Last week, malware released by criminals caused global chaos by encrypting the files on infected computers, denying users access to vital—in some cases lifesaving—data and demanding a ransom for restoring them. In the UK, notable victims were many NHS trusts, some of which were forced to shut down their entire IT systems. Worldwide, the WannaCry ransomware affected computers in more than 150 countries. The perpetrators are unknown, with some experts pointing the finger at North Korean hackers.
But there are deeper lessons here for governments fighting the growing cyber-threat. How did these criminals discover how to infect computers so effectively? The answer is troubling. The attack was possible due to a flaw in Windows. Microsoft issued a patch for it in March; in April a number of stolen hacking tools—one of which exploited the vulnerability—were published by the hacking group The Shadow Brokers, and the exploit was then available to anyone. The machines hit in May were those that had not applied the March patch or were running versions of Windows that Microsoft no longer supported. The tools were allegedly developed in the United States by the National Security Agency (NSA) for intelligence gathering.
The Shadow Brokers emerged last summer and had leaked stolen NSA tools before. The group's origins are unclear, but Edward Snowden tweeted in August 2016 that "circumstantial evidence and conventional wisdom indicates Russian responsibility." If so, this is an example of the kind of "weaponised information" operation in which Moscow now specialises. But once the tools have been leaked, anyone can make use of them—and Russian computers have been hard hit by the ransomware.
The fact that hackers were able to penetrate NSA security to steal the toolkit in the first place is deeply troubling, and the release of the tools onto the web was deeply irresponsible. Last week, President Donald Trump signed an executive order on cybersecurity for federal networks and critical infrastructure. This was timely recognition of the need to improve the security of US government agencies, following a string of disastrous hacks. These include the 2015 breach of the Office of Personnel Management, in which the personal details of millions of federal employees—including those in the intelligence community—were compromised, probably by Chinese hackers.
In this respect, then, the lesson may have been learned. But another question remains: after an intelligence agency discovers a flaw in widely used software, what should it do? Telling the relevant company means a patch can be issued to safeguard the general public. But if the agency keeps the secret, the flaw can be employed to reel in high-value targets—a necessary part of national security. The US has a formal procedure for this choice, the vulnerabilities equities process, which is meant to weigh how widely the affected software is used and how likely it is that others will find the same flaw against the intelligence value of keeping it. WannaCry shows what is at stake when that judgement is wrong, or when the exploit is stolen before the flaw is fixed.
On Tuesday, Microsoft President Brad Smith criticized the NSA’s actions. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” he said. But intelligence gathering against those who mean us harm is essential, and close access tools are needed more than ever as end-to-end encryption (encryption that only the communicating devices can undo, so that nothing readable can be intercepted in transit) diminishes the usefulness of traditional interception.
In every case, a careful balance of all the interests involved is needed. It is essential that countries know the vulnerabilities of their national infrastructure and assess the many cyber-threats facing them. The UK National Cyber Security Strategy 2016-2021 set out the government’s plan to keep the country secure. Where the UK’s strategy already rests on a detailed account of threats and vulnerabilities, President Trump has felt obliged to commission a raft of further studies. This kicking of the can down the road is frustrating to critics such as Senator John McCain, chairman of the armed services committee, who have long complained that the government is stuck in a defensive crouch on this issue.
As far as it goes, the US executive order does resemble the UK strategy. Both demand joined-up e-government, with different departments sharing back-office services and making best use of new technology such as cloud-based services. (For the US, a common standard, the NIST Cybersecurity Framework, is mandated to discourage the 190-odd federal agencies from all trying to develop their own defences.) Both make the heads of each government agency personally responsible for security. Both identify a deficit in national capacity to deliver cybersecurity. The US directive commissions a report on what should be done. The UK has already set up a National Cyber Security Centre, part of GCHQ, which plans to build capability by developing skills, stimulating growth in the sector and promoting the science and technology that lie behind it.
A welcome emphasis in the Trump executive order is on the need for his administration to work with allies and partners, including in developing offensive capability to deter attacks and defend against them: capability able, if necessary, to intrude into opponents’ systems and threaten damage or disruption. Such offensive capability is already explicitly included in the published UK cyber strategy.
The UK now knows that its government must play an active role in keeping the nation safe. It must support the private sector along with public institutions like the NHS, using intelligence that only national government can contribute. The 2016-2021 strategy is backed by £1.9bn over five years, more than double the £860m of the 2011-2016 programme. The US strategy is not yet complete—and nor is its financing—but we should welcome the first step from the Trump administration. This is one executive order that should not receive derision from the commentariat.