Microsoft is not letting the WannaCry crisis go to waste

Lesson is everyone needs to do more to protect society starting with updating software

 A ransomware cyberattack on a laptop in Taipei, Taiwan.


The WannaCry cyber attack has dented the reputations of organisations including the UK National Health Service, Telefónica of Spain and the US National Security Agency, which may have invented part of the software. For one company, though, it is working out better.

Microsoft, which owns the targeted operating system, would have had to pay millions for comparably useful publicity. True, 200,000 computers running Windows were affected, with hard drives encrypted and demands for bitcoin ransoms on computer screens. But the world’s biggest software maker has seized on the advantages.

Not only did Brad Smith, Microsoft’s president and chief legal officer, take the opportunity to tell customers to update software, but he took a shot at the NSA and governments with which technology companies have tussled over privacy and security. It was a masterclass in pursuing Microsoft’s interests while invoking a noble mission.

It included a helping of humbug – Windows still sits at the heart of 90 per cent of personal computers, and has proved vulnerable to many kinds of exploits over the years. But there was some truth: the incident shows that governments are keener on attacking enemies than defending their citizens, who are bad at it themselves.

Trustworthy computing

Microsoft’s clear advantage is that it was prepared: it had made a patch for the WannaCry vulnerability in March and rolled it out to millions of computers. Many of those caught unaware were still running Windows XP, an ageing version dating back to 2001.

Microsoft endured a dark period at that time, when it kept launching editions of Windows, including 98 and XP, which were filled with new features but lacked basic reliability and security. Bill Gates, its founder, had to write his “trustworthy computing” memo in 2002, promising to perform better.

To a large degree, it worked. Any user of a recent version of the operating system, such as Windows 7 or 8, can shield themselves by keeping updated. The internet makes it simpler for hackers to burrow into computers, but also makes them easier to defend – companies can at least patch their machines against any known loopholes.

The remaining challenge is that Windows has a long tail – old versions stay on computers because it would either be too costly or too difficult to upgrade them. It is often the latter: companies run customised software that is not easy to make work with a newer Windows. There is always the temptation to let things remain as they are.

Microsoft needs incentives for the 7 per cent of users still running XP to upgrade to a new version, and for everyone to remain current. That is what the WannaCry attack, and the likelihood that it will only be the first in a string of similar incursions, offers.

It may be arduous to stick with old versions of software, but it is much more painful when machines stop working. “Information technology basics like keeping computers current and patched are a high responsibility for everyone,” Mr Smith warned. It is everyone’s public duty to carry on refreshing Windows software, in other words.

The second advantage for Microsoft and other technology companies is that it offers a good reason to resist the pressure from governments to loosen security just for officials. The UK government is among those to argue against the unbreakable encryption of data, which keeps messages sent from mobile and desktop devices secret.

Governments often demand that “back doors” should be inserted in software to allow them to read, for example, terrorist communications. But unless they could keep such technology secure and not let it leak, this would also allow others to run amok.

In practice, the NSA is poor at keeping secrets. WannaCry spread fast because it was combined with a worm called EternalBlue that is thought to have been developed by the NSA for its own purposes. This and other tools leaked after an NSA contractor was arrested last year for stealing data.

EternalBlue and other tools apparently developed by an NSA group were sold on the black market by another group called the Shadow Brokers. Gangs can now buy software from government agencies to deploy criminally.

It is a one-sided contest. Fluid groups of determined hackers with accidental support from intelligence agencies take on the technology departments of bureaucratic enterprises, and underfunded public sector bodies.

When hospital operations are cancelled and medical scanners break down, every government has to ask itself questions. Many have assumed that their own agencies can strike others without risk, but citizens are starting to suffer collateral damage.

The chances of the US, Russia, China and others agreeing a deal to limit their own cyber attacks – what Microsoft calls a Digital Geneva Convention – are slim. As James Andrew Lewis of the Center for Strategic and International Studies says drily, that would be “very difficult to negotiate”.

But everyone – governments, companies and individuals – needs to do more to protect society. It suits Microsoft, but it also happens to be true.

Copyright The Financial Times Limited 2017
