Over the past few days the WannaCry ransomware has been spreading around the globe, affecting hundreds of thousands of computers in over a hundred countries. It has had a major impact on the NHS here in the UK, even resulting in cancelled operations and many diagnostic systems being forced offline.
The slightly surreal part of this story is that the US Government (and potentially others) knew of the security flaw it exploits and appear to have done nothing about it. I suspect they were hoping to be able to use the flaw to access systems for their own purposes, but of course such flaws never stay hidden forever. In this case a hacker group (the Shadow Brokers) published an exploit for the flaw in April 2017, and less than a month later chaos reigned.
“The flaw in Windows behind a huge cyber-attack affecting organisations around the world, including some UK hospitals, can be traced back to the US National Security Agency (NSA) – raising questions over the US government’s decision to keep such flaws a secret.” – bbc.co.uk
Had the US National Security Agency informed Microsoft of this issue when it discovered it, updates could have been released much earlier, many more computers would have been patched and the scale of the attack would have been much smaller. It seems that the NSA only made Microsoft aware once the exploit had been stolen from its systems and had become a threat.
Of course there is plenty of blame to go around. Why are businesses and government agencies still using software that ceased to be supported in April 2014? Windows XP is now 15 years old and has effectively been replaced four times over (Windows Vista, Windows 7, Windows 8 and Windows 10 have all been released since). Microsoft released a fix for the vulnerability at the heart of the recent attack (security bulletin MS17-010) for every supported version of Windows in March 2017, two months before the outbreak; the patch for the unsupported Windows XP only followed as an emergency release once the attack was under way. The great majority of infected machines were in fact running Windows 7, for which the fix had been available all along, so much of the blame must also fall on the IT departments of these organisations for not keeping supported systems up to date and for not retiring unsupported ones.
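To make the "keep systems up to date" point concrete, here is a check a Windows administrator could run on a host to see whether it is still exposed to the flaw WannaCry used. This is an added example written for this page, not code from the original post. It relies on the recorded facts that WannaCry spread over SMBv1 and that Microsoft fixed the flaw in bulletin MS17-010; the KB numbers listed are the March 2017 MS17-010 packages and the May 2017 out-of-band release, and the script's structure, function name and verdict wording are mine.

```powershell
# Added example (not from the original post): report whether a Windows host is
# still exposed to the SMBv1 flaw WannaCry used to spread. Run in an elevated
# Windows PowerShell session (2.0 or later; Get-WmiObject is absent from PowerShell 7).
# The KB numbers are the March 2017 MS17-010 packages plus the May 2017 XP/2003
# release. Later cumulative updates supersede them, so "not found" means
# "check Windows Update history", not "definitely unpatched".
function Test-WannaCryExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # MS17-010 packages, grouped by the Windows version they apply to.
    $ms17010Kbs = @(
        'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
        'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',              # Windows Server 2012
        'KB4012598',                           # Vista / Server 2008, and the out-of-band XP / Server 2003 package
        'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
    )
    $installedKbs = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID })

    # SMBv1 server state. Get-SmbServerConfiguration exists from Windows 8 / Server 2012;
    # on older versions read the registry value it reflects (an absent value means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
    }

    # Windows XP and Server 2003 left extended support in April 2014 and July 2015.
    $outOfSupport = $os.Caption -match 'Windows XP|Server 2003'

    if (-not $smb1Enabled) {
        $verdict = 'SMBv1 server disabled: the worm cannot reach this host over SMBv1 regardless of patch state.'
    } elseif ($installedKbs.Count -gt 0) {
        $verdict = "MS17-010 present ($($installedKbs -join ', ')); disable SMBv1 anyway unless something still needs it."
    } else {
        $verdict = 'SMBv1 enabled and no known MS17-010 package found: confirm a later cumulative update or patch immediately.'
    }

    New-Object PSObject -Property @{
        ComputerName = $os.CSName
        OS           = $os.Caption
        OutOfSupport = $outOfSupport
        Smb1Enabled  = $smb1Enabled
        Ms17010Kbs   = $installedKbs
        Verdict      = $verdict
    }
}

Test-WannaCryExposure | Format-List
```

The SMBv1 check matters more than the KB list: a host with SMBv1 switched off is not reachable by the worm even if its patch history is uncertain. On Windows 8 / Server 2012 and later, SMBv1 can be turned off with Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force; on Windows 7 and Server 2008 R2 it is the SMB1 registry value read above, set to 0 followed by a reboot.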
I know that rewriting software for devices like MRI scanners so that it works on newer operating systems is a big task. But computers have changed a lot in the 15 years since Windows XP, and keeping technology up to date is a cost all organisations must bear in the modern world.
However, this is not the only time government action has pushed technology towards being less secure. In February 2016 the FBI went head to head with Apple when Apple refused a court order to help unlock an iPhone. In the end the FBI found another way to get the data it wanted, but ultimately every step governments take to enable law enforcement to access devices also opens the door for criminals and hackers to get access too. Just like a building in the real world, adding a back door (no matter how secure or well hidden) creates an additional entrance that has to be defended, and therefore an additional opportunity for a would-be thief.
This debate will continue for some time. Earlier this year a UK Government official called for access to be granted to encrypted iMessages. Doing so, however, would inevitably at some point allow hackers to access this data too. I wonder how many people have sent a password in an iMessage believing it to be safe and encrypted, not to mention all the private messages from government officials or famous people that could easily become blackmail material or be used to embarrass.
Of course keeping private data private helps everyone, including criminals. No longer do you need an Enigma machine to keep your messages secret: a cheap phone with free messaging software is now more secure than any Enigma machine could ever have hoped to be. I suspect a compromise will eventually be reached which we can all live with. Perhaps leaving the messages secure while allowing access to metadata (the information about a message, such as who it is to and from and when it was sent) will help law enforcement track criminal activity sufficiently without making the world a less safe place for the rest of us.
The onward march of technology is inevitable. Whether it can be done while still keeping us and the services we rely on secure, well, only time will tell.