcoins-to-untraceable-monero/">converted their bitcoins into Monero</a>, another e-currency designed to offer <a href="https://www.monero.how/how-does-monero-privacy-work">even stronger privacy</a>. </p>
<p>At the <a href="http://www.initc3.org/">Initiative for Cryptocurrencies and Contracts</a>, we have explored the ways cryptocurrency systems protect users’ anonymity. Anonymity in cryptocurrencies is fueling crime by enabling criminals to evade identification by law enforcement. We believe that this problem will get worse as cryptocurrencies evolve stronger privacy protections and become more flexibly programmable. We also believe there’s no simple solution.</p>
<h2>Masking criminal identities</h2>
<p>All cryptocurrency systems work in roughly the same way. Groups of computers receive transaction information directly from users who want to send each other money. The computers order and permanently record these transactions in a public ledger so that anyone can read them. The <a href="https://theconversation.com/blockchains-focusing-on-bitcoin-misses-the-real-revolution-in-digital-trust-58125">public ledger</a> also makes it possible to keep track of how much currency individual users own. Developers tweak the code in <a href="https://www.technologyreview.com/s/607947/the-cryptocurrency-market-is-growing-exponentially/">different cryptocurrency systems</a> to add additional features, like fast transaction processing or improved anonymity.</p>
<p>The first major cryptocurrency system, bitcoin, allows users to conceal their real names. But users’ transaction amounts and bitcoin account numbers (known as “addresses”) are <a href="https://twitter.com/actual_ransom">visible to anyone</a> – even people who don’t use bitcoin but know how to read the transaction ledger. This approach offers more privacy than credit cards and bank accounts, even against powerful entities like governments who might try to trace money obtained by criminals. Bitcoin’s privacy both attracts users – law-abiding and otherwise – and <a href="https://www.fincen.gov/news/news-releases/fincen-awards-recognize-law-enforcement-success-stories-supported-bank-secrecy">raises law enforcement agencies’ suspicions</a>.</p>
<p>It is true that bitcoin and other cryptocurrencies create opportunities for tax evasion, ransomware and <a href="http://dl.acm.org/citation.cfm?id=2488408">illicit marketplaces</a> selling everything from narcotics to illegal arms. Some concerns, though, like the potential uses for terrorists, <a href="https://blogs.wsj.com/riskandcompliance/2017/03/07/the-morning-risk-report-terrorism-financing-via-bitcoin-may-be-exaggerated/">are probably overblown</a>.</p>
<p>When crimes happen that involve bitcoin, law enforcement and security experts can exploit the system’s privacy defects. They study illicit activity by <a href="https://www.sciencemag.org/news/2016/03/why-criminals-cant-hide-behind-bitcoin">analyzing chains of transactions</a>. Sometimes they can trace criminals to systems where their true identities can be discovered.</p>
<p>If this isn’t possible, they can often still obtain clues about criminals’ behavior. For example, analysis of the bitcoin transaction patterns of WannaCry quickly showed that victims would not automatically receive decryption keys for their ransom payments. To identify a payer, a bitcoin recipient must give each payer a unique address to send payment to. This address acts like a kind of transaction serial number. WannaCry victims were all told to pay into <a href="https://www.redsocks.eu/news/ransomware-wannacry/">just three bitcoin addresses</a>. Because payments were commingled in this way, investigators realized that the WannaCry perpetrators <a href="https://www.wired.com/2017/05/wannacry-ransomware-hackers-made-real-amateur-mistakes/">could not figure out</a> which victims actually paid the ransom.</p>
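<p>An added example (not from the article) of the kind of ledger analysis described above, in Python: it tallies payments to a small set of known ransom addresses from a constructed transaction list, estimates the payout rate, and checks whether the ledger alone could tie each payment to a victim. The addresses, transactions, victim count and exchange rate are all made-up placeholders, not the real WannaCry values.</p>

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SATOSHI = 100_000_000  # satoshis per bitcoin; amounts are kept as integers

# Constructed placeholder addresses standing in for the three shared ransom
# addresses WannaCry victims were told to pay. They are NOT the real ones.
RANSOM_ADDRESSES = frozenset({"1WannaPlaceholderA", "1WannaPlaceholderB", "1WannaPlaceholderC"})


@dataclass(frozen=True)
class Output:
    address: str
    satoshis: int


@dataclass(frozen=True)
class Tx:
    txid: str
    unix_time: int
    outputs: Tuple[Output, ...]


# Constructed ledger excerpt: four ransom payments (address A receives two of
# them) plus one unrelated transaction that the filter must ignore.
SAMPLE_TXS: Tuple[Tx, ...] = (
    Tx("tx-0001", 1494604800, (Output("1WannaPlaceholderA", 17_000_000),
                               Output("1ChangeBack01", 3_000_000))),
    Tx("tx-0002", 1494605100, (Output("1WannaPlaceholderB", 17_000_000),)),
    Tx("tx-0003", 1494608000, (Output("1WannaPlaceholderA", 34_000_000),)),
    Tx("tx-0004", 1494690000, (Output("1WannaPlaceholderC", 17_000_000),)),
    Tx("tx-0005", 1494690500, (Output("1UnrelatedMerchant", 50_000_000),)),
)


def ransom_outputs(txs: Iterable[Tx], ransom_addresses) -> List[Tuple[str, str, int]]:
    """Outputs that pay one of the known ransom addresses, as (txid, address, satoshis)."""
    return [(tx.txid, out.address, out.satoshis)
            for tx in txs for out in tx.outputs
            if out.address in ransom_addresses]


def attributable_by_address(payments: Iterable[Tuple[str, str, int]]) -> bool:
    """True only if no ransom address received more than one payment.

    With one address per victim, the receiving address identifies the payer.
    When victims share addresses, the ledger alone cannot say which victim paid,
    which is the situation the article describes for WannaCry."""
    counts = Counter(address for _, address, _ in payments)
    return all(n == 1 for n in counts.values())


def summarise(txs: Iterable[Tx], ransom_addresses, estimated_victims: int,
              usd_per_btc: float) -> Dict[str, object]:
    """Tally ransom payments and derive the figures an analyst would report."""
    payments = ransom_outputs(txs, ransom_addresses)
    total_sat = sum(sat for _, _, sat in payments)
    return {
        "payments": len(payments),
        "total_btc": total_sat / SATOSHI,
        "total_usd": round(total_sat / SATOSHI * usd_per_btc, 2),
        # share of known victims who paid (assumes one payment per victim)
        "payout_rate": len(payments) / estimated_victims,
        "attributable_by_address": attributable_by_address(payments),
    }


if __name__ == "__main__":
    # Placeholder victim count and exchange rate, constructed for the demo.
    print(summarise(SAMPLE_TXS, RANSOM_ADDRESSES, estimated_victims=1000, usd_per_btc=1800.0))
```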
<p>Systems with stronger privacy have arisen to shield users – and criminals – from such scrutiny. One type, called “mixes,” such as <a href="https://eprint.iacr.org/2016/824">CoinShuffle++</a> and <a href="https://eprint.iacr.org/2016/575">TumbleBit</a>, bundle transactions together, allowing bitcoin users to launder their money and achieve stronger anonymity. Distinct new cryptocurrencies have arisen that offer very strong privacy using powerful built-in mixes. These include <a href="https://www.getmonero.org/">Monero</a>, <a href="https://z.cash/">Zcash</a> and <a href="https://www.coindesk.com/sorting-hat-time-mimblewimble-weighs-own-blockchain-launch/">MimbleWimble</a>. </p>
<p>Their success has been limited so far. <a href="http://hackingdistributed.com/2017/04/19/monero-linkability/">Technical problems</a> are one reason, but mainly their technical complexity and limited software support makes them hard for people to use. Ransomware usually requests payment in bitcoin. It is simply easier for victims to buy bitcoins than more exotic cryptocurrencies that better conceal ransomware creators’ identities. Ransomware creators hope to get the best of both worlds – enabling easy payment for victims in bitcoins, but then converting ransom payments to currencies like Monero to obtain strong privacy. Someday, once privacy-hardened cryptocurrencies are easier to use, though, ransomware creators and other criminals will be able to bypass this two-step process.</p>
<h2>Criminal smart contracts</h2>
<p>Cryptocurrencies are not limited to simple money transfers. Newer systems like <a href="http://www.ethereum.org">Ethereum</a> also include in the public ledger not just a record of which account sent money to whom, but small computer programs called “smart contracts.” Once entered into the ledger, these programs remain forever executable. They can store and send money in arbitrarily complex ways. Any user – or another smart contract – can trigger execution of a smart contract simply by sending it a transaction.</p>
<p>When autonomous smart contracts are combined with anonymous cryptocurrency, they provide opportunities to handle money in complicated ways that hackers can exploit. Twice, money has been <a href="https://thehackernews.com/2017/07/ethereum-cryptocurrency-hacking.html">stolen from Ethereum contracts</a> in <a href="http://hackingdistributed.com/2017/07/22/deep-dive-parity-bug/">heists</a> that each involved more money than the <a href="https://en.wikipedia.org/wiki/List_of_bank_robbers_and_robberies#United_States">largest bank robbery in the United States</a>. The identities of the thieves remain unknown.</p>
<p>In the future, “<a href="http://www.arijuels.com/wp-content/uploads/2013/09/Gyges.pdf">criminal smart contracts</a>” may emerge. These might be programmed to make automatic payments when specific secrets are stolen, when particular websites are hacked and defaced, or even for physical crimes ranging from vandalism to terrorism. A person who wanted a particular crime to be committed could post a smart contract reward to be paid out to the criminal who actually does the deed. Someone seeking to claim the reward would, before committing the crime, add an encoded message to the smart contract containing specific details only the criminal would know beforehand – such as a unique phrase or long string of numbers to be posted on a hacked website.</p>
<p>When the crime is committed, the person who did the deed would decode the added message, revealing the details that had been specified in advance. The smart contract could then check the actual details of the crime and, if they matched, pay out the reward. The anonymity of the underlying cryptocurrency would hide the criminal’s identity. </p>
<p>Today, smart contracts cannot easily obtain trustworthy data from the internet about crimes like vandalism in a form that computer programs can easily understand. So criminal smart contracts have not yet come about. But advances in crime driven by smart contracts will eventually emerge, aided by continuing improvements in anonymity technologies.</p>
<h2>The hard quest for balance</h2>
<p>Anonymity isn’t all bad, of course. On the contrary, it’s a key ingredient of privacy-preserving systems, and necessary to prevent overreach and abuses by governments. Cryptocurrency cannot thrive without privacy protections. What’s hard is finding a socially responsible blend of privacy and accountability. </p>
<p>Today, law enforcement authorities can exploit privacy weaknesses in systems like bitcoin to identify certain cryptocurrency as belonging to criminals and thus as “tainted.” They <a href="https://thenextweb.com/eu/2017/02/21/danish-police-hunt-down-criminals-using-bitcoin/">try to catch criminals</a> when, for example, they convert tainted currency into ordinary currency like U.S. dollars or euros. This strategy will no longer work when stronger privacy technologies conceal tainted cryptocurrency.</p>
<p>Scientists have for decades sought to design <a href="https://pdfs.semanticscholar.org/e6c8/c217fb3f94f17cfc79efd135ae0525033cc6.pdf">systems that balance law enforcement needs with individual privacy</a> in digital currency. Most of these systems provide what is called “conditional anonymity,” allowing authorities to learn user identities selectively through a technical process that can involve courts or other overseers. Appealing as it sounds, <a href="https://theconversation.com/bypassing-encryption-lawful-hacking-is-the-next-frontier-of-law-enforcement-technology-74122">this approach is unworkable</a>. If one authority, say the U.S. federal court system, has the ability to strip users of anonymity, then all authorities will want it. Privacy will then be meaningless.</p>
<p>Crime-fighting tools require empowerment of authorities. Cryptocurrencies are innately anti-authority technologies. How this tension is resolved will determine the future of the world’s monetary systems. There is no simple answer.</p>
<p class="fine-print"><em><span>Ari Juels receives relevant funding from the National Science Foundation. He is a member of the Initiative for CryptoCurrencies and Contracts, which is funded by industry partners listed at <a href="http://www.initc3.org/partners.html">http://www.initc3.org/partners.html</a>. He advises SmartContract.com.</span></em></p>
<p class="fine-print"><em><span>Iddo Bentov is a member of the Initiative for CryptoCurrencies and Contracts, which is funded by industry partners listed at <a href="http://www.initc3.org/partners.html">http://www.initc3.org/partners.html</a>.</span></em></p>
<p class="fine-print"><em><span>Ittay Eyal is a member of the Initiative for CryptoCurrencies and Contracts, which is funded by industry partners listed at <a href="http://www.initc3.org/partners.html">http://www.initc3.org/partners.html</a>.</span></em></p>
<p>As cryptocurrency systems improve, they will better protect criminals’ identities and even allow people to offer anonymous rewards for crimes they want committed.</p>
<p class="fine-print">Ari Juels, Professor of Computer Science, Jacobs Technion-Cornell Institute, Cornell Tech, and Co-Director, Initiative for CryptoCurrencies and Contracts (IC3), Cornell University. Iddo Bentov, Postdoctoral Associate in Computer Science, Cornell University. Ittay Eyal, Research Associate, Computer Science and Associate Director, Initiative For Cryptocurrencies and Contracts (IC3), Cornell University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Are cryptocurrencies a dream come true for cyber-extortionists?</h1>
<p class="fine-print">Published 2017-09-12</p>
<figure><img src="https://images.theconversation.com/files/185308/original/file-20170908-32268-1xlgj20.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">More cryptocurrencies appear all the time.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/set-cryptocurrencies-golden-bitcoin-on-front-683818258">Wit Olszewski/Shutterstock.com</a></span></figcaption></figure>
<p>When malicious software takes over <a href="http://metro.co.uk/2017/06/27/cyber-attack-similar-to-wannacry-virus-hits-companies-and-airports-in-europe-6738752/">computers around the world</a>, <a href="https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know">encrypts their data</a> and demands a ransom to decode the information, regular <a href="https://www.reuters.com/article/us-ukraine-cyber-attacks-deputypm-idUSKBN19I1P8">activities of governments</a>, <a href="http://www.wired.co.uk/article/petya-malware-ransomware-attack-outbreak-june-2017">companies</a> and <a href="http://money.cnn.com/2017/05/16/technology/hospitals-vulnerable-wannacry-ransomware/index.html">hospitals</a> slam to a halt. Sometimes security researchers release a fix that allows computer owners to <a href="https://noransom.kaspersky.com/">decrypt their machines without paying</a>, but many people are forced to pony up to free their data.</p>
<p>In 2016, the FBI estimated that the <a href="https://news.vice.com/story/ransomware-how-hackers-make-you-pay">ransomware industry took in US$1 billion</a> – and that’s only the cases <a href="https://doi.org/10.1109/MSP.2006.27">officials know about</a>. All that money isn’t paid in cash. Before digital currencies existed, extortionists asked victims to send money by more formal transfer companies like Western Union or make deposits to bank accounts. Those were easily traced. Today, ransomware attacks demand payment in bitcoin and its ilk, systems praised by supporters for their transaction speed and <a href="https://qz.com/1028936/watch-these-bitcoin-ransom-payments-get-lost-in-the-expanse-of-the-blockchain/">protection of users’ anonymity</a>. </p>
<p>In researching cybercrime and cybersecurity for more than a decade, I have found that obtaining cybercrime proceeds is often the <a href="https://link.springer.com/book/10.1057/9781137021946">biggest challenge that cybercriminals face</a>. In this regard, diffusion of cryptocurrencies is a major development that enables cybercriminals to achieve their goals. In fact, the escalation of ransomware attacks and the increasing prominence of cryptocurrencies may be connected. Some companies have invested in bitcoin and other cryptocurrencies specifically so they can <a href="https://www.technologyreview.com/s/601643/companies-are-stockpiling-bitcoin-to-pay-off-cybercriminals/">pay extortionists if it ever becomes necessary</a>. That helps contribute to the rapid growth in use and value of e-currencies. And as digital currencies become more common, ransomware attackers will have an easier time hiding their illicit transactions among the growing crowd of legitimate transfers.</p>
<h2>Using cryptocurrencies in cyber extortion</h2>
<p>The extortionists behind most ransomware attacks demand payments in bitcoin, the most popular cryptocurrency. The WannaCry attackers demanded <a href="https://www.theguardian.com/technology/2017/may/15/dont-pay-ransomware-demands-cybersecurity-experts-say-wannacry">between $300 and $600</a> per computer; the Petya ransomware <a href="https://www.cnbc.com/2017/06/28/ransomware-cyberattack-petya-bitcoin-payment.html">wanted $300 in bitcoins</a> before providing a code that would let victims decrypt their data. Not many people actually pay, though: WannaCry victims paid only <a href="https://www.elliptic.co/wannacry/">about $241,000 in bitcoins to the extortionists</a>. If everyone infected had paid, the criminals would have received at least $60 million. That translates to a payout rate of 0.4 percent. Even fewer paid the Petya perpetrators: They got <a href="https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX?sort=0">just 66 payments</a>, totaling barely over 4 bitcoins, or about $18,200.</p>
<p>Other attacks are more successful: In June, a ransomware attack hit <a href="https://www.theregister.co.uk/2017/06/20/south_korean_webhost_nayana_pays_ransom/">more than 150 servers</a> owned by South Korean web hosting firm Nayana. More than 3,400 of the company’s customers were affected – mostly small businesses running their websites on Nayana’s equipment. Nayana itself stepped up, taking loans to <a href="http://www.inforisktoday.com/south-korean-hosting-firm-pays-1-million-ransom-a-10025">cover a payment of more than $1 million</a> in bitcoins to the attackers, saying it had <a href="http://www.straitstimes.com/asia/asia-briefs-firms-15m-payout-to-hackers-criticised">to save its clients’ sites</a>.</p>
<p>The attackers don’t always need to make much money to be effective. Many cybersecurity researchers believe that Petya attacks were carried out <a href="https://www.wired.com/story/petya-ransomware-ukraine/">with political motives</a> rather than for financial gains. But ransomware has a much higher payout rate than other common cybercrimes. One study found that for every 12.5 million spam emails sent promoting a fake online pharmacy, the <a href="https://doi.org/10.1145/1455770.1455774">scammers got only one response</a>. That’s a success rate of about 0.000008 percent. They make a lot of money – <a href="http://www.pcworld.com/article/153575/viagra_spam_study.html">up to $3.5 million a year</a> – only by sending out enormous numbers of messages.</p>
<h2>Trusting cyberthieves?</h2>
<p>One reason cybercrime success rates are low is that victims don’t trust the extortionists to <a href="https://www.nytimes.com/2017/05/13/world/asia/cyberattacks-online-security-.html">actually unlock their data</a> once they get paid. In 2016, about a quarter of the organizations that paid ransoms were <a href="http://economictimes.indiatimes.com/small-biz/money/indian-companies-wannacry-over-bitcoin-payments-too/articleshow/58709798.cms">not able to recover their data</a>. </p>
<p>The WannaCry attackers were particularly bad: Their system was labor-intensive, requiring the criminals to manually connect payments with encrypted files before letting victims decode them. In fact, a <a href="http://www.economist.com/news/science-and-technology/21722158-it-has-been-neglected-too-long-wannacry-should-make-people-treat-cyber-crime">flaw in the WannaCry attack software</a> made it almost impossible to decrypt a paying victim’s data. </p>
<p>More sophisticated methods do exist, including those that incorporate what are called “<a href="https://dx.doi.org/10.1007/978-3-662-53357-4_6">smart contracts</a>,” another aspect of some cryptocurrency systems that runs a particular program as part of completing a transaction. In those ransomware attacks, making payment <a href="https://qz.com/985093/inside-the-digital-heist-that-terrorized-the-world-and-made-less-than-100k/">automatically releases the information</a> a victim needs to decrypt and recover hijacked files.</p>
<h2>Preparing for future ransomware</h2>
<p>The fear of ransomware is growing. In mid-2016, a study found that <a href="http://www.financemagnates.com/cryptocurrency/news/33-of-uk-firms-are-buying-bitcoin-in-anticipation-for-cyber-attacks/">one-third of British firms</a> had bought bitcoins just in case they needed to pay off ransomware attackers. More than 35 percent of large firms, those with more than 2,000 employees, reported being <a href="http://www.financemagnates.com/cryptocurrency/news/33-of-uk-firms-are-buying-bitcoin-in-anticipation-for-cyber-attacks/">willing to pay as much as $65,000</a> to unlock critical files. Even <a href="https://www.technologyreview.com/s/601643/companies-are-stockpiling-bitcoin-to-pay-off-cybercriminals/">Cornell University was reported</a> <a href="https://twitter.com/el33th4xor/status/738331965917700096">to be stockpiling bitcoins</a> in case of a future ransomware attack.</p>
<p>At the same time, bitcoin and other similar systems are becoming much more popular. In 2016, the total value of all cryptocurrencies was <a href="https://dailyfintech.com/2016/01/14/what-does-the-future-hold-for-blockchain-and-insurance/">0.025 percent of the world’s GDP</a>. By August 2017, that number had increased more than eight-fold, <a href="https://cointelegraph.com/news/cryptocurrency-market-cap-reaches-record-161-bln-investments-flow">to 0.21 percent of global GDP – about $162 billion</a>. The World Economic Forum projects cryptocurrencies will hold <a href="http://www3.weforum.org/docs/WEF_GAC15_Technological_Tipping_Points_report_2015.pdf">10 percent of global GDP by 2027</a>.</p>
<p>These cycles are self-reinforcing: The more transactions there are involving cryptocurrencies, the harder it will be to <a href="https://qz.com/1028936/watch-these-bitcoin-ransom-payments-get-lost-in-the-expanse-of-the-blockchain/">trace where the money is going</a>. As a result, cybercriminals will use cryptocurrencies more often – forcing their victims (and even potential targets) to invest in cryptocurrencies, too.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Cybercriminals increasingly depend on e-currencies to profit from their misdeeds. They, and their potential victims, could be driving some of the growth in cryptocurrency markets.</p>
<p class="fine-print">Nir Kshetri, Professor of Management, University of North Carolina – Greensboro. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Why has healthcare become such a target for cyber-attackers?</h1>
<p class="fine-print">Published 2017-07-17</p>
<figure><img src="https://images.theconversation.com/files/177709/original/file-20170711-6506-1wqwogx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Why did I click "download"?</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>More than <a href="https://pages.bitglass.com/Healthcare-Breach-Report-2017.html">16m patient records</a> were stolen from healthcare organisations in the US and related parties in 2016. That year, healthcare was the <a href="https://assets.documentcloud.org/documents/3527813/IBM-XForce-Index-2017-FINAL.pdf">fifth most targeted industry</a> when it came to cyber-attacks. And earlier this year, Britain’s National Health Service <a href="https://theconversation.com/nhs-ransomware-cyber-attack-was-preventable-77674">was crippled</a> by a ransomware attack that locked up the computers holding many of its records and booking systems. </p>
<p>But it’s not just health data and services that are at risk from cyber-attacks – it’s also human lives. In 2007, the then US vice-president, Dick Cheney, had his <a href="https://edition.cnn.com/2013/10/20/us/dick-cheney-gupta-interview/">implanted heart defibrillator modified</a> in order to avoid “death by hacking”, a technology weakness that US officials <a href="http://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/index.html">warned of again</a> just recently. Any medical device connected to a network is potentially at risk from being taken over and exploited by hackers, from <a href="http://www.bbc.co.uk/news/technology-34390165">MRI machines</a> to <a href="https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0040200">electric wheelchairs</a>.</p>
<p>As connected technology becomes even more embedded in healthcare, this cyber-threat is only likely to grow. But if we want to protect our health from cyber-attacks, we shouldn’t fear technology. Instead, we need to understand it better and realise that the threat becomes much worse when people make simple mistakes.</p>
<h2>What is the risk to healthcare?</h2>
<p>The most common cyber-threats to healthcare are data theft attacks. They typically start from something like a phishing attack. For example, if you are a doctor with access to patients’ records, an attacker may send you an e-mail and convince you to click a link or attachment that downloads a piece of software known as malware to your computer.</p>
<p>The attacker can then use this software to gain access to the organisation’s financial, administrative and clinical information systems. In the case of the recent “WannaCry” attack that affected the NHS, the malware (in this instance “<a href="https://theconversation.com/what-is-ransomware-and-how-to-protect-your-precious-files-from-it-54048">ransomware</a>”) locked users out of their computers and demanded money to release them.</p>
<p>These attacks can also develop into “<a href="https://www.fireeye.com/current-threats/anatomy-of-a-cyber-attack.html">advanced persistent threats</a>” against healthcare networks. These occur when malware enters a health network and remains there unnoticed while keeping in contact with the attacker. From there it can spread throughout the network, even if the original download is detected and removed. Then it can steal data and direct network traffic to the attacker so they can see exactly what is happening in the system in real time.</p>
<p>Attackers can also use the health network to spread into connected medical devices and equipment such as ventilators, X-ray machines and medical lasers. From here they can create a “<a href="https://deceive.trapx.com/rs/929-JEW-675/images/AOA_Report_TrapX_MEDJACK.2.pdf">back door</a>” that will allow them to maintain access even if software is updated to improve security.</p>
<p>It’s also possible that attackers could one day use <a href="http://lesswrong.com/lw/mgf/a_map_agi_failures_modes_and_levels/">artificial intelligence</a> to mount more complex attacks. For example, hackers could use an intelligent system to block algorithms in the healthcare network that manage prescriptions or drug libraries and replace them with fakes.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/177526/original/file-20170710-29720-qpkf1k.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/177526/original/file-20170710-29720-qpkf1k.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=432&fit=crop&dpr=1 600w, https://images.theconversation.com/files/177526/original/file-20170710-29720-qpkf1k.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=432&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/177526/original/file-20170710-29720-qpkf1k.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=432&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/177526/original/file-20170710-29720-qpkf1k.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=543&fit=crop&dpr=1 754w, https://images.theconversation.com/files/177526/original/file-20170710-29720-qpkf1k.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=543&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/177526/original/file-20170710-29720-qpkf1k.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=543&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">How the risk spreads.</span>
<span class="attribution"><a class="source" href="http://immortality-roadmap.com/AIfails.pdf">Alexey Turchin</a></span>
</figcaption>
</figure>
<h2>Why is healthcare such a target?</h2>
<p>Yet any organisation with a computer is at risk from cyber-attacks and there are arguably far more obvious targets for those wanting to extort money. The recent attack on the NHS, for example, <a href="https://theconversation.com/how-wannacry-caused-global-panic-but-failed-to-turn-much-of-a-profit-77740">yielded very little ransom</a>.</p>
<p>Part of the reason for the threat against the healthcare sector is that it is classed as <a href="https://www.cpni.gov.uk/critical-national-infrastructure-0">national critical infrastructure</a>, alongside water, electricity and transport networks. This makes it an attractive target for those hackers wanting to cause chaos, especially from a hostile foreign country. Attacking a healthcare organisation that is part of a wider network of infrastructure could also provide a way in to other critical facilities.</p>
<p>There are also a huge number of opportunities for attacks on healthcare systems simply due to the extent to which they rely on technology. Healthcare today makes massive use of expensive technology, not just in computer systems and hospital equipment but also devices attached to and even embedded in the human body, such as fitness monitors or digital pacemakers. There are also many ways in for a healthcare hacker, from data networks to mobile applications and even non-medical systems such as CCTV. </p>
<p>In particular, the spread of the <a href="https://theconversation.com/explainer-the-internet-of-things-16542">Internet of Things</a>, the connection of increasing numbers of devices and objects to the internet, is increasing the number of potential access points for hackers. Unlike many of the <a href="https://theconversation.com/could-your-kettle-bring-down-the-internet-67650">more trivial</a> uses for the Internet of Things, connected medical devices have obvious benefits because they can instantly exchange useful data or instructions with medical staff. This is where some of the greatest dangers lie because the devices are often involved in critical procedures or treatments. Interference with the signals to a robotic surgical tool, for example, would be devastating. </p>
<h2>How can we protect healthcare from attacks?</h2>
<p>Most attacks against health systems resemble missile strikes: they cannot rebound on the attacker, they leave few traces, and they can still cause significant damage. This makes it very difficult to track down the attackers or predict future attacks.</p>
<p>But healthcare organisations have already become more aware of the danger they are in and started to take measures to protect themselves, for example by building cyber-security into their <a href="https://www.nth.nhs.uk/content/uploads/2014/07/information-technology-strategy-2012-2017.pdf">information technology strategies</a>. At a delivery level, hospitals can establish new security standards and better ways to effectively integrate the new interconnected systems as they emerge.</p>
<p>But healthcare systems suffer from the same inherent problems as any technology. Even when a security team thinks it has a grip on a problem, another often appears. When one is solved, many more are often generated. What’s more, they are designed by humans for humans, and so it’s fair to assume they are vulnerable by default thanks to human error. </p>
<p>Although you can train staff as best you can, it only takes one person clicking on a rogue attachment to let in malware that can disrupt the whole system. What’s more, the fear of legal costs and responsibilities might lead some organisations to under-report incidents and take action that could increase the threat, for example by paying ransoms to hackers. In reality, the reputation and trust of healthcare organisations depends on them understanding the true extent of the threat and taking sufficient measures to guard against it.</p>
<p class="fine-print"><em><span>Myrsini Athinaiou receives funding from the Engineering and Physical Sciences Research Council (EPSRC). </span></em></p>
<p>Confidential data and even human lives are at risk thanks to the huge spread of connected technology in healthcare.</p>
<p>Myrsini Athinaiou, PhD Student in Computing, Engineering and Mathematics, University of Brighton. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Three ways the ‘NotPetya’ cyberattack is more complex than WannaCry</h1>
<p>Published 2017-06-30T02:04:16Z (article 80266).</p>
<figure><img src="https://images.theconversation.com/files/176153/original/file-20170629-31318-16rgqnl.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">NotPetya is something a little different.</span> <span class="attribution"><a class="source" href="http://one.aap.com.au/#/search/petya">EPA/ROB ENGELAAR</a></span></figcaption></figure>
<p>The WannaCry ransomware was barely out of the headlines when another cyberattack took down computer systems around the world.</p>
<p>This time, a piece of malware dubbed “NotPetya” is to blame. And unlike WannaCry, it has no clear “<a href="https://theconversation.com/heres-how-the-ransomware-attack-was-stopped-and-why-it-could-soon-start-again-77745">kill switch</a>” as it spreads across infected networks.</p>
<p>NotPetya has reportedly hit several global organisations so far, including the American pharmaceutical company <a href="http://fortune.com/2017/06/27/petya-ransomware-cyber-attack-merck/">Merck</a> and, in Australia, <a href="http://www.abc.net.au/news/2017-06-28/cadbury-chocolate-factory-targeted-in-ransomware-attack/8658222">Cadbury</a>.</p>
<p>The attack was initially classed as ransomware: malicious software that holds a user to ransom by encrypting their files and blocking access without a “key”. It was a reasonable assumption given the threatening message displayed to victims – but the picture is more complicated.</p>
<p>NotPetya is distinct from WannaCry in a number of important ways – particularly, money doesn’t seem to be its end goal.</p>
<h2>1. It’s about disruption not profit</h2>
<p>Unlike other ransomware incidents, NotPetya seems to be aimed at disruption rather than criminal profiteering (or perhaps just bad design). </p>
<p>First, the amount requested by the ransomers is relatively small – only US$300. This seems to place a low value on the loss of access that the malware causes. </p>
<p>Secondly, infected machines direct the user to make payment to one Bitcoin account. Users are also referred to a single email address to obtain the keys necessary to decrypt their data. Unfortunately, many users have now discovered that the email account <a href="https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomware-email-account-in-question-already-blocked-since-midday">has been closed</a> by Posteo, the email provider. </p>
<p>This means that, even having made payment for the ransom, end users are unable to recover their data. Locking yourself out from your victims with a fixed address in this manner just doesn’t make good business sense.</p>
<p>This points either to amateurish implementation, or to the fact that NotPetya may have another purpose. </p>
<p><a href="https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/">Some reports</a> suggest the ransom demands may be a media lure to maximise public attention, while other researchers question whether recovery of encrypted data <a href="https://threatpost.com/little-hope-to-recover-data-lost-to-petya-ransomware/126598/">was ever possible</a>.</p>
<p>In some circles, this attack has <a href="https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b">been classified</a> as a “wiper” (in which data or even entire disks are deleted or modified beyond repair), but this is still to be firmly determined.</p>
<p>Whatever the case, if the perpetrators wanted to make money they have gone about it all wrong.</p>
<h2>2. Ukraine seems to be the centre of the damage</h2>
<p>Unlike WannaCry, which made headlines after it shut down the computer systems of British hospitals among other organisations, the largest number of NotPetya incidents have been reported in Ukraine.</p>
<p>The malware uses an “exploit” – a tool that can take advantage of a specific vulnerability on a computer – to remotely execute code on vulnerable Windows operating systems. This vulnerability, called <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">MS17-010</a>, was patched by Microsoft in March. The number of compromised systems suggests that many organisations and individuals have failed to install the patch. </p>
<p>One possible explanation for high levels of non-patched systems could be the prevalence of <a href="http://www.state.gov/e/eb/rls/othr/ics/investmentclimatestatements/index.htm?year=2016&dlid=254427">pirated software</a> in Ukraine.</p>
<p>Another <a href="https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/">distribution mechanism</a> used by the malware appears to be a software updater linked to the Ukrainian tax accounting software, M.E.Doc.</p>
<p>While there is no clear evidence pointing to the perpetrators of this attack, its motivations could be political. Unlike WannaCry, NotPetya is seriously disrupting businesses rather than making money, or else is masking its other intentions.</p>
<h2>3. It may not even be ransomware</h2>
<p>While NotPetya uses an edited version of the same <a href="http://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch">EternalBlue</a> software exploit as the WannaCry ransomware to remotely run code on the victim’s Windows computer, it differs in many key ways.</p>
<p>Whereas WannaCry only encrypted certain files (typically users’ most important data), NotPetya also prevents access to the entire operating system. It does this by <a href="https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b">writing over key parts of the hard disk</a> as well as <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/large-scale-ransomware-attack-progress-hits-europe-hard/">encrypting users’ files</a>. </p>
<p>Traditional encryption ransomware typically has a key available to recover your files. With NotPetya, there is no key to facilitate recovery (despite the promises shown on screen). There is <a href="https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/">evidence</a> that the allegedly unique ID shown to the victim is actually random data that could never result in a decryption key being provided.</p>
<p>While it is still too early to provide a definitive analysis of this cyberattack, it is clear this is a new twist in online warfare. </p>
<p>The code has been carefully designed to take advantage of vulnerable systems while the user is duped into believing that it’s possible to recover their files. The ransomware distraction may have been a careful misdirection to hide the true intentions of the mayhem.</p>
<p>We can expect this trend to continue and that organisations (and individuals) need to be more proactive in keeping their operating systems up to date and their data backed up.</p>
<p class="fine-print"><em><span>Paul Haskell-Dowland is affiliated with the International Federation for Information Processing (IFIP) Technical Committee 11 and is a member of the ACS and BCS.</span></em></p>
<p>Mayhem, not money, seems to be the ultimate aim of the latest attack unleashed on computer networks around the world.</p>
<p>Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>When it comes to ransomware, it’s sometimes best to pay up</h1>
<p>Published 2017-05-30T07:12:56Z (article 78036).</p>
<figure><img src="https://images.theconversation.com/files/171277/original/file-20170529-25198-1h8mids.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Businesses struck by ransomware have to make some hard decisions.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/christiaancolen/20012126873/in/photolist-wupo7e-x9LUA6-xrgEL4-wupomH-Tx3QHK-TDNAMg-T142AB-SWrePq-SLfyJY-Sq9NyG-SLfye9-SLfxWf-SNGXeH-RL72uP-RHwtaY-Sq9PcA-SLfy4E-SNGXq4-T143gz-T1434v-RL76Hi-RLYbhv-SNGXx8-UgTZsC-TDYUKs-SNGSzc-SNGXHP-T1445t-SWregb-SWrekQ-SWresd-Sq9LXW-RL71Pa-Sq9NkW-Sq9LPu-SWrevu-Sq9MHo-Sq9MqE-Sq9MAu-SNGSr6-Sq9N3m-SNGSda-SWreXw-SWreno-U3k9Bz-UeUmQ4-UbjUVd-SXwrAU-UbjUTQ-UbjUZS">Christiaan Colen/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>Companies hit by ransomware are faced with an ethical dilemma: pay up to save their now-encrypted data, or hold the moral high ground and lose it all.</p>
<p>This is a question many companies may have to face. The recent <a href="https://theconversation.com/massive-global-ransomware-attack-highlights-faults-and-the-need-to-be-better-prepared-77673">WannaCry cyber-attack</a>, which targeted the data of organisations including UK hospitals, is part of a growing <a href="http://dx.doi.org/10.1016/S1353-4858(16)30096-4">and lucrative</a> “industry”. </p>
<p>In most cases, the perpetrators attempt to <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5300711/">encrypt a business’s data</a> and then refuse to share the decryption key <a href="http://www.sciencedirect.com/science/article/pii/S1353485808700102">unless a ransom is paid</a>. WannaCry <a href="http://www.cnbc.com/2017/05/15/wannacry-ransomware-hackers-have-only-made-50000-worth-of-bitcoin.html">reportedly demanded</a> that companies pay upwards of US$300 in Bitcoin.</p>
<p>Of course, there are ways to protect yourself. Up-to-date software and effective backups are good controls for ransomware, but many people fail to keep up. For example, an estimated <a href="http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0">7% of computers</a> globally still use Windows XP software, despite Microsoft having <a href="https://support.microsoft.com/en-us/help/14223/windows-xp-end-of-support">ended support</a> for the platform. In the case of WannaCry, this was an important vulnerability.</p>
<p>Paying up may be the rational choice for an individual business, but given that cybercriminals go where the money is, the repercussions for others could be significant.</p>
<h2>The case for paying up</h2>
<p>Pop-culture morality tells us a ransom should not be paid; movies tell us that paying the ransom means the bad guys win. </p>
<p>In the real world, however, businesses face a serious dilemma. Paying the ransom could save the business and keep staff employed, but the cybercriminal will probably feel encouraged to continue their attacks. </p>
<p>Ultimately, businesses held to ransom have at least four choices:</p>
<ul>
<li>Refuse to pay the ransom and risk the possibility that the criminals will carry out their threats</li>
<li>Call authorities to launch a criminal investigation, although whether the data will be decrypted <a href="https://link.springer.com/chapter/10.1007/978-3-319-38930-1_3">is uncertain</a></li>
<li>Attempt to use decryption tools to access the data. One such method is “brute force” – a trial and error computational method to guess all possible variants of the decryption key – but <a href="http://www.analysisofappliedmathematics.org/wp-content/uploads/2016/09/Journal_of_Applied_Mathematics_Jan_2017.pdf#page=5">some mathematicians estimate</a> that’s beyond the processing power of most computers.</li>
<li>Pay the ransom and hope you get your data back.</li>
</ul>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/cZ543_0bjbw?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Ransomware ‘WannaCry’ attack explained.</span></figcaption>
</figure>
<p>Several factors may affect the decision, including whether the victim expects that the encrypted data will be returned once payment is made, or how embarrassing it will be to inform clients about the incident. </p>
<p>The value of the data is also important. If the data held hostage is not integral, then the business is obviously less likely to pay.</p>
<h2>Thinking about others</h2>
<p>The victim’s consideration of the consequences of <a href="http://arxiv.org/abs/1703.06660">their choice for others</a> is also important.</p>
<p>Economically, rather like <a href="http://www.jstor.org/stable/4226625?seq=1#page_scan_tab_contents">the decision</a> of an individual trawler to over-fish the seas or a factory to pollute the air, <a href="http://dx.doi.org/10.1007/978-1-4614-7883-6_576-1">paying the ransom</a> creates a “negative externality”. </p>
<p>That is, paying the ransom may benefit the cybercriminal as well as the business and its survival, but it’s a sub-optimal choice from the perspective of the wider community. The business that pays the ransom obtains all the benefits of their choice, but much of the cost is borne by others, who may become the victim of emboldened cybercriminals. </p>
<p>The moral dilemma is difficult: paying the ransom saves the business but hurts others. However, not paying the ransom is to feel morally superior while waiting in the unemployment line.</p>
<h2>How to fight ransomware</h2>
<p>Avoiding such a dilemma entirely requires businesses to prepare for ransomware attacks.</p>
<p>There are several key <a href="https://www.anao.gov.au/work/better-practice-guide/business-continuity-management-building-resilience-public-sector-entities">actions and responses</a> a company can take to blunt <a href="https://doi.org/10.1093/itnow/bww102">the impact of a cyber-attack</a>. Chani Simms, co-founder of Meta Defence Labs, has suggested, among other things:</p>
<ul>
<li>Implementing preventive controls to make attacks less successful, such as regularly “patching” software and training staff in good information security practices.</li>
<li>Ensuring data is backed up offline and business continuity plans are in place.</li>
<li>If an attack is still successful, quickly isolating infected computers to limit losses. </li>
</ul>
<p>Such simple strategies are estimated to mitigate most cyber intrusions as well as ransomware. Yet the risk remains that ransomware creators will find a vulnerability, encrypt important data and leave the business with a sticky choice.</p>
<p>Until someone creates a ransomware-proof software system, some might decide that paying up is the rational choice.</p>
<p class="fine-print"><em><span>Micheal Axelsen is a fellow of CPA Australia and a member of ISACA. </span></em></p>
<p>Movies tell us that paying a ransom means the bad guys win, but in the real world it’s not that simple.</p>
<p>Micheal Axelsen, Lecturer (Business Information Systems), The University of Queensland. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>What are software vulnerabilities, and why are there so many of them?</h1>
<p>Published 2017-05-23T03:47:50Z (article 77930).</p>
<figure><img src="https://images.theconversation.com/files/169999/original/file-20170518-12263-iatux6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">It's software: There's always a way in.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/elite-hacker-entering-room-through-keyhole-420468124">BeeBright via shutterstock.com</a></span></figcaption></figure>
<p>The recent WannaCry ransomware attack spread like wildfire, taking advantage of flaws in the Windows operating system to take control of <a href="http://www.cbsnews.com/news/cyberattack-wannacry-ransomware-north-korea-hackers-lazarus-group/">hundreds of thousands of computers worldwide</a>. But what exactly does that mean?</p>
<p>It can be useful to think of hackers as burglars and malicious software as their burglary tools. Having researched cybercrime and technology use among criminal populations for more than a decade, I know that both types of miscreants want to find ways into secure places – computers and networks, and homes and businesses. They have a range of options for how to get in.</p>
<p>Some burglars may choose to simply smash in a window or door with a crowbar, while others may be stealthier and try to pick a lock or sneak in a door that was left open. Hackers operate in a similar fashion, though they have more potential points of entry than a burglar, who is typically dependent on windows or doors.</p>
<p>The weaknesses hackers exploit aren’t broken windowpanes or rusty hinges. Rather, they are flaws in software programs running on a computer. Programs are written by humans, and are inherently imperfect. Nobody writes software completely free of errors that create openings for potential attackers.</p>
<h2>What are these flaws, really?</h2>
<p>In simple terms, a vulnerability can be an error in the way that user management occurs in the system, an error in the code or a flaw in how it responds to certain requests. One common vulnerability allows an attack called a <a href="https://secure.php.net/manual/en/security.database.sql-injection.php">SQL injection</a>. It works on websites that query databases, such as to search for keywords. An attacker creates a query that itself contains code in a database programming language called SQL.</p>
<p>If a site is not properly protected, its search function will <a href="https://www.cisco.com/c/en/us/about/security-center/sql-injection.html">execute the SQL commands</a>, which can allow the attacker access to the database and potentially control of the website. </p>
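<p>To make the two paragraphs above concrete, here is an added example (not code from the article or from any site it mentions) of the search function they describe, written against Python’s standard-library sqlite3 module. It shows the flaw side by side with the fix: the first version splices the visitor’s search text directly into the SQL statement, so text that contains SQL syntax changes what the query means; the second version passes the same text as a bound parameter, so the database treats it only as data. The product table, the search keyword and the hostile search string are all constructed for the demonstration.</p>

```python
import sqlite3

# Constructed sample data for the demo: a small product catalogue.
SAMPLE_PRODUCTS = [("lamp", 20), ("table", 120), ("chair", 45)]


def make_db():
    """Build an in-memory database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_vulnerable(conn, keyword):
    """Unsafe: the keyword is concatenated into the statement text.

    Whatever the visitor types becomes part of the SQL the engine parses,
    so quote characters and keywords in the input are executed as SQL.
    """
    sql = "SELECT name FROM products WHERE name = '" + keyword + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, keyword):
    """Safe: the statement is fixed and the keyword is a bound parameter.

    The driver hands the keyword to SQLite as a value, never as statement
    text, so it can only ever be compared against the name column.
    """
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (keyword,))]


def demo():
    """Run both searches on an ordinary keyword and on input containing SQL syntax."""
    conn = make_db()
    normal = "lamp"
    # Constructed hostile input: closes the quoted literal and appends an
    # always-true condition, turning a lookup for one name into "match every row".
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": search_vulnerable(conn, normal),
        "vuln_hostile": search_vulnerable(conn, hostile),
        "safe_normal": search_parameterized(conn, normal),
        "safe_hostile": search_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:13} -> {rows}")
```

<p>Run as a script, the vulnerable search returns every product when given the hostile string, because the statement it builds reads <code>WHERE name = 'x' OR '1'='1'</code>; the parameterized search returns nothing for that string, since no product is literally named <code>x' OR '1'='1</code>. The defensive point is that parameterization, not input filtering, removes the class of bug: the query’s structure is fixed before any user data is seen.</p>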
<p>Similarly, many people use programs that are supported by the <a href="https://www.codecademy.com/learn/learn-java">Java programming language</a>, such as Adobe Flash Player and various Android applications. There are <a href="https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html">numerous vulnerabilities in the Java platform</a>, all of which can be exploited in different ways, but most commonly through getting individuals to <a href="https://doi.org/10.1145/2901739.2901773">download “plug-ins” or “codecs” to software</a>. These plug-ins actually contain malicious code that will take advantage of the vulnerability and compromise the machine. </p>
<h2>Flaws are everywhere</h2>
<p>Vulnerabilities exist in all types of software. <a href="https://arstechnica.com/security/2017/05/wcry-is-so-mean-microsoft-issues-patch-for-3-unsupported-windows-versions/">Several versions of the Microsoft Windows operating system</a> were open to the WannaCry attack. For instance, the popular open-source web browser Firefox has had <a href="https://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452">more than 100 vulnerabilities identified in its code each year</a> since 2009. Fifteen different vulnerabilities have been identified in Microsoft Internet Explorer browser variants <a href="https://www.cvedetails.com/product/9900/Microsoft-Internet-Explorer.html?vendor_id=26">since the start of 2017</a>.</p>
<p>Software development is not a perfect process. Programmers often work on timelines set by management teams that attempt to set reasonable goals, <a href="https://blog.keen.io/how-should-deadlines-be-used-in-software-engineering-9eb23d513e8d">though it can be a challenge to meet those deadlines</a>. As a result, developers do their best to design secure products as they progress but may not be able to identify all flaws before an anticipated release date. Delays may be costly; many companies will release an initial version of a product and then, when they find problems (or get reports from users or researchers), fix them by releasing security updates, sometimes called patches because they cover the holes.</p>
<p>But software companies can’t support their products forever – to stay in business, they have to keep improving programs and selling copies of the updated versions. So after some amount of time goes by, they stop issuing patches for older programs. </p>
<p>Not every customer buys the latest software, though – so many users are still running old programs that might have <a href="https://arstechnica.com/security/2017/05/wcry-is-so-mean-microsoft-issues-patch-for-3-unsupported-windows-versions/">unpatched flaws</a>. That gives attackers a chance to find weaknesses in old software, even if newer versions don’t have the same flaws.</p>
<h2>Exploiting the weaknesses</h2>
<p>Once an attacker identifies a vulnerability, he can write a new computer program that uses that opportunity to get into a machine and take it over. In this respect, an exploit is similar to the way burglars use tools like crowbars, lock picks or other means of entry into a physical location. </p>
<p>They find a weak point in the system’s defenses, perhaps a network connection that hasn’t been properly secured. If attackers can manage to gain contact with a target computer, they can learn about what sort of system it is. That lets them identify particular approaches – accessing specific files or running certain programs – that can give them increasing control over the machine and its data. In recent years, attackers began targeting web browsers, which are allowed to connect to the internet and often to run small programs; they have many vulnerabilities that can be exploited. Those initial openings can give an attacker control of a target computer, which in turn can be used as a point of intrusion into a larger sensitive network.</p>
<p>Sometimes the vulnerabilities are discovered by the software developers themselves, or users or researchers who alert the company that a fix is needed. But other times, hackers or government spy agencies figure out how to break into systems and <a href="https://theconversation.com/should-spies-use-secret-software-vulnerabilities-77770">don’t tell the company</a>. These weaknesses are called “zero days,” because the developer has had no time to fix them. As a result, the software or hardware has been compromised until a patch or fix can be created and distributed to users. </p>
<p>The best way users can protect themselves is to <a href="https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667">regularly install software updates</a>, as soon as updates are available.</p>
<p class="fine-print"><em><span>Thomas Holt does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>It can be useful to think of hackers as burglars and malicious software as their burglary tools. Both types of miscreants want to find ways into secure places and have many options for entry.</p>
<p>Thomas Holt, Associate Professor of Criminal Justice, Michigan State University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Should spies use secret software vulnerabilities?</h1>
<p>Published 2017-05-19T01:02:23Z (article 77770).</p>
<figure><img src="https://images.theconversation.com/files/170032/original/file-20170518-12257-625y70.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">When is it okay for the government to keep a secret?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/whispering-words-145530742">sharpshutter via shutterstock.com</a></span></figcaption></figure>
<p>The 2017 WannaCry ransomware attack <a href="http://www.cbsnews.com/news/cyberattack-wannacry-ransomware-north-korea-hackers-lazarus-group/">infected about 300,000 computers in 150 countries</a>, and cost computer users <a href="http://www.nbcnews.com/tech/security/total-paid-malware-ransom-how-exploit-spread-n759531">thousands of dollars in ransom money</a> and <a href="http://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/">billions in lost productivity</a>. </p>
<p>The attack took advantage of a vulnerability in the Windows operating system that the federal government had been aware of for years but had chosen not to tell Microsoft about until just months before the WannaCry attack began. That history and the potential for <a href="https://www.engadget.com/2017/05/16/shadow-brokers-nsa-june/">more releases in the coming weeks</a> have intensified the debate around how governments and spy agencies should act when they discover weaknesses in computer software. </p>
<p>It’s a choice of how best to protect the public: <a href="https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html">Exploit software vulnerabilities to collect intelligence information</a> that may help keep people safe? Or disclose the flaw, letting the software company fix it and <a href="https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/">protect millions of regular computer users from malicious attacks</a> by hackers?</p>
<h2>Exposing WannaCry</h2>
<p>For years, <a href="https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html">the U.S. National Security Agency used a flaw in the Windows operating system</a>, nicknamed “EternalBlue,” to spy on intelligence targets, gathering information from their computer files and electronic communications. But the NSA didn’t tell Microsoft about the flaw in the company’s software until early 2017. The company <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">quickly issued a fix</a> users could download and install. <a href="https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667">Many people didn’t</a>, though.</p>
<p>In April, a hacking group called the <a href="https://www.engadget.com/2017/04/14/shadow-brokers-dump-windows-zero-day/">Shadow Brokers reported that it had breached the network</a> of, and stolen information from, computers used by the Equation Group, which has not identified itself but is <a href="http://www.reuters.com/article/us-usa-cyberspying-idUSKBN0LK1QV20150216">widely believed to be part of the NSA</a>. The Shadow Brokers revealed <a href="https://theconversation.com/after-the-nsa-hack-cybersecurity-in-an-even-more-vulnerable-world-64090">information about extremely sophisticated digital tools</a> for attacking military, political and economic targets worldwide. One of those tools was “EternalBlue.”</p>
<p>In May, a hacker or hacking group released a piece of malicious software using “EternalBlue” to hijack computers, encrypt the data on them and charge victims a ransom to restore access to their information. </p>
<p>If the NSA had told Microsoft about the flaw five years ago, things could have unfolded differently. In particular, users could have had much more time to update their software – which would have <a href="https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667">substantially increased the number of people protected</a> against the vulnerability.</p>
<h2>Using ‘zero days’</h2>
<p>The most serious cyberattacks are those that use previously unknown vulnerabilities. They are called “zero day” exploits because the developers had no time to fix them before trouble began, and nobody is protected. The NSA may know of <a href="https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process">hundreds, or even thousands, of them</a>. Spy agencies of other countries, including <a href="https://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=1">China, Russia, Iran and North Korea</a>, are also working to find zero-day vulnerabilities.</p>
<p>Using these vulnerabilities can be effective. For instance, the NSA used four zero-day vulnerabilities as part of a series of cyberattacks on Iran’s nuclear enrichment sites. That effort, officially code-named “Olympic Games,” created the program known to the public as “<a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">Stuxnet</a>,” which damaged about 1,000 centrifuges and <a href="https://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=1">may have helped force Iran to negotiate</a> with the U.S. about its nuclear program.</p>
<h2>Should they keep the secret?</h2>
<p>By not telling software companies about newly identified vulnerabilities, government agencies such as the NSA and CIA serve their own purposes of finding ways to gather intelligence undetected. But they also <a href="https://fcw.com/articles/2017/03/13/zero-day-stockpile-carberry.aspx">endanger critical systems of governments and regular users alike</a>. </p>
<p>The U.S. does not have strong and clear policies with which to handle this problem. In January 2014, the <a href="https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process">Obama administration ordered spy agencies</a> to <a href="https://www.wired.com/2014/04/obama-zero-day/">disclose weaknesses they find</a> – but with a significant loophole: If a software flaw has “a clear national security or law enforcement” use, the government can <a href="http://www.reuters.com/article/us-apple-encryption-review-idUSKCN0WW2OL">keep the flaw secret</a> and exploit it.</p>
<p>These are <a href="http://dx.doi.org/10.1080/01972243.2016.1177764">complex trade-offs</a> involving many questions: What might spies learn by exploiting the vulnerability? How likely is it that adversaries could find it? What might happen if they use it? <a href="https://www.wired.com/2017/05/governments-wont-let-go-secret-software-bugs/">Can the secret be kept securely and reliably</a>? Regardless of the <a href="http://dx.doi.org/10.1145/2535813.2535818">ethics questions</a> about how these agencies should best carry out their duty of protecting the public, the decision will likely end up as a political one, about <a href="https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process">how the government should use its power</a>.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>What’s the best way for spy agencies to protect the public: secretly exploit software flaws to gather intelligence, or warn the world and avert malicious cyberattacks?</p>
<p class="fine-print">Nir Kshetri, Professor of Management, University of North Carolina – Greensboro. Licensed as Creative Commons – attribution, no derivatives.</p>
<p class="fine-print">tag:theconversation.com,2011:article/77740 (2017-05-18T09:11:13Z)</p>
<h1>How WannaCry caused global panic but failed to turn much of a profit</h1>
<figure><img src="https://images.theconversation.com/files/169840/original/file-20170517-30098-w6ungw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">No money, no access.</span> <span class="attribution"><span class="source">shutterstock.com</span></span></figcaption></figure>
<p>The WannaCry cyber-attack led to <a href="http://www.bbc.co.uk/news/technology-39920141">panic across the globe</a>, showing just how important it is for organisations to have secure operating systems. This was not even the most sophisticated malware around. Numerous networks could easily cope with it and it largely hit legacy operating systems such as Windows XP.</p>
<p>In most corporate infrastructures, there would be no sign of Windows XP – and it seems unbelievable from a security perspective that the national health service of an advanced economy such as the UK would run its critical infrastructure on such an <a href="https://theconversation.com/nhs-ransomware-cyber-attack-was-preventable-77674">unsafe, antiquated system</a>. </p>
<p>But perhaps the most striking aspect of this recent attack is how unsuccessful it has been in terms of generating a ransom. As well as the NHS in the UK, it hit French car manufacturer Renault, US delivery service FedEx, Russia’s interior ministry and Spanish telecoms and gas companies. Yet ransom payments currently appear to total less <a href="https://www.elliptic.co/wannacry/">than US$100,000</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/169858/original/file-20170517-30098-rh0kav.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/169858/original/file-20170517-30098-rh0kav.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/169858/original/file-20170517-30098-rh0kav.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=236&fit=crop&dpr=1 600w, https://images.theconversation.com/files/169858/original/file-20170517-30098-rh0kav.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=236&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/169858/original/file-20170517-30098-rh0kav.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=236&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/169858/original/file-20170517-30098-rh0kav.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=296&fit=crop&dpr=1 754w, https://images.theconversation.com/files/169858/original/file-20170517-30098-rh0kav.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=296&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/169858/original/file-20170517-30098-rh0kav.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=296&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The chart shows the current balance of the three Bitcoin addresses known to be associated with the WannaCry ransomware.</span>
<span class="attribution"><span class="source">Elliptic</span></span>
</figcaption>
</figure>
<p>This is minuscule when we compare it to other ransomware attacks. CryptoWall <a href="http://www.washingtontimes.com/news/2015/nov/2/cybercriminals-rake-in-325m-cryptowall-ransomware/">made its author US$325m</a> with over 406,000 attempted infections.</p>
<p>The interesting thing about the WannaCry ransomware is that it mostly hit large organisations with legacy networks – and they will often not pay ransoms as they have backups or run their data from a central server. Thus, despite more than 200,000 infections worldwide, there have been fewer than 200 payments.</p>
<p>The weak impact is because this is a different type of ransomware. The most successful ones spread through spear phishing emails and target individuals and small businesses, which often do not have back-ups. This ransomware was different in that it spread of its own accord through unpatched systems (systems that had not followed recent warnings to protect against a virus and back-up their files) – as a worm. But it is humans that are generally <a href="http://search.proquest.com/docview/206792454?pq-origsite=gscholar">the weakest link</a> when it comes to information security.</p>
<h2>The perfect crime?</h2>
<p>Ransomware is almost the perfect IT crime. If an online criminal can trick you into installing malware, they can then lock your files and hold them ransom until you pay them a release fee. Only a secret encryption key, which they hold, can release the files. </p>
<p>It is simple, but highly effective. No virus scanner or law enforcement professional will be able to unlock your files unless they have the magic encryption key, and the longer the target takes to pay for it, the greater the risk there is to their business. As with any malware, though, there might be bugs in the software, so there’s no guarantee that you’ll get your files back, even if you do as the blackmailers say. And there’s always the risk that they will just ask for more money once you pay them. Some malware increases its ransom demands over time, ultimately deleting all the files affected.</p>
<p>Nonetheless, it means that the success rate of the crime is incredibly high – <a href="http://www.trendmicro.co.uk/media/misc/ransomware-the-truth-behind-the-headlines.pdf">at around 65%</a>, as sensitive and important documents are often the target of the infection.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/169322/original/file-20170515-6996-1q692go.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/169322/original/file-20170515-6996-1q692go.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/169322/original/file-20170515-6996-1q692go.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=254&fit=crop&dpr=1 600w, https://images.theconversation.com/files/169322/original/file-20170515-6996-1q692go.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=254&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/169322/original/file-20170515-6996-1q692go.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=254&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/169322/original/file-20170515-6996-1q692go.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=319&fit=crop&dpr=1 754w, https://images.theconversation.com/files/169322/original/file-20170515-6996-1q692go.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=319&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/169322/original/file-20170515-6996-1q692go.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=319&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Success rate for ransomware.</span>
<span class="attribution"><span class="source">Trent Micro - New Research: Uncovering the Truth About Ransomware</span></span>
</figcaption>
</figure>
<h2>Increasing infections</h2>
<p>Computer security firm Trend Micro <a href="http://www.trendmicro.co.uk/newsroom/pr/uk-businesses-bullish-about-ransomware-but-majority-pay-up-when-attacked/">surveyed over 300 IT decision makers</a> in the UK in September 2016 and found that 44% of businesses have been affected by ransomware over the last two years. The same survey found 79 new types of ransomware in the first nine months of that year. This compared to just 29 in the whole of 2015.</p>
<p>This is a great worry for many companies. The impact on those affected by the infection can be costly, with an average of 33 person hours taken to fix it.</p>
<p>In around 20% of the cases, £1,000 was requested, with an overall average of £540. Some large organisations faced demands of as much as £1m. But for many companies, this is the tip of the iceberg as it can be costly for a company in terms of reputation as customers could start seeing them as untrustworthy.</p>
<p>Perhaps the most frightening statistic that Trend Micro found was that in one in five cases, even when the company paid the ransom, they were unable to recover their important files – indicating that the ransomware service is not quite as robust as it should be.</p>
<p>If you ask many security professionals, the recent WannaCry ransomware was fairly easy to defend against, and was fairly unsophisticated. What it clearly shows is that there is still more success in tricking individuals than in spreading malware across large networks. The NHS does, though, need to make sure that not one unpatched computer ever goes near its network, and that employees understand that they shouldn’t click on suspicious links. </p>
<p>Meanwhile, with law enforcement agencies <a href="http://www.bbc.co.uk/news/technology-39924318">focused</a> on the three Bitcoin wallets associated with WannaCry to try and find out who profits, there will be a whole lot more ransomware that goes unreported and unnoticed.</p>
<p class="fine-print"><em><span>Bill Buchanan does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The cyber-attack hit 200,000 computers and a number of big global organisations. But it hasn’t made much in ransom money.</p>
<p class="fine-print">Bill Buchanan, Head, The Cyber Academy, Edinburgh Napier University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p class="fine-print">tag:theconversation.com,2011:article/77745 (2017-05-17T12:42:30Z)</p>
<h1>Here’s how the ransomware attack was stopped – and why it could soon start again</h1>
<figure><img src="https://images.theconversation.com/files/169775/original/file-20170517-24350-u0klak.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>The ransomware cyber attack that has so far affected around <a href="https://www.ft.com/content/74ae2600-39a3-11e7-ac89-b01cc67cfeec">300,000 computers in 150 countries</a> could have been much worse. In fact, it still could be. The spread of the malicious software (malware), nicknamed <a href="https://docs.microsoft.com/en-us/msrc/customer-guidance-for-wannacrypt-attacks">WannaCry or WannaCrypt</a>, has been halted several times by researchers who have identified flaws in the program known as kill switches. But cybercriminals are already fighting back by altering the code, leading to a game of cat and mouse as researchers then have to hunt for a new kill switch.</p>
<p><a href="https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx">Ransomware is a type of malware</a> that blocks access to a computer until money is paid to release it. It is normally spread as an attachment on an email but WannaCry is different because it can spread through a local network on its own. </p>
<p>It looks for other computers running a file and printer sharing protocol called <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx">Server Message Block</a> (SMB), which is found in older operating systems such as Windows XP that no longer receive routine security updates. It then uses a flaw in SMB to spread to other computers without their users having to download the file. This explains why more computers have been affected than is typical with this kind of malware.</p>
<p>The Achilles heel of malware is the need to call home to its operator. For ransomware, there has to be a mechanism for the program’s operator to collect the ransom money and unlock the data. These communications can provide a way for law enforcement to track down the cybercriminals, so they often build into their malware something called a kill switch.</p>
<p>Generally, a kill switch is a mechanism for turning off a device or a piece of software remotely – and abruptly – in an emergency, such as when it has been stolen or accessed without authorisation. In malware, a kill switch is a way for the operator to terminate their connection to the software to prevent authorities from discovering their identity.</p>
<p>One kill switch method is to redirect the malware’s communications to a “sinkhole” server, which can render it ineffective. Investigators can study the malware and look for such a kill switch or a way to take over the software.</p>
<p>A sophisticated piece of malware will often run its control communication across multiple unregistered internet domains. By periodically changing the domain it uses, the software can thwart attempts to understand or neutralise it. This means investigators need to constantly adapt and register any new domains the malware may try to use to make the sinkhole effective.</p>
<h2>Accidental death</h2>
<p>In the case of WannaCry, a researcher using the pseudonym MalwareTech ended up <a href="https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0">accidentally activating the kill switch</a> when he tried to create a sinkhole in order to study the software. WannaCry included code that looked to check if a specified domain had been registered. If it received a response from the domain, it shut down. If not, it continued to work. So when MalwareTech registered the domain, it effectively activated the kill switch.</p>
<p>This kill switch was probably inserted to prevent investigators studying the software in a closed virtual environment <a href="https://stackoverflow.com/questions/2126174/what-is-sandboxing">called a “sandbox”</a>. These typically respond to all communication attempts by the malware with signals from registered domains. So when WannaCry received a response from the domain, it was tricked into thinking it was in a sandbox and shut down to protect itself.</p>
<p>The problem is that modifying WannaCry’s code so it looks for a different unregistered domain will allow new versions of the software to continue running. In fact, one new variant of the malware has <a href="https://qz.com/983569/a-second-wave-of-wannacry-infections-has-been-halted-with-a-new-killswitch/">already been stopped</a> after researchers registered the new domain, activating the related kill switch.</p>
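<p>Resolver and sinkhole telemetry is the defender’s side of the kill-switch story described above: every host that looks up the kill-switch name has run the worm, whether or not the name answered, and the answer it got tells you whether the program carried on or shut itself down. The Python below is an added example, not code from this article or from the researchers it names. The domain, log format and client addresses are constructed placeholders (the domain is deliberately not the real WannaCry one), and the assumed log shape is “timestamp client qname rcode”, one query per line.</p>

```python
"""Triage resolver logs for lookups of a malware kill-switch domain.

Added example; not code from the article. KILL_SWITCH_DOMAIN is a
placeholder standing in for the name the worm checks, and SAMPLE_LOG is
a constructed resolver log in an assumed "ts client qname rcode" shape.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Placeholder only: a reserved .invalid name, never the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"


@dataclass(frozen=True)
class DnsEvent:
    ts: datetime
    client: str
    qname: str
    rcode: str  # "NOERROR" = name resolved, "NXDOMAIN" = name unregistered


# Constructed sample log: two hosts probe while the name is still unregistered
# (the worm keeps going), then the name is registered/sinkholed and answers.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.1.4.22 www.example.org NOERROR
2017-05-12T10:02:41Z 10.1.4.22 killswitch-placeholder.invalid NXDOMAIN
2017-05-12T10:02:45Z 10.1.7.9 killswitch-placeholder.invalid NXDOMAIN
2017-05-12T15:40:02Z 10.1.7.9 killswitch-placeholder.invalid NOERROR
2017-05-12T15:41:10Z 10.1.9.31 killswitch-placeholder.invalid NOERROR
2017-05-12T15:42:00Z 10.1.9.31 updates.example.net NOERROR
"""


def parse_log(text: str) -> list[DnsEvent]:
    """Parse the assumed whitespace-separated log format into events."""
    events: list[DnsEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        # fromisoformat() does not accept a trailing "Z" on older Pythons.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(DnsEvent(when, client, qname.lower().rstrip("."), rcode.upper()))
    return events


def triage(events: list[DnsEvent], kill_switch: str = KILL_SWITCH_DOMAIN) -> dict:
    """Summarise, per client, every lookup of the kill-switch name.

    Any lookup at all means the malware's start-up check ran on that host,
    so the host belongs on the investigation list. 'halted' records whether
    the most recent lookup got an answer: with this kill-switch design an
    answer makes the program stop, while NXDOMAIN means it carried on.
    """
    report: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.qname != kill_switch:
            continue
        rec = report.setdefault(
            ev.client, {"first_seen": ev.ts, "last_seen": ev.ts, "lookups": 0, "halted": False}
        )
        rec["lookups"] += 1
        rec["last_seen"] = ev.ts
        rec["halted"] = ev.rcode == "NOERROR"
    return report


def hosts_to_isolate(report: dict) -> list[str]:
    """Hosts whose latest probe went unanswered: the worm did not stop there."""
    return sorted(c for c, r in report.items() if not r["halted"])


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    for client, rec in sorted(summary.items()):
        print(f"{client}: {rec['lookups']} lookup(s), last {rec['last_seen']:%H:%M:%SZ}, "
              f"{'halted' if rec['halted'] else 'NOT halted'}")
    print("isolate first:", hosts_to_isolate(summary))
```

<p>The point of keeping both outcomes is operational: hosts that resolved the name still ran the malware and need cleaning, but hosts whose last probe returned NXDOMAIN were active before the domain was registered and so are the ones where the worm actually continued. A variant that checks a different domain, as the paragraph above describes, simply means adding that name to the watch list.</p>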
<p>An interesting paradox is that WannaCry was developed using a surveillance tool called EternalBlue created by the US National Security Agency (NSA) and leaked by a group of hackers known by the pseudonym Shadow Brokers. They are now claiming to have further harmful source code for WannaCry and are <a href="http://indianexpress.com/article/technology/tech-news-technology/wannacry-ransomware-shadow-brokers-hacker-group-threatens-to-sell-code-4659765/">threatening to release it into the wild</a> for anyone to modify freely. Based on the history of previous similar malware, copycats are extremely likely. With major modifications to the source code, the recent updates made to anti-malware software will become futile as the cycle begins again.</p>
<p>Researchers are even questioning why WannaCry’s kill switch existed at all given that it was so easy to discover and execute. The danger is that WannaCry was just a test to elicit the response of defenders so deadlier variants can be unleashed later.</p>
<p class="fine-print"><em><span>Adrian Winckles receives funding from iCure/DCMS for Cyber Security Innovation<br />
Member of Open Web Application Security Project European Board &amp; Cambridge Chapter Leader<br />
BCS Vice Chair Cybercrime Forensics Special Interest Group<br />
UK Cyber Security Forum - Cambridge Cluster Chair</span></em></p>
<p>Things might not be over for the WannaCry malware.</p>
<p class="fine-print">Adrian Winckles, Senior Lecturer in Cyber Security, Anglia Ruskin University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p class="fine-print">tag:theconversation.com,2011:article/77802 (2017-05-16T15:06:54Z)</p>
<h1>Are public sector organisations more at risk from cyber-attacks on old computers?</h1>
<p><a href="https://www.theguardian.com/society/2017/may/12/global-cyber-attack-nhs-trusts-malware">Hospitals across Britain</a> were crippled by the <a href="https://theconversation.com/nhs-ransomware-cyber-attack-was-preventable-77674">recent ransomware cyber-attack</a>, making the country’s National Health Service one of the most high-profile victims of the global incident.</p>
<p>The government has been criticised for <a href="http://www.dailymail.co.uk/news/article-4503522/Government-scrapped-support-NHS-two-years-ago.html">cutting IT support</a> for the health service and <a href="https://theconversation.com/nhs-ransomware-cyber-attack-was-preventable-77674">failing to replace</a> old computer systems. Meanwhile, ministers <a href="http://www.telegraph.co.uk/news/2017/05/14/nhs-repeatedly-warned-improve-security-defence-secretary-says/">hit out</a> at NHS bosses for not improving cybersecurity, amid reports that an upgrade that could have prevented the attack was <a href="http://news.sky.com/story/nhs-cyberattack-trusts-were-told-about-security-patch-last-month-10878700">made available a month ago</a>.</p>
<p>This story doesn’t feel too surprising. Anyone who regularly deals with public services in person will probably have seen government employees struggling with outdated computer systems. Certainly, other major state-run organisations have also been <a href="http://money.cnn.com/2017/05/15/technology/ransomware-whos-been-hit/">hit by the ransomware</a>, including German railway company Deutsche Bahn and the US Department of Homeland Security. But is the public sector really any worse than the private sector at keeping its IT security up to date and avoiding cybercrime?</p>
<p>The recent “WannaCry” attack was made possible by a flaw in the 15-year-old Windows XP operating system. Software manufacturers often provide updates or patches to their products after they discover such a flaw, to prevent cyber-criminals from exploiting it. However, Microsoft <a href="https://www.microsoft.com/en-gb/windowsforbusiness/end-of-xp-support">stopped routinely updating XP</a> in 2014, and those still using it have to pay for custom support to receive any further patches.</p>
<p>Once the company became aware of the WannaCry flaw, it was quick to release a patch back in March. But because many customers were still using unsupported versions of XP, WannaCry rapidly infected a large number of systems when it emerged in May. Microsoft then <a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/">made its patch available</a> to all XP users but many of those who didn’t update immediately were caught out. This is exactly what happened within the NHS.</p>
<p>The government has long acknowledged the need to update its old IT systems. When public XP support ended in 2014, <a href="https://www.theguardian.com/technology/2014/apr/07/uk-government-microsoft-windows-xp-public-sector">the government said</a> it expected the majority of its machines to be upgraded within a year. It then ended NHS funding for custom XP support, <a href="http://uk.businessinsider.com/why-the-uk-government-stopped-paying-for-windows-xp-2017-5">reportedly in an attempt to encourage</a> health service bosses to upgrade their systems. But a <a href="http://www.computerweekly.com/microscope/news/450404337/Citrix-channel-needs-to-give-NHS-some-TLC">report at the end of 2016</a> suggested that 90% of NHS trusts still had at least one XP system.</p>
<p>The most likely reason that out-of-date systems are still being used is the cost of upgrading them. In most cases, a new version of Windows or another operating system would also need a new computer that was powerful enough to run it, and potentially new bespoke hardware and software to enable the organisation to do its job. For example, a hospital X-ray department using an XP-based machine might need a new version of the software that controls its X-ray machines.</p>
<p>Public sector agencies also have a luxury in the form of highly-skilled government experts from the likes of the <a href="https://www.ncsc.gov.uk/">National Cyber Security Centre</a> who are available to ensure that critical services, such as the NHS, are kept operational. So even if the recent ransomware attack acts as a necessary wake-up call, there’s still a perceived safety net.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Small firms don’t have IT departments to protect them.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<h2>Private problem</h2>
<p>However, WannaCry didn’t just affect the public sector. Around <a href="http://uk.businessinsider.com/europol-said-there-are-200000-cyberattack-victims-and-the-number-will-go-up-2017-5">200,000 victims</a> in 150 countries have been affected, according to EU police force Europol, many of them businesses including major corporations such as <a href="http://money.cnn.com/2017/05/15/technology/ransomware-whos-been-hit/">Nissan, FedEx and Hitachi</a>. <a href="https://netmarketshare.com/">One source</a> suggests that more than 10% of all desktop PCs run Windows XP, and a significant portion of those victims will likely be small businesses. In general, there is no specific evidence that public sector organisations suffer cyber-attacks disproportionately.</p>
<p>Although the NHS is clearly under tight financial constraints, governments have significant resources to mitigate cyber-threats and can raise large amounts of money if politicians choose to do so. In the UK, the National Cyber Security Centre alone has a £1.9 billion investment. </p>
<p>It is a completely different picture for small companies that don’t have easy access to cash for upgrades or access to the highly-skilled resources of government experts or even IT departments. Often they don’t even have the awareness that there’s a problem to begin with. There are government-backed initiatives to help small companies with cybersecurity, such as the UK’s <a href="https://www.cyberaware.gov.uk/cyberessentials/">Cyber Essentials</a>, but these don’t have the scale to reach everyone or even identify and help those most in need. We can certainly question whether they are having much impact given the scale of the recent ransomware attack.</p>
<p>Cyber-attacks on the scale of WannaCry may remind organisations about the need to maintain their IT security. Getting people to understand how is still a serious challenge. Public sector organisations might too often rely on outdated computer systems but at least they’re better placed than much of the private sector to do something about it.</p>
<p class="fine-print"><em><span>Simon Parkinson does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Small businesses are the forgotten casualties of the recent WannaCry ransomware attack.</p>
<p class="fine-print">Simon Parkinson, Senior Lecturer in Informatics, University of Huddersfield. Licensed as Creative Commons – attribution, no derivatives.</p>
<p class="fine-print">tag:theconversation.com,2011:article/77703 (2017-05-16T06:15:07Z)</p>
<h1>What the underground market for ransomware looks like</h1>
<figure><img src="https://images.theconversation.com/files/169460/original/file-20170516-11956-1jeph5f.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The market for exploiting software vulnerabilities can be traced back to the 90s where "phreaking" - modifying telecommunications technology - was popular.</span> <span class="attribution"><span class="source">Jennifer/Flickr</span>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>The “WannaCry” ransomware attack has put governments and businesses around the world on edge, but in fact the underground market for exploits, that is, for software vulnerabilities and bugs like this one, has been in existence at least since the 1990s.</p>
<p>Informal sharing of these vulnerabilities goes back to the dawn of computing, notably phone “phreaking” (tinkering with telecommunication devices) and the <a href="http://www.worldcat.org/title/hackers-heroes-of-the-computer-revolution/oclc/10605060">Massachusetts Model Railway Club</a>, credited with fostering the early hacker sub-culture from the 1960s onwards. </p>
<p>From here it slowly <a href="http://www.econinfosec.org/archive/weis2012/papers/Anderson_WEIS2012.pdf">developed into a global market</a> in the sale of exploits and exploit kits. This included hacking tools such as Blackhole, Zeus and Spyeye, whose users are sometimes known as “script kiddies” because the programming skills required are basic and the hacks are more or less delivered via a menu-driven program. </p>
<p>The Russian carding market, which developed in the 1990s as online forums for the sale of stolen credit cards and identities, morphed into a sophisticated business enterprise. It mimicked legal online markets such as eBay. In short, these criminals industrialised.</p>
<p>The <a href="http://www.aic.gov.au/publications/current%20series/tandi/521-540/tandi526.html">Australian Communication Media Authority’s Spam Intelligence Database</a> showed that spam-distributed malware capable of locking data files on an exposed computer system began to appear in 2012, with many cases reported from 2013 onwards.</p>
<h2>The modern malware market</h2>
<p>The industrialisation of the cybercrime market developed rapidly with the advent of virtual private networks (VPNs) and <a href="https://theconversation.com/au/topics/tor-7466">The Onion Router or “Tor” for short</a> in the mid-2000s. The <a href="https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/UNODC_CCPCJ_EG4_2013_2_E.pdf">UNODC’s 2013 Comprehensive Report on Cybercrime</a> flagged the importance of these markets in the spread of monetised hacking tools. </p>
<p><a href="http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf">The RAND Corporation’s 2014 report on the Hackers’ Bazaar</a> notes:</p>
<blockquote>
<p>These black markets are growing in size and complexity. The hacker market — once a varied landscape of discrete, ad hoc networks of individuals initially motivated by little more than ego and notoriety — has emerged as a playground of financially driven, highly organized, and sophisticated groups….Black and gray markets for hacking tools, hacking services, and the fruits of hacking are gaining widespread attention as more attacks and attack mechanisms are linked in one way or another to such markets.</p>
</blockquote>
<p>The <a href="https://www.acsc.gov.au/publications/ACSC_Threat_Report_2015.pdf">Australian Cyber Security Centre’s 2015 Threat Report</a> highlights the emergence of cybercrime as a service, introducing new business models to cybercriminals and increasing their spread and sophistication. The FBI’s Cybercrime Division prosecutor, Gavin Corn, observed that networking among criminal groups has been greatly enhanced by the emergence of new encrypted applications:</p>
<blockquote>
<p>Cybercrime wasn’t even a part of organized crime before, and now it’s the epitome of it. </p>
</blockquote>
<p>The evolution of the internet has also seen the rapid take up of encrypted and anonymous technology.</p>
<p>The value of this underground market today is estimated to be in the hundreds of millions. Some vulnerabilities have reportedly been <a href="https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/">sold for as much as US$900,000 recently</a>. Higher prices are paid for exploits against more secure systems such as Apple iOS (iPhones and so on), and lower fees for older legacy operating systems like Windows XP. </p>
<p>The market operates in an orderly way, with testing and evaluation prior to purchase. It’s similar to the carding business in that it seeks to provide a stable, reliable service that encourages repeat use. </p>
<h2>Don’t just blame the black market</h2>
<p>When it comes to how effective these products – malware, ransomware – actually are, the underground market’s role ends; from there, businesses with lax security are the ones most at risk.</p>
<p>Legitimate penetration testing by cyber-security companies, as well as national security agencies wanting to improve their cyber arsenals for offensive purposes, has also had a role in boosting the value of exploits. The secret acquisition of exploits leaves many users unaware of the “bug” and thwarts legitimate bug bounty projects.</p>
<p>In reality, any enterprise in e-commerce or dependent on the internet should also be a security company. Intrusions that target confidential data or service delivery are now common and can devastate trust in the business. </p>
<p>A stand-out problem is the presence of legacy computing systems or applications running old operating systems that are no longer supported by the vendor. The Windows XP operating system is a good example, and exploits frequently target these older systems. </p>
<p>It’s estimated that half of all web pages are still served over the old, insecure HTTP protocol rather than HTTPS, now the industry standard. This legacy of older web page formats leaves everyone exposed to the risk of compromise by cybercriminals, who hijack websites and create fake website addresses that redirect victims to such sites, where they unwittingly download a virus such as a Trojan or other malware. </p>
<p>The mass distribution of the “WannaCry” ransomware signals the shift of ransomware intrusion techniques from a specialist or individually tailored mode of cybercrime, to one capable of simultaneously targeting many vulnerable computer systems or networks. Coupled with the creation of large scale botnets (a network of computers that can be controlled remotely), often designed to deliver mass-spam emails or social media messages, the scale of these events grows. </p>
<p>At best, attacks on this scale have been described as “weapons of mass annoyance” – disruptive but not fatal. Campaign-style attacks are now commonplace. </p>
<p>They are capable of delivering well-designed, socially engineered messages that trick users into visiting a compromised webpage and inadvertently downloading an executable file that locks up their data. In other attacks, hidden programs that log keystrokes or manipulate the computer’s operating system can be installed via unpatched bugs in many older systems.</p>
<p>The notion of the “digital divide”, where some have access to certain technology and others don’t, has the additional dimension of security. It is harder than ever for consumers and enterprises to continually assess the trustworthiness of their online exchanges, as cybercriminals can easily produce perfect copies of well-known, trusted enterprises.</p>
<p class="fine-print"><em><span>Roderic Broadhurst does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The underground market for software vulnerabilities has been growing steadily since the 1990s, so the latest WannaCry could be a sign of things to come.
Roderic Broadhurst, Chair professor, Australian National University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/77667
2017-05-15T20:37:53Z
2017-05-15T20:37:53Z
The Petya ransomware attack shows how many people still don’t install software updates
<figure><img src="https://images.theconversation.com/files/169396/original/file-20170515-7005-1kosyny.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">People don't want to be interrupted to update their software.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-vector/woman-working-on-internet-using-computer-553675984">irin73bal via Shutterstock.com</a></span></figcaption></figure>
<p>A new global ransomware attack, called “Petya” or “<a href="https://twitter.com/kaspersky/status/879749175570817024">NotPetya</a>,” <a href="https://www.wired.com/story/petya-ransomware-outbreak-eternal-blue/">exploits the same vulnerability</a> as the “WannaCry” attack back in May. As <a href="https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html">Petya spreads across Europe</a>, it’s becoming clear how few people and companies – <a href="https://www.usatoday.com/story/tech/news/2017/06/27/large-cyberattack-hits-europe-disrupts-power-grid-banks/103226268/">including major corporations</a> – actually update their software, even in the wake of major cyberattacks.</p>
<p>WannaCry <a href="https://www.washingtonpost.com/news/worldviews/wp/2017/05/15/the-era-of-cyber-disaster-may-finally-be-here/">could have been avoided</a>, or at least made much less serious, if people (and companies) kept their computer software up to date. The WannaCry attack demonstrated how <a href="https://www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html?_r=0">hundreds of thousands of computers in more than 150 countries</a> are running outdated software that leaves them vulnerable. The victims included <a href="http://pix11.com/2017/05/15/wannacry-virus-spreads-to-asia-experts-warn-of-new-wave/">Britain’s National Health Service, logistics giant FedEx, Spanish telecom powerhouse Telefonica and even the Russian Interior Ministry</a>.</p>
<p>As WannaCry spread, media outlets, technology firms and cybersecurity companies around the world <a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/">recommended people update their computer systems immediately</a> if they hadn’t already. The Petya attack targets computers that weren’t updated, despite those very clear public alerts.</p>
<p>The security flaw that allowed both attacks to occur was <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">fixed by Microsoft in March</a>. But only people who keep their computers updated were protected. Details of the flaw were <a href="https://news.vice.com/story/hackers-used-stolen-nsa-tools-to-launch-a-cyberattack-on-more-than-70-countries">revealed to the public in April by the Shadow Brokers</a>, a group of hackers who said they had stolen the information from the U.S. National Security Agency.</p>
<p>Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.</p>
<h2>Updating is a pain</h2>
<p>All people had to do to stay safe from Petya and WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their <a href="http://dx.doi.org/10.1145/2858036.2858303">experiences of installing software updates</a>.</p>
<p>Nearly half of them said they had been frustrated updating software; just 21 percent had a positive story to tell. Researchers highlighted the response of one participant who noted that Windows updates are available frequently – <a href="https://technet.microsoft.com/en-us/security/bulletins.aspx">always the second Tuesday of every month</a>, and occasionally in between those regular changes. The updates can take a long time. But even short updates can interrupt people’s regular workflow, so that study participant – and doubtless many others – avoids installing updates for “as long as possible.” </p>
<p>Some people may also be concerned that updating software <a href="https://twitter.com/__apf__/status/863961744204472322">could cause problems with programs they rely on regularly</a>. This is a particular concern for <a href="https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/9d6a8704-764f-46df-a41c-8e9d84f7f0f3/mjpg-encoded-media-type-is-not-available-for-usbuvc-webcameras-after-windows-10-version-1607-os?forum=mediafoundationdevelopment">companies with large numbers of computers</a> running specialized software.</p>
<h2>Is it necessary?</h2>
<p>It can also be very hard to tell whether a new update is truly necessary. The software that fixed the Petya/WannaCry vulnerability came out in a regular second-Tuesday update, which may have made it seem more routine. Research tells us that <a href="http://aisel.aisnet.org/icis2014/proceedings/ISSecurity/28/">people ignore repeated security warning messages</a>. Consequently, these monthly updates may be especially easy to ignore.</p>
<p>The companies putting out the updates don’t always help much, either. Of the 18 updates Microsoft released on March 14, including the Petya/WannaCry fix, half were rated “critical,” and the rest were labeled “important.” That leaves users with little information they could use to prioritize their own updates. If, for example, it was clear that skipping a particular update would leave users vulnerable to a dangerous ransomware attack, people might agree to interrupt their work to protect themselves.</p>
<p>Even security experts struggle to prioritize. The day the fix was released, Microsoft watcher Chris Goettel <a href="https://redmondmag.com/articles/2017/03/14/march-2017-security-updates.aspx">suggested prioritizing four of the 18 updates – but not the one fixing Petya and WannaCry</a>. Security company Qualys also failed to include that specific update in its <a href="https://blog.qualys.com/laws-of-vulnerabilities/2017/03/14/massive-security-update-from-microsoft-for-march">list of the most important March updates</a>. </p>
<h2>Security pros, and everyone else</h2>
<p><iframe id="76Jwt" class="tc-infographic-datawrapper" src="https://datawrapper.dwcdn.net/76Jwt/3/" height="400px" width="100%" style="border: none" frameborder="0"></iframe></p>
<p>The most common recommendation is to update everything immediately. People just don’t do that, though. A 2015 survey by Google found that more than one-third of security professionals don’t keep their systems current. Only <a href="https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf">64 percent of security experts update their software automatically</a> or immediately upon being notified a new version is available. Even fewer – just 38 percent – of regular users do the same.</p>
<p>Another research project <a href="http://www.umiacs.umd.edu/%7Etdumitra/papers/OAKLAND-2015.pdf">analyzed software-update records from 8.4 million computers</a> and found that people with some expertise in computer science tend to update more quickly than nonexperts. But it’s still slow: From the time an update is released, it takes an average of 24 days before half of the computers belonging to software engineers are updated. Regular users took nearly twice as long, with 45 days passing before half of them had completed the same update.</p>
<h2>Making updates easier</h2>
<p>Experts might be quicker at updating because they understand better the potential vulnerabilities updates might fix. Therefore, they might be more willing to suffer the annoyances of interrupted work and multiple restarts. </p>
<p>Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, <a href="https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en">installs updates silently and automatically</a> – downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.</p>
<p>That’s not the right choice for all kinds of updates, though. For example, the Windows update needed to protect against the Petya/WannaCry attack requires the computer to restart. Users won’t tolerate their computers shutting down and restarting with no warning.</p>
<h2>Getting the message out</h2>
<p>So computer companies must try to convince us – and we must convince ourselves – that updates are important. My own research focuses on doing just this, by <a href="https://www.internetsociety.org/doc/can-edutainment-change-software-updating-behavior">producing and evaluating entertaining and informative videos</a> about computer security.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/muvwozXpyx4?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">An entertainment-education video about software updating produced by researchers at the University of Maryland.</span></figcaption>
</figure>
<p>In our first experiment evaluating the video, we conducted a month-long study to compare our video with an article of advice from security firm McAfee. The video was effective for more of our participants than the McAfee article was. Our video was also equally or more effective, overall, at improving people’s updating practices. Trying new approaches to teaching security behaviors such as our edutainment video, or even <a href="http://securitycartoon.com/index.php?comic=20070416&tag=malware">security comics</a>, may be a first step toward helping us stay safer online.</p>
<p><em>Editor’s note: This article was updated on June 27, 2017, to add discussion of the Petya/NotPetya ransomware attack.</em></p>
<p class="fine-print"><em><span>Elissa Redmiles receives funding from the National Science Foundation, Facebook, and the Department of Defense. She is on the editorial board of Data4America, a nonpartisan data journalism nonprofit. </span></em></p>
People don’t want to endure the interruptions and inconveniences of keeping their computer software up to date. Research tells us why, and how we might fix the problem – and protect ourselves.
Elissa M. Redmiles, Ph.D. Student in Computer Science, University of Maryland
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/77717
2017-05-15T07:16:27Z
2017-05-15T07:16:27Z
After ‘WannaCrypt’, should governments stockpile software vulnerabilities? Experts respond
<p><em>The “WannaCrypt” malware has disrupted vital infrastructure in almost <a href="https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs">100 countries</a> so far. Security analysts are concerned it may be part of <a href="https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/">a dump</a> of security flaws a group called the Shadow Brokers claims to have stolen from the United States’ National Security Agency.</em></p>
<p><em><a href="https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0000tah8jnrokd6ovxx2mwc3nsz3a">In a blog post</a> Sunday, Microsoft’s president and chief legal officer, Brad Smith, decried government stockpiling of software vulnerabilities.</em></p>
<p><em>“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” he wrote. “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”</em></p>
<p><em>We asked a panel of experts to weigh in: Should governments be allowed to stockpile exploits, or should they be made to disclose them to vendors, including Microsoft?</em></p>
<hr>
<h3>Greg Austin, professor, Australian Centre for Cyber Security, University of New South Wales</h3>
<p>Vulnerabilities in commercially available software provide an easy way in for spy agencies and criminals to access adversary computer systems. I agree with <a href="https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0000tah8jnrokd6ovxx2mwc3nsz3a">the Microsoft proposition</a> that the refusal of US agencies to publicise vulnerabilities can be compared with the US armed forces losing a Tomahawk Cruise missile. There are circumstances where it could be that serious. </p>
<p>Of course, our cyber intelligence agency, <a href="https://www.asd.gov.au/">Australian Signals Directorate</a>, may also be using vulnerabilities in software that Australian citizens rely on. So we need to ask the government about its policy in this regard. I doubt we will stop that practice in the current climate of global cyber escalation. But, in the medium term, Australia must commit to new “highly secure” systems instead of using inherently vulnerable software and machines. </p>
<p>We must also commit to diplomatic agreement on the disclosure of vulnerabilities in commercially available systems. Countries with <a href="http://globalstudy.bsa.org/2016/index.html">high levels of pirated software</a>, like China and Russia, are vulnerable because patches sent by Microsoft to repair vulnerabilities only go to registered IP addresses with a licensed copy of the software. If a user has installed an unlicensed pirated version, they never get the patches.</p>
<p>The Australian government needs to have a more mature conversation with its citizens about what is really going on in cyber space. So far we have not had it, even though the Turnbull government deserves credit for starting down that path with its <a href="https://cybersecuritystrategy.dpmc.gov.au/">cyber security strategy</a>.</p>
<hr>
<h3>Monique Mann, lecturer, School of Justice, Faculty of Law, Crime and Justice Research Centre, Queensland University of Technology</h3>
<p>In an <a href="http://theconversation.com/as-surveillance-gets-smart-hackers-get-smarter-62773">escalating cryptowar</a> with widespread uptake of end-to-end encryption, <a href="https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities">governments contend</a> that they cannot always disclose cyber security vulnerabilities. This is because they use <a href="http://www.pctools.com/security-news/zero-day-vulnerability/">zero-day vulnerabilities</a> to spy.</p>
<p>But state-sponsored programs of cyber warfare go beyond stockpiling vulnerabilities. Countries are actively developing digital weapons to hack into, infect, monitor and disrupt computer systems. </p>
<p>The <a href="https://wikileaks.org/ciav7p1/">Vault 7 disclosures</a>, published by WikiLeaks in March, revealed both the extent of the Central Intelligence Agency’s hacking capabilities and its inability to keep them secure. An arsenal of malware, viruses, trojans and zero-day exploits was taken and leaked. </p>
<p>Now WikiLeaks says it wants to <a href="https://www.wired.com/2017/03/assange-wikileaks-will-help-tech-giants-stop-cia-snooping/">work with technology companies</a> to address vulnerabilities and disarm these digital weapons. Yet these could also <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2706199">have been sold</a> or used for sinister purposes. </p>
<p>Digital weapons can fall into the wrong hands. The consequences, <a href="https://www.itnews.com.au/news/wannacrypt-ransomware-what-you-need-to-know-461717">like “WannaCrypt”</a>, can be disastrous.</p>
<p>Governments should be promoting cyber security rather than undermining it. Failing to disclose and address vulnerabilities weakens cybersecurity. There should also be limits on the development and deployment of digital weapons. </p>
<p>It is time for a <a href="https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.0000eype9fh58dtoxrh2cd8lji6rc">digital Geneva Convention</a> to protect the internet: the critical infrastructure and the citizens who depend on it. </p>
<hr>
<h3>Robert Merkel, lecturer in software engineering, Monash University</h3>
<p>I’ve <a href="https://theconversation.com/iphone-hack-attack-shows-why-we-need-to-rein-in-the-trade-in-spyware-65348">argued previously</a> that Western governments should be far more careful with their use and distribution of stockpiled vulnerabilities in commercial software. But I wouldn’t hold my breath for it to happen.</p>
<p>For better or worse, intelligence agencies seem to have persuaded governments that the intelligence they gain from exploiting such vulnerabilities outweighs the risks when those exploits leak. Whether they are right is something only historians will be able to answer, given the decades it will take for contemporary intelligence operations to be declassified. </p>
<p>Even if Western intelligence agencies were required to cease stockpiling vulnerabilities and instead report them to vendors, their counterparts in Russian and Chinese intelligence agencies seem unlikely to follow suit. They face little domestic political pressure to behave ethically.</p>
<p>Indeed, while the vulnerability used by the “WannaCrypt” ransomware is thought to have come originally from the National Security Agency, the public disclosure of the vulnerabilities <a href="https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html">is believed by some US officials</a> to have been the work of the Russian intelligence services. </p>
<p>Russian IT systems <a href="https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20">were among</a> the most heavily affected by “WannaCrypt”. If the release was in fact the work of Russian intelligence, the blowback, in terms of inconvenience and expense for Russian companies and other branches of the Russian government, has been substantial. It was also foreseeable – and they did it anyway.</p>
<p>While Microsoft’s call for governments to think harder about the real-world costs of their espionage techniques is admirable, it’s hard to imagine it actually happening any time soon.</p>
<p class="fine-print"><em><span>Monique Mann is a director of the Australian Privacy Foundation. While at the Australian Institute of Criminology, she consulted for the Australian Criminal Intelligence Commission on information systems and cybercrime. The views expressed here are those of the author and do not represent the views of any Commonwealth agency.</span></em></p>
<p class="fine-print"><em><span>Greg Austin and Robert Merkel do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
“It is time for a digital Geneva Convention to protect the internet.”
Greg Austin, Professor, Australian Centre for Cyber Security, UNSW Sydney
Monique Mann, Lecturer, School of Justice, Faculty of Law, Crime and Justice Research Centre, Queensland University of Technology
Robert Merkel, Lecturer in Software Engineering, Monash University
Licensed as Creative Commons – attribution, no derivatives.