As businesses wake up to the possibility that the WannaCry ransomware tool will spread beyond the already estimated 200,000 computers already infected across Europe, experts are calling for a stronger public-private partnership on
Just a day before the attack, President
Cipher Brief CEO & Publisher Suzanne Kelly spoke with former Director of the National Security Agency General Keith Alexander about the attack, how businesses should be thinking about it, and the larger cost of not coming up with a public-private partnership on all things cyber.
Suzanne Kelly: Given your experience as both the head of the
General Keith Alexander: Here's what I thought first: this has been largely touted as the year of ransomware, so we shouldn't be surprised to see an increase in these ransomware attacks. I suspect we're going to see more of these attacks throughout the rest of the year – criminals using Wannacrypt or things like that, to encrypt your computers for ransom. What this current attack is doing is using phishing to gain entry into your systems and lateral movement within a network to attack a large number of systems. They are attacking companies throughout the world. It is a huge, global issue.
Kelly: Let's talk big picture for a second. Security experts suspect that Russia was behind, or
Alexander: I think there are two parts to this issue. The first is the perception that Russia might help leak the tools and they threw them out there to embarrass the U.S., especially with our allies in Europe. If that's the case, then an unintended consequence is that by throwing these tools out publicly, their own people are the ones who are picking them up and using them. And it's interesting because when you look on the map, Russia is getting hit the worst from this ransomware attack.
The second part of this issue is I do think Russia has been behind a lot of the related leaks, and I think from their national perspective, it's been to push their agenda to create a bigger divide between Europe and the U.S. As our government gathers the information they need to understand who did this and why, I think that the government—on both a classified and declassified level—needs to reach back out to those that did this and hold them accountable. I suspect the leaks were facilitated in part by the Russian government, but that these attacks are an unintended consequence.
Kelly: What does this tell us about zero day exploits? If this attack was launched out of a stolen NSA trove of leaked tools, as some have reported, then how should we be thinking about that? If the government knew about the vulnerability, should they have widely shared it? How should the government walk the line between identifying and exploiting those vulnerabilities for national security purposes and then the responsibility to share that information if it can be used against the private sector? Is there a 'duty to warn' in cyber?
Alexander: I am not going to comment on any specific tools or leaks, but I can say that we had two seniors at NSA who worked out a relationship where more than 90 percent of everything we saw on zero days was pushed out to industry for patching. It didn't go to industry directly from NSA, it went through the right DHS channels to get to industry. It is important to note that before those tools got out publicly, Microsoft actually pushed out a patch to fix those vulnerabilities in March, so that's a step in the right direction. So the government was ahead in getting that information to the security vendors.
Here's the issue: pushing out a patch doesn't fix the vulnerability. The companies have to apply that patch to their systems. Companies that don't do that or don't have the people to implement those patches - that's the real risk. So, if everyone had patched their systems in March, this wouldn't have spread within companies. Companies would still get hit by the phishing attack if they opened up a phishing email, but they wouldn't get hit by the lateral movement, which is causing the most damage.
Kelly: Are U.S. companies prepared for something like this and will it get worse before it gets better?
Alexander: The companies that I work with have CISOs, solid
Kelly: Do you believe that overall, there is enough of an understanding among C-suites and in board rooms, of the risks and implications of something like this? Are their heads in the right place? How much
Alexander: Up front, most of the boards and C-Suites I talk to understand the risks and are increasingly focusing on this specific issue. Larger companies can afford the IT and cyber expertise they need. But small and midsize companies cannot, and that's a real problem. The solution is to come up with comprehensive
Kelly: It's been so difficult to get comprehensive movement in Washington on a public-private partnership when it comes to cyber though.
Alexander: The Executive Order came out last week from the White House, and that's a critical step forward. We've had hearings in Congress on cybersecurity, and they understand the magnitude of these specific issues. They recognize they've got to take action. I think people are busy addressing other important issues. I think they understand the importance of the issue, it's just everything seems to be a priority and
I do think the people they have in the White House, Tom Bossert and Rob Joyce, are really good. The President has put quality people in these positions and they've already been meeting with both the public and private sectors, and I think that's a step in the right direction. We've got to do a lot more.
Kelly: What advice are you offering in this situation, to U.S. businesses?
Alexander: Two things: I think one they should ensure they have the patch implemented first. They should be working 24/7 to get that done. The second thing is that they should train their people on how to identify phishing emails. It is really important to apply patches, train your people, get good cyber capabilities. We also need to develop the right relationships between government and industry so security experts can see where the attacks are coming from and they can work together to stop them. Both the government and industry have proper roles to play here, and, especially if the attack comes from overseas, that's where the government must come in.