We Can’t Stop Cyberattacks, but We Can Limit the Damage
Last week’s ransomware attack, which has afflicted 200,000 computers in more than 150 countries and disabled many hospital systems and other critical facilities, has shown yet another dark side of our digital dependence. Between this and the hundreds of other headlined hacks in recent years, everyone now knows we have a problem. But few are doing much to solve it.
There are countless advice columns on the half-dozen things that you can do to help keep hackers away from your computer—change your password, click on all security updates, install two-step authentication, etc. But these steps, though vital for you, will not help protect the wider society—and, besides, most people don’t follow advice columns.
Cybersecurity is a national problem and a global problem. What’s needed now are corporate guidelines, national laws, and worldwide practices—including steps to force people to take the obvious precautions, or at least give them incentives, or make it easier, to do so.
It is noteworthy that Microsoft, whose operating systems were infected with the ransomware, emailed users about the security flaw—along with a patch to fix it—in mid-March, two months before the damage spread. All users had to do, in order to patch the problem, was to push a button and wait a few minutes. A lot of users didn’t do that. A lot of users, when they get these notices, never do that.
Software companies could take steps to get users to push the button. And if the companies don’t take these steps, the government should require them to do so. For instance, companies could design software so that most functions are frozen—and therefore users can’t do anything on their computers, except maybe log in—until they install the update. If this seems a bit draconian, software could be designed so that, when users open an email containing a security notice, a red light flashes over and over and over on the screen—or an alarm goes off—until they install the update. This is similar to the ding that sounds inside a car until the driver fastens the seat belt. After a while, the flash or the noise would get so annoying that the user would install the update.
This sort of requirement or inducement would keep a lot of serious hacks from getting started. Harder to prevent are simple phishing expeditions: A hacker sends an email with a malware-filled attachment; someone inside a large network clicks on the attachment; the malware drenches the network. That was how the recent ransomware hack may have begun. It is impossible to prevent this from happening. Almost everyone has fallen for a phish at least once, and once is all it takes to let a bad guy in.
There may be ways to contain the problem. For instance, Richard George, former head of the National Security Agency’s information assurance directorate, suggests designing an operating system that spawns a “virtual machine” whenever you go into email. If you clicked on a corrupt attachment, the malware would affect the virtual machine but not the real machine—that is, not the rest of your computer. George isn’t sure the idea would work; he’s mentioned it to friends in the industry, and they’re looking into it. The point is it’s time to explore some creative solutions.
But there’s only so much individuals can do. In major attacks, hackers go after corporations or public infrastructure, either to extort lots of money or to inflict high-profile harm. Companies that regard cybersecurity as a core mission—notably banks and financial institutions—are paying close attention, and lots of money, to keep their assets safe. Companies that don’t regard it as a core mission aren’t. They figure, “Why should we?” One lesson from the past few years of cyberattacks is that more companies—almost all large companies—should start regarding cybersecurity as a core mission. Yes, it costs lots of money, but it should be considered a cost of doing business, along with paying insurance premiums and maintenance fees. Maybe the government could help by making such expenses tax-deductible.
Jerry Dixon, chief information security officer at CrowdStrike, says more companies need to isolate the crucial segments of their business. If they can’t take these sections entirely off the internet, they can at least keep them far apart from the segments that are vulnerable or that might be running on older operating systems.
Some problems are beyond corporations’ control. Chris Wysopal, chief technology officer at Veracode, a cybersecurity firm, has spoken often about insecurities in the supply chain of digital hardware and software. Many components are made by shady entities, some of them affiliated with foreign intelligence agencies, and are embedded with malware from the get-go, often without the purchaser’s knowledge. Wysopal suggests passing laws that hold the vendors of these supplies accountable for any damage down the chain. That might prod the vendors to inspect and test the parts more rigorously.
One certainty in the digital age is that hackers are going to break in. You can, and should, install better locks. But if you have something that clever, resourceful hackers want, they will find a way to get it. As Willis Ware, one of the late great pioneers of cybersecurity, once put it, the only computer that’s completely secure is a computer that no one can use.
The trick is to make it harder for hackers to get in, to detect them once they’ve intruded, then to kick them out and repair the damage as quickly as possible. Laws, regulations, tax incentives, and international treaty negotiations should be geared toward those objectives. Right now they’re not geared toward any specific goal.