For years, information activists and cybersecurity specialists have been warning that the global hacking and spying racket known as the Five Eyes — in which Australian intelligence agencies play an eager, if junior, role — is placing us in danger. And over the weekend, we had a frightening demonstration of just how true that is.
The malware known as WannaCrypt — a combined virus and ransomware program that encrypts information until you pay the attacker to unlock it — spread across Europe and Russia on Friday morning their time. Businesses in our own region, starting the working week today, are expected to face a second wave of encryption as they log on after the weekend.
WannaCrypt uses pieces of code known as “exploits”, which were stolen from the US National Security Agency and which target flaws in Microsoft’s operating systems. Microsoft released a fix for the flaws earlier this year after the NSA warned it about the theft, but anyone who hadn’t updated their system, or who is using a legacy Microsoft product, was left vulnerable. An organisation like Britain’s National Health Service, which uses multiple, older systems and dated IT, was hopelessly exposed.
How do we know about the NSA connection? Microsoft confirmed the NSA’s role in a company blog about the incident. The complicity of the NSA in a hacking incident that has placed thousands of lives at risk is now a matter not of speculation but of record.
And if the NSA is complicit, so are we — doubtless the tools have been shared with junior partners like the Australian Signals Directorate, which the Americans have charged with spying on our own neck of the woods. And remember the CIA had a similar trove of exploits stolen from it, which turned up at WikiLeaks.
Understand what’s been happening here: the agencies that are specifically charged with defending us from online attack have learned of a major vulnerability in Microsoft’s operating systems, but instead of picking up the phone to Redmond to warn them of it, they built, or bought, software to exploit it. And then they allowed those exploits to be stolen. It’s a startling combination of stupidity, malice and incompetence.
Microsoft’s blog post went further:

“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new ‘Digital Geneva Convention’ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
This is a little fanciful; few politicians have even a basic understanding of the issues involved, because ignorance of what Donald Trump unironically calls “the cyber” is still considered acceptable among politicians. They thus have limited capacity to pressure or scrutinise agencies. It’s even more fanciful in Australia, where our agencies operate with little parliamentary scrutiny and are allowed to retreat behind an insistence that they can’t discuss operational issues.
One more thing: these tools were stolen from the NSA. Next time a government agency like the Australian Bureau of Statistics puts its hand on its heart and says it can protect the vast trove of personal data it is stockpiling on all of us, do you really think it has better security than the United States’ premier signals intelligence outfit and its $10 billion-a-year budget?