NPR’s David Greene interviewed former Homeland Security secretary Michael Chertoff on NPR this morning to chat about the WannaCry/WannaCrypt (also WCrypt and WCry) malware that’s exploiting MS17-010. This ransomware has crippled many institutions across the world, with European nations appearing to be hit the hardest. During the interview, Secretary Chertoff was asked about the diplomatic fallout of the malware allegedly having been created by the NSA.
Secretary Chertoff replied in a way that demonstrates a thorough understanding of the problem, and what the NSA is alleged to have done. What he said next I find troubling. He made a comparison between malware weapons and biological weapons, and he further suggested that the issue is that more care needs to be given to make sure these weapons don’t “get out of the lab.” And he specifically poses the question, “How do you protect the things that you’re working on?” as being the underlying issue that we should focus on to prevent this from happening in the future.
I completely disagree with the comparison between malware weapons and biological weapons. The two are very different. I also think that focusing just on limiting access to these weapons is shortsighted.
International Treaties for Weapons
The use of biological weapons is governed internationally by the Biological Weapons Convention. This is a convention that’s been accepted by a majority of countries in the world. The goal is to protect all the world citizens from inappropriate use of biological weapons, and it creates specific guidelines which limit the stockpiling of such weapons.
There is no such international agreement for digital weapons. However, as a result of this most recent attack, Microsoft has renewed their call for a Digital Geneva Convention.
Logistical differences also exist between biological and software weapons. Biological weapons require specialized equipment and expertise to craft. Creating a biological weapon and its delivery system is very difficult, and it’s very hard to just copy someone else’s design to create your own or to modify the existing weapon. That’s part of the nature of biological weapons being physical things.
Digital weapons have completely different properties because they are digital. The weapon can be copied from location to location the same way that a file can be copied from computer to computer. Each copy is an exact match of the other, and computer systems enable this duplication to be applied in seconds. Such an easy duplication is extremely difficult for biological weapons. With copying being so easy, the only boundary to modifying the weapon is knowledge. In fact, the weapon can be modified to the point where the person using it does not need to know anything about the way it works. This makes it very easy for malicious unskilled individuals, sometimes called “script kiddies,” to obtain the weapon and make extensive use of it.
Protection Against Weapons
Another difference between biological and digital weapons is the relative ease with which the global population can be protected against the weapon. Most biological weapons exploit weaknesses in biology, and it is very rare that we as a species have the practical knowledge to protect the biosphere from the weaknesses which are exploited.
The same is very rarely true for digital weapons. Almost every digital weapon can be protected against by distributing an update throughout the world’s digital systems. Some systems are more difficult to patch than others, but many can be patched by writing malware that spreads such a patch. The most recent example of this is the Hajime worm, which was developed to protect Internet of Things devices that are vulnerable to becoming targets of another piece of malware known as Mirai.
NSA Responsibility Needs to be Challenged
So what’s the NSA’s responsibility in this incident, if the original weapon was developed by them? I argue that instead of keeping the underlying issue a secret, they should have responsibly worked with Microsoft to patch the issue. Failing to do that should be considered a crime. It’s made us all more vulnerable, and I worry about other weapons that they may have developed which could be used against the United States’ own citizens and the international world at large.
The US government has a responsibility to build defensive systems against these weapons in case the underlying issue isn’t patched before such a weapon is released. That’s another thing that’s much more difficult with biological weapons, but very plausible with digital ones, as has been demonstrated by the use of Hajime as a defensive worm to limit the growth of the Mirai botnet.
Let’s Fix This
Contact your representatives and encourage them to support Microsoft’s efforts to create a Digital Geneva Convention. We can and must put a stop to these weapons being created, spread, and deployed.
- NPR Interview audio with Secretary Chertoff
- Microsoft Security Bulletin link about the vulnerability which is exploited by the WannaCry ransomware
- Wikipedia entry for the Biological Weapons Convention
- Microsoft’s renewed support for a Digital Geneva Convention
- Wikipedia entry for “Script Kiddie”
- Symantec article about the Hajime worm which is actively fighting the Mirai botnet