May 15, 2017

To Patch, Or Not To Patch?

The world is reeling from tens of thousands of ransomware attacks across almost 100 countries. The attack infected computers at hospitals, companies, and even government ministries in Russia, forcibly encrypting users’ files and demanding ransom be paid in order to access the contents.

According to reports, the ransomware source code seems to be a modified variant of the WannaCry toolkit—an NSA hacking tool publicly leaked by the Shadow Brokers last month. That revelation has caused an uproar over the intelligence community’s use of zero-day exploits, and is renewing calls for the government to reform its vulnerabilities equities process (VEP). The VEP is a procedure by which zero-day exploits are made known to software firms in order to give them an opportunity to patch previously undetected bugs in their products.

While I agree with the need to codify the VEP, the cause of this ransomware isn’t really a failure of the VEP. It’s a failure to patch. A recent Lawfare article got this point exactly right:

VEP or no VEP, today’s ransomware attack highlights the risks of relying on software that is no longer supported by its developer (like Windows XP) and of not applying patches that the developer makes available (like MS17-010). Even a perfectly functioning VEP would not make much difference unless the developer addressed the vulnerability, and businesses and institutions applied the relevant patch. These are the two issues—more than a government process that feeds them—that make or break organizations in the wake of today’s attack.

This problem isn’t the result of poor government cybersecurity policies or some prodigal hacker consortium that discovered an end run around strong security systems. The failure rests on users still running outdated and unsupported operating systems like Windows XP, or on improper cybersecurity management. Case in point: Microsoft released a critical security patch two months ago that would have prevented the ransomware from infecting users running post-XP operating systems.

In short, users are more to blame than the VEP or current cybersecurity policy. If your operating system is up to date, no need to worry. If not, well, you’re probably out of luck.

Yes, we need to have a broader conversation about how to improve the VEP. It may be true that the incentives over zero-day exploit hoarding are misaligned. Congress should most certainly take the lead in establishing a more formal VEP codified in legislation.

And yes, the government’s cybersecurity track record is a shambles. Maybe the recent Executive Order mandating a review of government cybersecurity practices will help better align priorities. Then again, maybe it won’t. Either way, nothing contained in the President’s dictate would have remedied this particular problem.

All this ransomware attack shows us is that the weak link in cybersecurity best practices remains the individual user. Cybersecurity complacency is endemic in the digital age. And it will continue to be a problem so long as individuals fail to take appropriate action to safeguard their online security.

So what is the solution to future ransomware attacks? Make sure your auto-update for security patching is turned on—especially if you can’t be bothered to click “yes” when critical security updates pop up on your desktop.
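For readers who want to verify the two points above on a Windows machine rather than take them on faith, here is an added read-only check (example code, not from the original column). It assumes an elevated PowerShell session; the MS17-010 KB list is an assumption from memory of the bulletin and should be confirmed against Microsoft's MS17-010 page before relying on it.

```powershell
# Added example: report (1) unsupported OS, (2) automatic updates disabled by policy,
# (3) whether an MS17-010 hotfix is installed. Read-only; changes nothing.

$os = Get-CimInstance Win32_OperatingSystem
[version]$ver = $os.Version

# 1. Windows XP / Server 2003 are NT 5.x; anything below 6.0 no longer receives routine patches.
if ($ver -lt [version]'6.0') {
    Write-Warning "$($os.Caption) is no longer supported; security patches will not arrive through Windows Update."
} else {
    Write-Output "OS: $($os.Caption) (version $ver)"
}

# 2. Group Policy / registry settings that switch automatic installation off.
#    NoAutoUpdate=1 disables Automatic Updates; AUOptions 2 or 3 only notifies or downloads.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    Write-Warning 'Automatic Updates are disabled by policy (NoAutoUpdate=1).'
} elseif ($au -and $au.AUOptions -in 2, 3) {
    Write-Warning "AUOptions=$($au.AUOptions): updates are downloaded or announced but not installed automatically."
} else {
    Write-Output 'No policy prevents automatic installation of updates.'
}

# 3. Look for the MS17-010 fix. Assumed KB list (one per platform); confirm against the bulletin.
$ms17010 = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
           'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
$found = Get-HotFix | Where-Object { $_.HotFixID -in $ms17010 }
if ($found) {
    Write-Output "MS17-010 present: $($found.HotFixID -join ', ')"
} else {
    # On Windows 10 a later cumulative update supersedes these KBs, so also check the OS build date.
    Write-Warning 'No MS17-010 hotfix ID found. On Windows 10, verify that a cumulative update from March 2017 or later is installed.'
}
```

A machine that passes all three checks is in the position the column describes as "up to date"; one that fails any of them is the case the column calls out.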