Ensuring security in the international digital order
The WannaCry ransomware which wreaked so much havoc recently is a classic example of a cyber weapon developed by a state (in this case, the US) which has fallen into criminal hands. The only way to ensure security in the emerging digital order is by nation states entering into an international compact to ban all cyber weapons, says Prabir Purkayastha.
The WannaCry ransomware which infected hundreds of thousands of computers has brought to the fore the two most potent threats in the new digital era. If intelligence agencies with the resources of nation states create powerful cyber weapons, these weapons can also leak into criminal hands, posing enormous risks to every one of us. The other threat is posed by giant corporations which create buggy, insecure software and then walk away, leaving the consumers with no future protection.
Pretty much every piece of infrastructure today runs on computer systems, all of which are at risk. With the Internet of Things (IoT), where every device will have embedded software and Internet connectivity, this nightmare scenario will only get worse. We are looking at billions of devices - from web cameras, television sets and speakers to washing machines and even our cars - that will be vulnerable to hacking. In the future, ransomware may hold to ransom not only your computer but also your refrigerator and your smart TV.
WannaCry and the NSA
The WannaCry ransomware used an exploit called EternalBlue from the US National Security Agency (NSA)'s cache of cyber weapons. Computers in over 150 countries were infected by the ransomware, with the users locked out of their vital files and data. The criminal group behind WannaCry wanted $300 worth of bitcoin as ransom for releasing the files back to their users. The choice was: pay up or risk losing all the files on the machine.
How did an NSA hacking tool end up as part of the world's biggest malware attack? In April, a group called the Shadow Brokers dumped online the NSA's cache of cyber weapons/hacking tools. This was one of the most sophisticated sets of cyber weapons that security experts had ever seen. After the WannaCry outbreak, the Shadow Brokers have now announced that they will auction more such tools, presumably to willing criminal gangs like the one behind the WannaCry malware. WikiLeaks has also reported on the US Central Intelligence Agency (CIA)'s cyber weapons getting hacked. More such threats are therefore in the offing.
Talking about this danger, Brad Smith, President of software giant Microsoft, has written in his blog, 'Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today - nation-state action and organised criminal action.'
What Smith omitted to mention is Microsoft's own responsibility in such hacks: its buggy software, and its walking away from its older products, thereby rendering them susceptible to such risks.
Cyber weapons disarmament
US use of cyber weapons against Iran was the first instance of a cyber weapon being deployed against physical assets. The Stuxnet virus that took down the centrifuges in Iran's Natanz nuclear facility would have taken about $100 million to develop - a big sum for an individual or an organisation but pocket change for a country. This is the threat that Smith is pointing out: nation states building cyber weapons, and those weapons then leaking into criminal hands, increases the danger to all of us manifold.
If we want to stop the Internet from being weaponised, we have to start talking about what nation states should or should not do. And that means an international compact on a par with what the world did with biological and chemical weapons, and what it failed to do with nuclear weapons. Non-proliferation is not disarmament, as we are finding out to our cost.
As long as cyber weapons are not illegal, there is a perverse incentive to weaken the security of networks and devices. As we now know from whistleblower Edward Snowden's revelations, the US has weakened encryption standards, worked with various vendors to create backdoors in hardware and software, and in the process created gaping security holes in the networks and systems that we all rely on. One of the Snowden documents showed that there were more than 50,000 computer network exploits (CNEs) that were essentially logic bombs capable of taking down the target network on actuation. According to Wired, even the Internet backbone has been turned from the passive infrastructure it was intended to be into an active weapon of attack.
Bruce Schneier, one of the world's leading security experts, had written as early as 2012 on the need for a treaty banning cyberwar and cyber weapons: 'We're in the early years of a cyberwar arms race. It's expensive, it's destabilising, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.'
The US tech companies, which have worked closely with the NSA and the CIA, are now realising the risks to their systems from the leaking of US cyber weapons to criminal groups. That is why Smith and Microsoft are now advocating a Digital Geneva Convention for protecting the world against cyber weapons.
While Smith is asking for a voluntary international ban on development and use of such weapons, Russia and China have been asking for a much stronger treaty, modelled on the lines of a ban on chemical weapons. This is the path the US has refused to take in the past, in the belief that with its huge array of hacking tools and cyber weapons, it was far ahead of others.
The other threat: poor-quality proprietary software with no support
While Microsoft's Smith is correct in identifying the cyber weapons of nation states leaking into the hands of criminal gangs as a huge threat to cyber security, he 'misses' the other big threat - buggy and poorly engineered products from companies such as Microsoft. This is compounded by these companies abandoning older products with no support, leaving their security holes as easy targets for criminals to exploit.
