Opinion

WannaCry or WannaFixIt? Time for Action on Data Security

As we’ve seen from the latest round of WannaCry ransomware attacks, no one is safe from these viruses that have locked up the data of more than 200,000 users in at least 150 countries. When desperate consumers and businesses are hit, they often end up paying to get access to their data, which puts a tangible price on their hassle and inconvenience and makes it clear that safeguards that block attacks are essential.

But we should never waste a good crisis. This attack presents a chance to redouble efforts to stomp out botnets, which take over people’s computers and spread viruses.

There is no legislative silver bullet for cybersecurity. The U.S. Senate can take concrete action by swiftly passing the Modernizing Government Technology Act, which the House passed in May. Federal agencies can begin implementing the president’s executive order on cybersecurity. And, we should codify the Vulnerabilities Equities Process. Yet if government officials pour time and money into “solutions” targeting outdated issues, the public may remain as ill-prepared for the next botnet or malware attack as the last. Clearer thinking by policymakers about cybercrime is critical for improving how consumers and businesses prepare for the next hit.

First, it’s necessary to broaden the scope of concern about the damage these attacks cause. For the last 20 years, online security discussions have focused solely on data breaches and identity theft. But, any introductory textbook on information security will tell you that it’s essential to focus on integrity and availability of the data as well. Before WannaCry, the Mirai botnet attack unleashed billions of phony requests to a few websites, shutting them, and the services that rely on them, down. These attacks show that hackers can use brute force to shut down government services, cripple businesses and hurt consumers. But making users’ data unavailable can do almost as much damage as stealing it. Future attacks that merely alter data — thus undermining faith in the accuracy of things like bank or personal health records — can have similarly devastating effects and cost billions in losses.

It’s a mistake to believe that we can protect the public if the culprits are tracked down and arrested. Cybercrime is lucrative, and the tools of the trade are increasingly sophisticated and readily available. Fewer than 1 percent of all cybercriminals are arrested because it is so hard for law enforcement agencies to find them. Most cybercriminals attack from countries that lack the laws and tools needed to convict them. New technological interventions will be necessary.

Now consider how cybercrime can change and evolve. Spam, for example, is a much smaller problem now than it was 10 years ago. That’s partially because a few of the worst spammers were arrested. It’s also because tech companies competed to come up with technologies to keep their customers’ inboxes free from offers from Nigerian princes or bogus online pharmacies. When companies compete over security, the public wins and crime decreases. Government policies that encourage this kind of innovation and competition would benefit consumers.

WannaCry also showed that more user education does not dramatically reduce the incidence of ransomware, data theft and other cyberattacks. Most people know that patching is important. But it’s still not being implemented at scale, partially because everyone has their own devices, and those devices are increasingly connected to the internet. Instead of relying on users to upgrade their security, the tech industry should automate patching to keep our computers, phones and Internet of Things devices protected.

Fixating on establishing industry standards for proper consumer and corporate “cyberhygiene” is a distraction that may slow down cybersecurity innovation. Standards — when agreement can be reached, which is rare — typically take many years to develop, and this results in internet users relying on outdated software and hardware. Flexible approaches like the National Institute of Standards and Technology cybersecurity framework that raise questions but don’t dictate specific solutions are better.

Fortunately, there are more and more powerful technologies that can help defeat problems like ransomware and botnet attacks — but we’ll have to adopt new thinking on cyberattacks if we are to put them to use. The most important technology is cloud-based services, which can be used for storing and encrypting data, for blocking cyberattacks and for providing applications ranging from social media to specialized business services. Too many people are still reluctant to move their data off their premises, and in some cases they are even prohibited by law from doing so. But, a two-person dental office cannot do a better job of protecting its data and networks than a cloud company with leading-edge technology and best-in-class engineers dedicated to ensuring their systems are secure.

Finally, tech companies can become a first line of defense, particularly if the U.S. government shares any software vulnerabilities it discovers. The president and Congress should work together to codify the Vulnerabilities Equities Process so that national security and law enforcement agencies can provide tech companies with the sort of insights that can help them close gaps before malicious actors exploit them. Our national economic security depends on this. We should enact legislation that favors disclosure of vulnerabilities to U.S. tech companies, and the recently introduced Protecting our Ability to Counter Hacking Act has helped start that conversation.

Artificial intelligence, machine learning and big data are other effective tools for preventing or responding to attacks. But these new solutions will not be adopted if governments and businesses don’t understand that much of the old thinking about cyberthreats and cybercrime has to be reconsidered in light of emerging threats.

 

Tim Sparapani is a data privacy law and policy expert serving as senior policy fellow with CALinnovates and principal at SPQR Strategies.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.