Last week tens of thousands of computers worldwide were infected by a software virus called WannaCrypt, a form of “ransomware” that encrypts important user files and effectively holds them hostage unless a payment is made to the program’s anonymous creator.
The malware, which can infect some versions of Windows 7 and older operating systems and is believed to have been based on a security exploit originally found by the National Security Agency, has triggered one of the worst outbreaks in computing history.
Critical medical computers throughout Britain’s National Health Service were affected. So were systems owned by FedEx and the Spanish communications company Telefonica, among many others. The government of North Korea has been pointed to as a possible culprit.
Microsoft has released a critical software patch to fix the vulnerability and is asking everyone running an older version of Windows to install it. The spread of the virus has been greatly slowed after a security researcher discovered a way to block it. Unfortunately, however, a new variant of the program is already in the wild. Luckily, it is not fully functional, but it’s surely just a matter of time before a worse version of WannaCrypt emerges.
As the dust settles temporarily, the blame game has already begun. Microsoft and many others are blaming the NSA for secretly hoarding knowledge of vulnerabilities, rather than alerting the public and software companies about them.
In truth, the people most responsible for the spread of WannaCrypt are the companies and private citizens who continue to use outdated software despite repeated warnings that they are putting themselves at risk.
Critics of the NSA do have a point, however. Under the Vulnerabilities Equities Process established during former President Barack Obama’s administration in 2013, the NSA, CIA and other intelligence agencies are supposed to disclose security bugs rather than trying to exploit them.
The idea behind the policy is that while security exploits can be used by American agencies for intelligence gathering, there is no reason that other actors — including foreign governments, terrorist organizations or criminal enterprises — couldn’t devise similar tools to steal information for their own purposes.
In the case of the Windows bug that led to the creation of WannaCrypt, Microsoft was alerted about it several months ago by the NSA, after hacking tools that the agency had developed were stolen and released on the web by another group of hackers. Following the notification, the Seattle-based software giant issued a free critical security update on March 14 to all Windows 7 and Vista users and to customers of its paid security update service for Windows XP.
Unfortunately, many of the millions of computers still running the 2001 operating system never received those updates because their owners refused to pay for the enterprise security update service. The virus has also affected computers running Windows Vista and Windows 7 whose owners had blocked the security updates.
In both cases, these computer owners are the digital equivalent of medical vaccine deniers. An average user might not necessarily know better — but given how many corporate and government computers have been taken down by WannaCrypt, it’s obvious that thousands of well-paid system administrators around the world have failed at their jobs.
Software educator Troy Hunt put it well in a widely read essay on his website:
If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched.
People running older software on their machines will often claim that they’re clinging to it because they can’t afford to buy newer computers or because currently supported operating systems conflict with another piece of software that they’re using. These are valid explanations for using obsolete software, but they are not excuses.
Even then, there are a number of precautions that people who insist on running outdated programs can take to greatly increase their security, such as running them in virtual machines or emulators, keeping them behind firewalls, or disconnecting them from the web entirely. Unfortunately, far too few people even bother.
The use of obsolete software by government agencies is also a huge problem. While department heads and IT administrators deserve some of the blame, ultimately, elected officials who refuse to allocate money for necessary upgrades are culpable.
At the very least, governments should be paying for updates to Windows XP. Expecting any company to keep giving out free updates for software that is several generations old is absurd.
One hopes that WannaCrypt has taught at least a few computer users an important lesson about software security. Unfortunately, a lot more people are going to have to learn the hard way.