Leave it up to the government to show why NSA spying is wrong. John and Jazz already looked at this, but this is what happens when the government decides to get its grubby little fingers into something it shouldn’t. The WannaCry/WannaCrypt ransomware attack spreading across the globe would not have happened the way it did if the NSA hadn’t decided to hang on to an exploit for a Windows vulnerability rather than report the flaw to the vendor (a stockpiled exploit for an unpatched bug, not a backdoor Microsoft built in). That tool was stolen and leaked, and the ransomware’s authors used it to spread from machine to machine.
It prompted Microsoft President Brad Smith to call for a Digital Geneva Convention on the issue:
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
Smith’s swipe at the NSA in the first paragraph is great, but his call for a convention is rather unbecoming, because it puts the power in the hands of the governments of the world. It shouldn’t be governments writing the rules on when to report vulnerabilities; governments with “supreme executive power” shouldn’t be trusted. The security community needs to handle this itself.
This doesn’t mean relying on corporations to come up with the rules either. Remember, these are the same corporations and ISPs that want to be able to sell browsing data to advertisers. It should be legal for these companies to do so, even if it’s completely unethical. This is where it falls on the media and consumers to call out unethical behavior when it happens. The outright anger over browsing-data sales prompted Comcast to swear it wouldn’t sell user data (even if some outlets, like Ars Technica, aren’t sure it will stick to the promise). Ars Technica is providing a needed service by reporting on this and raising awareness of what could happen; if it didn’t, other companies would get in on the action, given how large the industry has become. Corporations also need to stop giving cash to politicians in exchange for favors, and politicians need to stop asking for it. End the cronyism and it becomes much harder for government-mandated backdoors and quiet data-sharing arrangements to be created.
The individual has to take responsibility too. Computer users need to pay attention to what’s going on, and not just trust the government or whoever built their computer that everything is fine while the house is burning down around them. This doesn’t mean freaking out at every reported threat, but it does mean being willing to ask questions and take some action to keep their data safe: install the security updates the vendor ships, and keep backups of anything ransomware could hold hostage. If it means moving to a provider that offers end-to-end encrypted email, like ProtonMail, or using a search engine that doesn’t track you, like DuckDuckGo, instead of Google, then people should do it. Personal responsibility is key, and those who decline it are just handing those who love powerful government more ammunition to push their nefarious laws.
But none of this would have happened if the government hadn’t decided it had to spy on its own citizens without a warrant, collecting and storing their metadata and hoarding the tools to do it. It’s nice that the NSA has decided to back off on collecting the emails of people who merely mention the name of an intelligence target, but that collection was something that should never have happened in the first place. The cyber chickens are coming home to roost, and sadly it’s affecting people all over the world.