The world got a taste over the weekend (13-14 May 2017) of a potential ‘cyber Pearl Harbour’–the kind of attack that the U.S. Defense Secretary Leon Panetta had warned about in 2012. In what has been termed as the ‘biggest ransomware attack’ in living memory, more than 2,00,000 computers in over 100 countries were infected by the ‘WannaCry’ ransomware—malicious software which asks for payment in return for allowing access to the system and data, beginning with the UK National Health Service. A few attacks were also reported from India with disruptions in the service sector. The attack was not coordinated, but it spread quickly due to security vulnerability in the Microsoft Windows Operating System. Despite the global chaos that it caused, it appears that the ransomware yielded limited success–only $26,000 in ransom, or the approximate equivalent of 15 Bitcoins at the current exchange rate. However, data stolen from the infected computers can be sold in the black market for millions of dollars.
An attack such as this has long been feared: its specific target was the critical information infrastructure where deployment of legacy network systems has long been a bane of cyber security and one that constitutes the backbone of the internet age today. Critical infrastructure, like healthcare or the financial services industry, makes for ransomware’s favorite prey since the urgency to get back to normal functioning is the highest here and any delay can potentially endanger human life or cause financial damage.
Critical infrastructure’s vulnerability first became apparent when the Stuxnet virus infected computers worldwide in 2009-10. However, unlike the ‘WannaCry’ bug, Stuxnet was not ransomware and its target was specific: computer systems at the Iranian nuclear reactors. The rest of the infections along the way that the virus caused was basically ‘collateral damage’.
Much of the discussion in the aftermath of the attack is focusing on what preventive steps internet users and corporations can take. The government of India promptly hosted a webinar on the ransomware attack on May 15. More important, however, are the ransomware attack’s implications for the management of global cyber space, which has become the new arena for geopolitical rivalries in recent years and lacks a regulatory framework.
The attack revives the debate on the ‘problem of attribution’ i.e. who should be held responsible for the bug’s outbreak, and therefore, the attack?
Cyber security firms and the Iranians unofficially blamed the United States’ National Security Agency (NSA) for Stuxnet. Attributions for cyber attacks are rare due to the problems associated with identification and evidence. In the current attack, available media reports suggest that a group called ‘Shadow Brokers’ developed the bug out of the intelligence gathering and hacking tools used by the NSA. Other reports suggest that it was cobbled together from various sources. Irrespective of the origins, the point remains that it is difficult to pinpoint with certainty the perpetrator of any cyber attack.
This then complicates the response. Also, unlike the other arms control treaties which have norms for regulating the conduct of non-state actors, in cyber space, there is hardly any distinction between state and non-state actors, especially when attacks are crowd-sourced–groups working together or separately to target a particular company or country at the behest of a state.
State and non-state actors alike have therefore developed sophisticated capabilities to exploit the vulnerabilities in other countries’ computer networks–much like actual weapons that can be misused if they fall into the wrong hands.
So how then should countries respond to cyber attacks that can cripple critical infrastructure, as in this instance? A document, called the Tallinn Manual, has attempted to provide a legal position on the issue after Russia was accused of disabling Estonia’s national websites in 2007. Its latest version, Tallinn Manual 2.0, on the International Law Applicable to Cyber Operations, describes how existing international law applies to operations in cyberspace, including hacking of a nuclear power plant by another country. But this remains a collection of legal opinions merely rather than a guideline for countries that have been hit.
Thus, when it comes to the domain of critical infrastructure protection, nation-states are on their own, which, in turn, spawns a war by proxies. The response to the Stuxnet attack, for instance, came from Iranian hackers who breached the Saudi Aramco oil company’s computers and wiped out data from three-fourths of its computers.
As the ‘WannaCry’ ransomware attack pans out further in the coming days, there will be more calls for introspection by cyberspace’s stakeholders, seeking that a global framework evolve. Microsoft seems to have fired the first salvo by pointing out the dangers of governments’ “stockpiling of vulnerabilities” which can cause widespread damage. But until states get their act together, anarchy will be the order of the day.
Sameer Patil is Director, Centre for International Security & Fellow, National Security Studies, at Gateway House.
This blog was exclusively written for Gateway House: Indian Council on Global Relations. You can read more exclusive features here.
For interview requests with the author, or for permission to republish, please contact outreach@gatewayhouse.in or 022 22023371.
© Copyright 2017 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited.