Research Duquesne Advisory delivers in-depth analyses of Information and Communications Technologies, their implementations and their markets. Research is based on critical observation of the market by the analysts and their on-going contacts with the vendor community, together with hands-on, practical experience in consulting engagements.

Wannacry, NotPetya and the NSA



With the possible exception of someone just back from an extended vacation on the planet Mars, everyone knows that cyberattacks are bad and getting worse.

The nature of attacks is also changing, with increasing use of “cyberweapons”, typically dangerous malware based on extremely sophisticated “exploits” that target vulnerabilities in software.

Old-fashioned phishing scams and single-organization data breaches by hacker teams are, of course, still around, but large-scale, exploit-based cyberattacks – possibly bordering on cyberwarfare – are what we have to face up to now.

Cyberattacks are becoming more dangerous

Consider the example of the Wannacry ransomware attack that - in the space of a single day, May 12, 2017 - hit organizations in countries worldwide (mostly in Russia and Ukraine, but also the NHS in the UK, Renault in France and FedEx in the US), encrypting the files of tens of thousands of computers.

Without getting into the details of malware architecture, the Wannacry “payload” is a curious animal indeed: a combination of highly sophisticated “exploit” code (targeting an old vulnerability in a previous version of the Windows SMB protocol) together with amateur-level ransomware code. As it turns out, the exploit used in the WannaCry attacks — EternalBlue — was just one of the exploits stolen from the NSA and included in the April 14, 2017 Shadow Brokers leak. As one of our sources put it: “Wannacry is like the motor of a Ferrari dropped into a 1970s Russian Lada”.

While Microsoft did release a patch for the SMB vulnerability on March 14th – one month before the Shadow Brokers leak and two months before the actual attack – patch management in companies is often a lengthy process and many organizations were still unprotected.

Fortunately, Wannacry was stopped after several days (more or less by accident, but we’ll skip the details) when a researcher discovered and activated a “kill switch”. Since actual damage was less than expected, some specialists started saying in June that the whole thing had simply been overblown.

Then on June 26, NotPetya – a more virulent first cousin of Wannacry - hit Europe, attacking major companies such as Saint Gobain, Maersk, WPP and many others. It used not just EternalBlue, but also several other exploits from the NSA leak. While “dressed up” as ransomware, the objective of NotPetya was not to obtain ransoms but simply to wreak destruction. According to the Director of ANSSI, the French cybersecurity agency, NotPetya left some enterprises in a “catastrophic state.”

Unfortunately, over the coming years, cyberattacks will - in all probability - get considerably worse. The inevitable development of the IoT – everything from smart grids and cities to connected consumer products and medical devices, not to mention Industry 4.0 - will require lots of new software, presumably with a goodly number of exploitable vulnerabilities.

Stated bluntly, the IoT will radically enlarge the “cyberattack surface”, with stakes including not just business disruption but loss of human lives. Just as an example, it has been widely reported that former US Vice President Dick Cheney, fearing an assassination attempt, had his pacemaker disconnected from the IoT. That particular story may well be apocryphal, but targeted assassinations (think political dissidents and connected cars) are a distinct possibility in the coming years.

However regrettable the loss of a single life, more “extreme” scenarios should also be considered in any medium term risk assessment, with examples including cyberattacks on smart grids, automated mass transportation networks or even military command and control systems.

Not every scenario will involve exploiting software vulnerabilities, but they are a very big part of the problem.

Brad Smith blames the NSA

In a much-remarked blog post shortly after the Wannacry attack, the entirely admirable General Counsel and President of Microsoft essentially put the blame on government hoarding of vulnerabilities.

According to Brad Smith:
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage….

This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”


“Vulnerabilities management” in the US

The NSA says that it discloses 9 out of 10 vulnerabilities that it discovers or acquires to the software vendor. Since most vulnerabilities are not useful candidates for exploits, this claim may well be true but is essentially meaningless.

The US government has had in place, since the Obama administration, an opaque interagency review and decision process called the Vulnerabilities Equities Process (VEP), which is based purely on Executive Branch authority and lacks any kind of independent oversight.

Following the Wannacry attack, a bipartisan legislative proposal called the PATCH Act was introduced in Congress to bring accountability to how the NSA and other agencies deal with software vulnerabilities. It would require federal agencies to establish clear policies on when to share vulnerabilities and would also legally establish a review board with high-ranking members of the federal government. This is certainly a step forward in principle, but adoption by Congress (and the Trump administration) is far from assured.

In any case, vulnerabilities hoarding is not just a US issue – it’s an international problem.

A Digital Geneva Convention?

Governments in advanced countries have conflicting duties: keeping people and companies safe via disclosure of vulnerabilities AND developing credible capabilities for the possibility of cyberwarfare.

In February of this year, Microsoft called for a “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell or exploit them.

While Microsoft’s proposal is still a “work in progress”, the initiative has the merit of being both serious and timely. If nothing is done, cyberattacks will only become more frequent and in all likelihood considerably more dangerous.

Pessimists will say that a “Digital Geneva Convention” will never work. Those who are cautiously optimistic will reply: given everything that is at stake, maybe it’s worth giving it a try!




Author's note

This article will also appear shortly - in a somewhat shortened form - in the "Newsletter de l’Observatoire du FIC" and will also be published on the FIC Observatoire site and available for download.

Sunday, July 16th 2017
Duquesne Advisory