For years, information activists and cybersecurity specialists have been warning that the global hacking and spying racket known as the Five Eyes, in which Australian intelligence agencies play an eager, if junior, role, is placing us in danger. And over the weekend, we had a frightening demonstration of just how true that is.
The malware known as WannaCrypt, a worm (it copies itself from one machine to the next across a network without anyone clicking on anything) bundled with ransomware that encrypts your files until you pay the attacker to unlock them, spread across Europe and Russia on Friday morning their time. Businesses in our own region, starting the working week today, are expected to face a second wave of encryption as staff log on and their machines are exposed to already-infected hosts.
WannaCrypt spreads using pieces of code known as “exploits”, which were stolen from the US National Security Agency and which target a flaw in the file-sharing (SMBv1) component of Microsoft’s Windows operating systems. Microsoft released a fix for the flaw in March (security bulletin MS17-010) after the NSA warned it about the theft, but anyone who hadn’t applied the update, or who was still running a legacy Microsoft product that no longer receives security updates, was left vulnerable. An organisation like Britain’s National Health Service, which runs many older systems on dated IT, was hopelessly exposed.
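The practical question for anyone reading this on Monday is whether their own Windows machines are still in the state the paragraph above describes: the March fix missing and the SMBv1 service switched on. The script below is an added example, not code from the article or from Microsoft; it checks both conditions on the local host. The bulletin number MS17-010 and the two KB numbers are the public identifiers for the March 2017 update on Windows 7 / Server 2008 R2 only, and are not named on the page; other Windows editions ship the same fix under different KB numbers, so a “not found” result on those editions means “check manually”, not “unpatched”.

```powershell
# Added example (not from the article). Checks whether this Windows host still
# exposes SMBv1, which the leaked exploit targets, and whether the March 2017
# security update (MS17-010) appears among installed hotfixes.
# Assumption: the KB numbers below are the MS17-010 packages for Windows 7 SP1 /
# Server 2008 R2 SP1 (security-only update and monthly rollup). Other editions
# use different KB numbers, so extend this list for your fleet.
$ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }

    # Windows 7 / 2008 R2: SMBv1 is controlled by the SMB1 value under
    # LanmanServer\Parameters. Absent means the default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

function Test-Ms17010Installed {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1    = Test-Smb1Enabled
$patched = Test-Ms17010Installed

"Host:               $env:COMPUTERNAME"
"SMBv1 enabled:      $smb1"
"MS17-010 KB found:  $patched"

if ($smb1 -and -not $patched) {
    Write-Warning 'Exposed: SMBv1 is on and no MS17-010 package was found. Patch first, then disable SMBv1.'
} elseif ($smb1) {
    Write-Warning 'Patched, but SMBv1 is still enabled; disable it unless something genuinely needs it.'
}

# Remediation, run from an elevated shell (assumed; both cmdlets need admin rights):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force      # Windows 8 / 2012 and later
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol   # Windows 8.1 / 10 clients
# On Windows 7 / 2008 R2, set the SMB1 registry value above to 0 and reboot.
```

Run it as an administrator on each machine you care about; on a domain, the same two checks can be pushed out with Invoke-Command so you get a list of exposed hosts before, not after, the second wave arrives.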
How do we know about the NSA connection? Microsoft confirmed the NSA’s role in a company blog post about the incident. The complicity of the NSA in a hacking incident that has placed thousands of lives at risk is therefore a matter not of speculation but of record.
And if the NSA is complicit, so are we: doubtless the tools have been shared with junior partners like the Australian Signals Directorate, which the Americans have charged with spying on our own neck of the woods. And remember the CIA had a similar trove of exploits stolen from it, which turned up at WikiLeaks.
Understand what has been happening here: the agencies specifically charged with defending us from online attack learned of a major vulnerability in Microsoft’s operating systems, but instead of picking up the phone to Redmond to warn them of it, they built, or bought, software to exploit it. And then they allowed those exploits to be stolen. It’s a startling combination of stupidity, malice and incompetence.
Microsoft said:
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new ‘Digital Geneva Convention’ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
This is a little fanciful; few politicians have a basic understanding of the issues involved, because ignorance of what Donald Trump unironically calls “the cyber” is still considered acceptable among politicians. They thus have limited capacity to pressure or scrutinise agencies. It’s even more fanciful in Australia, where our agencies operate with little parliamentary scrutiny and are allowed to retreat behind an insistence that they can’t discuss operational issues.
One more thing: these tools were stolen from the NSA. Next time a government agency like the Australian Bureau of Statistics puts its hand on its heart and says it can protect the vast trove of personal data it is stockpiling on all of us, do you really think it has better security than the United States’ premier signals intelligence outfit, with its $10 billion-a-year budget?
In the Australian context, the proposal for a ‘secure’ single point of contact for all health records remains fanciful.
NSA – Too busy hacking and spying on everyone else to pay attention to their own security.
The surveillance bills passed in the USA from 2013 onwards re Snowden and others have not done one thing to curtail the activities of the NSA and other spy industries. They continue on unabated, compiling personal dossiers and databases on every individual born to the planet, whether of interest or not. Their interest in we the “sheeple” is a mystery that will only be solved at the appointed time. Great article.
The ABS? No, don’t you worry about them BK, they’re top of the line, real thinkers, know which end of the computer to hold these guys, ridgy-didge top drawer operators, the sharp end of the sword, the brightest of lights …
It gives me some ironic relief that Big Brother is a bit incompetent. It also reinforces that institutions and companies must invest in up-to-date computer infrastructure if they want to survive, and mums and dads need to keep their devices patched.
Yes, one would go mad if they believed otherwise. I’ll take the depressing thought that the world is run by idiots over the idea that there is no escape from the omnipresent, omniscient, omnipotent state.