About WannaCry and strong crypto

We were offered by the Mobile Ecosystem Forum the opportunity to write a little something about the hot topic of the day, the WannaCry ransomware, which is causing damage to many individuals and organizations. The article has been published: ransomware attacks and lessons to be learnt, but we only had room for 200 words, and what we wanted to say is too complex for the room they had for us. So here is a longer version of what we wanted to share with the Cozy community.

MEF’s question was: “What should we do as an industry to better prepare for such attacks and protect consumers?” Here is our response:

As an industry we need to remember the famous Spiderman quote[1]: “With great power comes great responsibility”. Our power is increasing as software eats the world. We need to do a better job at making safer products, products that are easier to update in order to stay secure. We need to do a better job at educating users too.


But there is something more important, or at least as important but less obvious. It is two-fold.

First, we need to remember that the WannaCry ransomware was made possible because the US NSA (National Security Agency) had created a cyber attack tool called EternalBlue, based on a bug in Microsoft software. The NSA could have chosen to disclose the bug so that Microsoft would fix it in their Windows products. Users would have been in a more secure place. But the NSA decided not to. They decided to keep the information for themselves, putting users at risk.

The second issue is that the NSA had the EternalBlue tool stolen from them. Hackers leveraged the EternalBlue tool to create the WannaCry ransomware. This proves that even the best-funded US agencies can’t keep a secret secret. Microsoft’s Chief Legal Officer puts it squarely:

An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.

At the same time, the same government officials are advocating that strong encryption should have “golden keys” that would be handed to government agencies. Those in possession of such golden keys could decrypt data easily. But we’ve seen over and over, and the WannaCry scandal is yet another proof, that the government cannot be trusted to keep such keys secret. Eventually the golden keys will become compromised, which means that so-called “strong encryption” will be weak. Computer security will be gone forever. No more secure banking, no more trust in anything that relies on computers. In other words, the world’s economy will grind to a halt.

Overall, the WannaCry cyber attacks prove one thing: we, as an industry, must stay strong and refuse compromises with regard to encryption strength. As an industry, we have to stand with strong encryption, because with great power comes great responsibility.

Note

[1] Note that the quote is from Spiderman’s uncle Ben, not Spiderman himself.