Software firms, govts must do more against hacking

Corporates have a duty to help essential service providers upgrade to newer, more secure software, and governments must call firms to account for software vulnerabilities.

An electronic display at Frankfurt railway station advising passengers to refer to printed timetables on Saturday. The ransomware attack that struck many institutions around the world last Friday, including hospitals in Britain, telcos in Spain and FedEx in the United States, also affected the German rail network. PHOTO: EUROPEAN PRESSPHOTO AGENCY

The path to a global outbreak last Friday of a ransom-demanding computer software, or ransomware, that crippled hospitals in Britain - forcing the rerouting of ambulances, delays in surgery and the shutdown of diagnostic equipment - started, as it often does, with a defect in software, a bug.

This is, perhaps, the first salvo of a global crisis that has been brewing for decades. Fixing this is possible, but it will be expensive and require a complete overhaul of how technology companies, governments and institutions operate and handle software. The alternative would be unthinkable.

Just this March, Microsoft released a patch to fix vulnerabilities in its operating systems, which run on about 80 per cent of desktop computers globally. Shortly after that, a group called Shadow Brokers released hacking tools that took advantage of vulnerabilities which had already been fixed in these patches.

It seemed that Shadow Brokers had acquired tools the National Security Agency (NSA) had used to break into computers. Realising these tools had been stolen, the NSA warned affected companies like Microsoft and Cisco so they could fix the vulnerabilities. Users were protected if they had applied the patches that were released, but with a catch: If an institution still used an older Microsoft operating system, it did not receive this patch unless it paid for an expensive "custom" support agreement.

The cash-strapped National Health Service in Britain, which provides healthcare to more than 50 million people and whose hospitals still use Windows XP widely, was not among those that signed up to purchase the custom support from Microsoft.

It was out in the cold. On May 12, a massive ransomware attack using one of those vulnerabilities hit hospitals in Britain, telcos in Spain, FedEx in the United States, the Russian Interior Ministry, and many other institutions around the world. They had either not applied the patches to systems where these were available for free, or had not paid the extra money for older ones.

Computer after computer froze, their files inaccessible, with an ominous on-screen message asking for about US$300 (S$420) worth of bitcoin - a cryptocurrency that allows for hard-to-trace transfers of money. Ambulances headed for children's hospitals were diverted. Doctors were unable to check on patients' allergies or see what drugs they were taking. Laboratories, X-rays and diagnostic machinery and information became inaccessible. Operations were postponed. There was economic damage too. Renault, the European automaker, had to halt production.

The attack was halted by a stroke of luck: The ransomware had a kill switch that a British employee in a cyber-security firm managed to activate. Shortly after, Microsoft finally released, at no charge, the patch that it had been withholding from users that had not signed up for expensive custom support agreements.

But the crisis is far from over. This particular vulnerability still lives in unpatched systems, and the next ransomware may not have a convenient kill switch.

NO LIABILITY

While it is inevitable that software will have bugs, there are ways to make operating systems much more secure - but that costs real money. While this particular bug affected both new and old versions of Microsoft's operating systems, the older ones like XP have more critical vulnerabilities. This is partly because our understanding of how to make secure software has advanced over the years, and partly because of the incentives in the software business. Since most software is sold with an "as is" licence, meaning the company is not legally liable for any issues with it even on day one, it has not made much sense to spend the extra money and time required to make software more secure quickly.

During this latest ransomware crisis, it became clear there were many institutions that could have patched or upgraded their systems, but they had not.

This is not just because their information technology departments are incompetent (although there are surely cases of that too). Upgrades come with many downsides that make people reluctant to install them.

For example, the more secure Windows 10 comes with so many privacy concerns that the Electronic Frontier Foundation issued numerous alerts about it, and the European Union is still investigating it. My current Windows 10 machine is more secure but it advertises to me in the login screen. Further, upgrades almost always bring unwanted features. But many are often unaware that these unwanted features come bundled with a security update.


As an added complication, the ways companies communicate about upgrades and unilaterally change the user interface make people vulnerable to phishing, since one is never sure what is a real login or upgrade message and what is a bogus one linking to a fake website trying to steal a password.

The problem is even worse for institutions like hospitals which run a lot of software provided by a variety of different vendors, often embedded in expensive medical equipment. For them, upgrading the operating system (a cost itself) may also mean purchasing millions of dollars' worth of new software.

Much of this software also comes with problems, and the no-liability policy means that vendors can just sell the product, take the money and run. Sometimes, medical equipment is certified as it is, and an upgrade brings along recertification questions. The machines can (as they should) last for decades; the idea that the software should simply expire, forcing everything to be junked every 10 years, is not a workable solution.

Upgrades can also introduce new bugs. How does a hospital test new software when the upgrade can potentially freeze its MRI?

Last year, a software update "bricked" Tesla cars: They could not be driven any more until another update fixed the problem. Many large institutions are, thus, wary of upgrades.

The next crisis facing us is the so-called Internet of Things - devices like baby monitors, refrigerators and lights now come with networked software. Many such devices are terribly insecure and, worse, do not even have a mechanism for receiving updates. In the current regulatory environment, the people who write the insecure software and the companies which sell such devices bear no liability.

If I have painted a bleak picture, it is because things are bleak.

Our software evolves by layering new systems on old, and that means we have constructed entire cities upon crumbling swamps. And we live on the fault lines where more earthquakes are inevitable. All the key actors have to work together, and fast.

HIGHER STANDARDS

First, companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers has not expired, neither has their responsibility to fix defects. Besides, Microsoft is sitting on a cash hoard estimated at more than US$100 billion.

At the minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, its stance - pay extra money to us or we will withhold critical security updates - can be seen as a form of ransomware. In its defence, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms range from lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more.

Microsoft should spend more of that US$100 billion to help institutions and users upgrade to newer software, especially those that run essential services on it. This has to be through a system that incentivises institutions and people to upgrade to more secure systems and does not force choosing between privacy and security. Security updates should only update security, and everything else should be optional and unbundled.

The US government has resources and institutions to help fix this. The NSA's charter gives it a dual role: both offensive and defensive. Having the agency disclose the software vulnerabilities it finds to companies more quickly may be a good idea, but doing so does not solve this problem, since finding bugs is not limited to the NSA - criminals and other nations can keep finding them. Nor are bugs in limited supply, so we cannot get to the bottom of the problem by fixing them one by one.

There are, however, many technical measures that can be taken to build operating systems that are structurally less vulnerable to bugs. In other words, we cannot eliminate bugs but, with careful design, we can make it so that they cannot easily wreak havoc like this. For example, Google's Chrome OS and Apple's iOS are structurally much more secure because they were designed from the ground up with security in mind, unlike Microsoft's operating systems.

It is high time that the NSA shifts to a defensive posture and the US government focuses on protecting its citizens and companies from malware, hacking and ransomware - rather than focusing so much on spying.

It means helping develop standards for higher security - something an agency devoted to finding weaknesses is very well suited to do - as well as identifying systemic cyber-security risks and then helping to fix them, rather than using them offensively to spy on others.

NYTIMES


  • The writer is an associate professor at the School of Information and Library Science at the University of North Carolina.


A version of this article appeared in the print edition of The Straits Times on May 16, 2017, with the headline "Software firms, govts must do more against hacking".