Politicians’ ignorant reactions to the latest ransomware attacks make Jon wanna cry
The government bungles its responses, while spy agencies let slip their tools
Dear Prime Minister,
A few weeks ago, many organisations, including the NHS, were hit with a nasty virus outbreak, which took advantage of a hole in the security of Windows. Microsoft had issued a patch for it, but the nature of these things is that many hadn't gotten around to applying the patch. Vast swathes of that huge organisation called the NHS were compromised, from local GPs to hospital departments. Some weren't patched due to sheer incompetence. Some due to scheduled time pressures. Some because you can't just slap a patch onto a MRI machine or piece of expensive technical test equipment that happens to run Windows as its control surface, and presume that it will continue to work just fine afterwards.
I understand why it happened. It doesn't stop me being hugely angry, and if I were in charge, I would be demanding a 12-week period in which every machine had its sysinfo file dumped into a secure cloud storage facility so it could be ascertained exactly what machines are in use, running which OS, with some or no patches.
But what makes me angrier still is this. The NSA, or GCHQ, or some other trusted spook central, built these tools. It appears that they worked very well, and doubtless lots of useful information was gleaned from those machines that were targeted. It only went bad when it leaked to the great unwashed, and a person or persons decided to unleash it on the world.
Now, let's take that scenario and turn it on its head. Companies such as Apple, Google and Microsoft deliver, and want to continue to deliver, heavily encrypted software to the public. The government wants them to build a special private backdoor in there so that they can go snooping around. All of that is just fine, and I am convinced that some companies have been working hand in hand with said government departments in the past.
But what happens when that backdoor becomes public knowledge? Someone, somewhere will exploit it and we will have WannaCry all over again. It doesn't matter if the NSA finds a hole in Windows, or whether Google does a deal with the NSA. When there is a hole, there will be a period when it could be exploited for the benefit of the security services, and then it will leak and all hell breaks loose. Why this is so difficult to understand is frankly beyond me.
Dear Prime Minister, if you think that you can force backdoors into encrypted software, and that will not herald another WannaCry in the future, then I have no words for your gullibility. If you're being briefed and advised that an encryption backdoor would somehow be different, you're being briefed and advised by people who simply do not have a clue.
Without a doubt, the person inside GCHQ who wrote the first briefing paper knows what they're saying. But this will have gone through enough layers and transfers within the process of moving from them to you that, just like Chinese Whispers, the people who are briefing you have no clue.
WannaCry should be making you sit up and think "hold on, how could it be different in the future with some encryption backdoor?" The answer is simple it won't. No ifs, no buts.
We have to confront the reality that encryption is a necessary thing that will not go away. Geeks won't put up with a government-firewalled UK. We will drop down to transmitting email and "fancy a beer?" messages as a wave function in the noise floor of video images, and hand those around, just for the giggles of being able to do it. We will use YouTube as the vehicle of choice, because why not? If you don't know the wave function, you won't find the data. Why not put it out there in public space? It would be invisible.
Today, everyone has access to unlimited storage, unlimited CPU power and effectively unlimited bandwidth. The geeks already have a dozen methods of staying secure without resorting to anything so low-rent and obvious as a VPN tunnel. We can do it for fun because it would be an interesting geeky thing. If we can, the bad guys can, too.
Prime Minister, get yourself better briefed. Be part of the solution, not part of the problem. Give me 30 minutes of your time, and a decent cup of coffee. I dare you.
Main image credit: Reproduced with the permission of parliament
Application security fallacies and realities
Web application attacks are the most common vulnerability, so what is the truth about application security?Download now
Your first step researching Managed File Transfer
Advice and expertise on researching the right MFT solution for your businessDownload now
The KPIs you should be measuring
How MSPs can measure performance and evaluate their relationships with clientsDownload now
Life in the digital workspace
A guide to technology and the changing concept of workspaceDownload now