5 ways to stop future global malware attacks

Governments, vendors and user companies all can do more.

The global WannaCry ransomware attack, which crippled hospitals, government organizations, companies and individuals around the world, didn’t have to happen. It was no grand technological feat perpetrated by genius hacker masterminds. Instead, it took advantage of the lazy, patchwork way organizations handle security and the seamy roles that the National Security Agency (NSA) and big tech companies play in undermining security in the internet age.

And that, in fact, is a piece of good news. Because it means that stopping the next global malware attack needn’t be impossible. Here are five steps that can do it.

1. Ban the NSA from stockpiling vulnerabilities

The ransomware attack was built on top of a hacking tool built by the NSA and stolen and released publicly by a group called the “Shadow Brokers.” As The New York Times notes, the attack, “appeared to be the first time a cyberweapon developed by the N.S.A., funded by American taxpayers and stolen by an adversary had been unleashed by cybercriminals against patients, hospitals, businesses, governments and ordinary citizens.”

The NSA tool, and the ransomware built on top of it, exploit a vulnerability present in many versions of Windows, including Windows XP, Windows 7, Windows 8 and Windows Server 2003. This is how the NSA does much of its work: finding security holes in operating systems and then devising software to take advantage of them.

When it finds these holes, though, it often doesn’t tell software makers such as Microsoft about them. Instead, it stockpiles many vulnerabilities. That way the NSA’s hacking tools will be more effective, because companies won’t have patched the vulnerabilities. The Obama administration set up a review process (the Vulnerabilities Equities Process) that forces the spy agency to disclose some, but not all, of the vulnerabilities it finds to the affected companies. The WannaCry ransomware attack was based on one of those stockpiled vulnerabilities.

Microsoft President and Chief Legal Officer Brad Smith criticized the NSA for this in a blistering blog post. He wrote: “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.” He followed that by asking that a Digital Geneva Convention be convened, “including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

He’s absolutely right. Government agencies need to be banned from stockpiling vulnerabilities. The moment they find any, they should alert tech companies, which could then write a patch to close the hole. Disclosure is only the first half of the fix, though: Microsoft had already shipped a patch for the flaw WannaCry used two months before the outbreak, and the machines that were hit were the ones that had not applied it.