Did Microsoft stop supporting its Windows XP operating system because it was offering a better product to its customers? No - it offered Windows Vista, which was slower, buggy and beset with huge issues of compatibility with other software and hardware products. The users refused to move to Vista. Microsoft then released Windows 7, again with the idea of moving people away from XP. All this was simply to get people to pay once again for their operating system. Microsoft even predicted security threats to the older XP systems in order to shift customers to its next version of Windows. For Microsoft, the biggest competition to its current operating system comes not from other vendors but from its own previous systems, hence the threat of withdrawal of support to older systems.
In 2014, when Microsoft stopped supporting XP, an estimated 95% of the world's automated teller machines were running on XP. Microsoft's cost of upgrading an ATM ranged from a few hundred dollars to several thousand depending on the maintenance required. Even now, it is estimated that 70% of ATMs in India are still running on old, unsupported XP, and thus vulnerable to various security threats, including WannaCry.
After the WannaCry attack, Microsoft released a patch for XP, even though it no longer supports XP. But the issue of risks to systems running older, unsupported systems such as XP persists. How many other security holes still remain in XP for which Microsoft has released patches for its supported versions of Windows?
Why should companies whose products are still widely used be allowed to walk away from their products? Should the company's monopoly over a certain product allow it to force its users to pay again and again for new software licences that quite often add very little or even - as in the case of Vista - degrade their performance? The time has come to insist that if a company 'abandons' its products, it must open-source its software and allow others to provide the support.
Of course, free and open source software (FOSS) does not have such issues. Users need to switch to FOSS products, such as the GNU/Linux operating system, as these are far more resistant to hacking than the equivalent Microsoft or other proprietary software.
One reason why FOSS is safer is that its code is open, and therefore bugs and holes are fixed far more effectively. The other reason is that the creators of such software do not leave secret backdoors in their systems the way Microsoft does. Microsoft has a history of cooperating with US intelligence agencies in providing access, or of leaving a backdoor for itself in order to spy on users' machines for commercial reasons. How many offices have been visited by Microsoft through remote 'audit' and claims that they are running 'illegal' software?
Microsoft's Smith has also brought up the 'shared responsibility' of suppliers and users regarding security. Before asking users to take responsibility for their machines, however, Smith needs to ask why Microsoft products are far more prone to such attacks as WannaCry.
If you are using Microsoft products, it is not easy to keep your machines protected all the time. Users need to be technically savvy and put up with Microsoft's frequent upgrades of its software, which often make some features or software unworkable. Even tech-savvy users do not upgrade their software regularly, as Microsoft updates are often poor and buggy and have security holes.
Cyber weapons, cyber treaties and regulating security
If intelligence agencies with the resources of a nation state create cyber weapons, it poses enormous risks to all of us. We agree with Brad Smith and Microsoft that we need a new Geneva Convention on keeping cyberspace free from weaponised software and hacking by nation states. However, it should not be through a voluntary ban as Smith is proposing, but an enforceable international treaty. Cyber weapons - either in the hands of nation states or in the hands of criminals - threaten computer systems that are a part of the world's vital infrastructure. That is why we need to ban cyber weapons and to treat the Internet as a non-weaponised space, the same way we treat outer space.
As long as cyber weapons are not illegal, there will be an incentive to develop them and weaken the security of networks and devices. Offensive capabilities are also much easier to build than defensive ones. For an attack to succeed, you only need to be successful once; for defence, you need to succeed every time. In defence, unlike in the case of offence, there are no individual winners or losers; you win only when everyone wins. Hence the need for global collaboration, developing security standards and a lot more of open protocols and software.
The other issue is how we can make corporations responsible for providing better software, and not allow them to walk away from their responsibility of maintaining the software. They should either provide continuous support or, if they can't, make the source code open so that others can support such software. This also requires a global compact that mandates a set of rules for software products, rules that governments can then enforce through their regulatory systems. A handful of digital monopolies rule the software world. It is impossible to regulate them without such a global regime.
Both these problems require state intervention and global agreements. Markets have no mechanism or incentive to solve such problems. We need international agreements and a global regulatory regime that will address such security threats. And if we are not to see the proliferation of more malware in our interconnected world, we need them now. Tomorrow is already too late.
Prabir Purkayastha is President of the Free Software Movement of India and Founder Editor of Newsclick.in, a news and views website.
*Third World Resurgence No. 319/320, Mar/Apr 2017, pp 35-37