The worldwide WannaCry ransomware attack has corporations and governments pointing fingers. Microsoft stopped free support of popular and widely used operating systems. America has allowed a powerful cyberweapon to fall into the hands of gangs and terrorists. Thousands of IT professionals shirked their responsibility to apply necessary security patches. Many of the organizations affected have been hospitals.

Early Warnings

Twenty years ago in the spring of 1997, an American thinktank called the Project for a New American Century was founded. In 2000, they drafted a document titled Rebuilding America’s Defenses: Strategy, Forces and Resources For a New Century. The ideas produced by this organization were heavily favoured by Donald Rumsfeld and most of the George W. Bush administration. Most of the document focuses on traditional warfare but a small portion is dedicated to “Net-War” (p. 57)

Cyberpace, or ‘Net-War’

If outer space represents an emerging medium of warfare, then “cyberspace,” and in particular the Internet hold similar promise and threat. And as with space, access to and use of cyberspace and the Internet are emerging elements in global commerce, politics and power. Any nation wishing to assert itself globally must take account of this other new “global commons.”

The Internet is also playing an increasingly important role in warfare and human political conflict. From the early use of the Internet by Zapatista insurgents in Mexico to the war in Kosovo, communication by computer has added a new dimension to warfare. Moreover, the use of the Internet to spread computer viruses reveals how easy it can be to disrupt the normal functioning of commercial and even military computer networks. Any nation which cannot assure the free and secure access of its citizens to these systems will sacrifice an element of its sovereignty and its power.

Although many concepts of “cyber-war” have elements of science fiction about them, and the role of the Defense Department in establishing “control,” or even what “security” on the Internet means, requires a consideration of a host of legal, moral and political issues, there nonetheless will remain an imperative to be able to deny America and its allies’ enemies the ability to disrupt or paralyze either the military’s or the commercial sector’s computer networks. Conversely, an offensive capability could offer America’s military and political leaders an invaluable tool in disabling an adversary in a decisive manner.

Although brief and absent of technical details, the thinktank urged the Department of Defense to take a matter that sounded like science fiction very seriously. It appears as though they rushed ahead with developing offensive capabilities while neglecting to consider the “host of legal, moral and political issues”.

Wired Magazine was at the cutting edge of many discussions in the 1990s. Writer John Carlin wrote about the transformation of warfare in 1997. That was a busy year.

The aim of information warfare will be gradually changed from ‘preserving oneself and wiping out the enemy’ to ‘preserving oneself and controlling the opponent.’ Information warfare includes electronic warfare, tactical deception, strategic deterrence, propaganda warfare, psychological warfare, network warfare, and structural sabotage.

Micosoft’s Most Popular Operating System

Edit: May 19, 2017: Apparently, many of the computers were running Windows 7. This is also very odd because the upgrade path from Windows 7 to 10 was pretty simple.

In 2014, Microsoft ended support for Windows XP. Microsoft released a patch for many issues including the vulnerabilities exploited by WannaCry on March 14th, about eight weeks ago. The Intercept reported on April 14th that the NSA’s custom Windows-oriented malware was allegedly leaked, about four weeks ago. Microsoft reported the following day that their patch addressed any known issues. A serious threat was identified and the solution provided. To perform system updates properly takes a fair amount of work but most of that is the redundancy in performing various backups along the way to ensure you can roll back if things go wrong. The information and tools were provided but somehow that wasn’t enough to be taken seriously.

Intel provides a real time map of cyberattacks, there is a snapshot in the tweet below. The extent of the attacks over time is quite astounding. The most devastating seem to have been hospitals in the UK. Reported back in December, 90% of their NHS trusts rely on Windows XP. They had a one-year service agreement with Microsoft that they did not continue. NHS Digital had alerted them to the vulnerability a month ago and provided the patch. In an act of defiant ignorance, the trusts chose to keep essential systems vulnerable rather than follow the advice of their own IT experts. As of today, they have been ordered to upgrade these systems within ten months and the Prime Minister Theresa May tore into them for their negligence.

Canada has succumbed to a number of attacks although our government isn’t being completely transparent with us. Public Safety Minister Ralph Goodale spoke vaguely about the threats, stating “the government doesn’t comment on specific threats”. By comparison, China was more specific stating “29,372 institutions there had been infected along with hundreds of thousands of devices”. As Tim Stevens from Kings College in London UK stated in the same article:

“This thing cannot be brushed under the carpet,” he said. “It is so visible and so global. There is going to have to be change at levels where change can be made.”

A hospital in Ottawa was among those infected but they were able to correct the problem by rolling back those systems and apply the patches. That doesn’t seem to be the case in many other locations.

Digital Geneva Convention

Microsoft recently proposed a Digital Geneva Convention. This is an old idea that has been kicking around for awhile in various forms. The BBC wrote about it in 2011. Forbes wrote about it in 2014. We’ve seen various hacks over time. China was accused of spying on the US in 2008. NATO partners have been experiencing cyberattacks for over a decade. They have become so frequent that they often go unnoticed. Governments and corporations definitely have a responsibility beyond their citizens and customers.

If a Digital Geneva Convention were somehow agreed upon and ratified, it would still do nothing to prevent tools from being developed and exploited by organized crime, terrorists and anarchists. It would also do little to address the paranoia and ignorance that prevented many from patching their systems, even after being alerted to the seriousness of the vulnerability. Digital illiteracy has contributed greatly to the spread of this malicious code. Greater awareness, vigilance and cooperation is necessary to reduce the harm of future attacks.