The path to a global outbreak on Friday of a ransom-demanding computer software (‘ransomware’) that crippled hospitals in Britain – forcing the rerouting of ambulances, delays in surgeries and the shutdown of diagnostic equipment – started, as it often does, with a defect in software, a bug. This is perhaps the first salvo of a global crisis that has been brewing for decades. Fixing this is possible, but it will be expensive and require a complete overhaul of how technology companies, governments and institutions operate and handle software. The alternative should be unthinkable.
Just this March, Microsoft released a patch to fix vulnerabilities in its operating systems, which run on about 80 per cent of desktop computers globally. Shortly after that, a group called ‘Shadow Brokers’ released hacking tools that took advantage of vulnerabilities that had already been fixed in these patches.
It seemed that Shadow Brokers had acquired tools the National Security Agency (NSA) had used to break into computers. Realising these tools were stolen, the NSA had warned affected companies like Microsoft and Cisco so they could fix the vulnerabilities. Users were protected if they had applied the patches that were released, but with a catch: If an institution still used an older Microsoft operating system, it did not receive this patch unless it paid for an expensive “custom” support agreement. The cash-strapped National Health Service in Britain, which provides health care to more than 50 million people, and whose hospitals still use Windows XP widely, was not among those that signed up to purchase the custom support from Microsoft. They were out in the cold.
On May 12, a massive “ransomware” attack using one of those vulnerabilities hit hospitals in Britain, telecommunications companies in Spain, FedEx in the United States, the Russian Interior Ministry and many other institutions around the world. They had either not applied these patches to systems where they were available for free, or had not paid the extra money for older ones. Computer after computer froze, their files inaccessible, with an ominous on-screen message asking for about $300 (Dh1,100) worth of “bitcoin” – a cryptocurrency that allows for hard-to-trace transfers of money. Ambulances headed for children’s hospitals were diverted. Doctors were unable to check on patients’ allergies or see what drugs they were taking. Labs, X-rays and diagnostic machinery and information became inaccessible. Surgeries were postponed. There was economic damage, too. Renault, the European automaker, had to halt production. The attack was halted by a stroke of luck: the ransomware had a kill switch that a British employee at a cybersecurity firm managed to activate. Shortly after, Microsoft finally released for free the patch that it had been withholding from users who had not signed up for expensive custom support agreements.
But the crisis is far from over. This particular vulnerability still lives in unpatched systems, and the next one may not have a convenient kill switch. While it is inevitable that software will have bugs, there are ways to make operating systems much more secure – but that costs real money. While this particular bug affected both new and old versions of Microsoft’s operating systems, the older ones like XP have more critical vulnerabilities. This is partly because our understanding of how to make secure software has advanced over the years, and partly because of the incentives in the software business. Since most software is sold with an “as is” licence, meaning the company is not legally liable for any issues with it even on day one, it has not made much sense to spend the extra money and time required to make software more secure quickly. Indeed, for many years, Facebook’s mantra for its programmers was “move fast and break things.”
This isn’t all Microsoft’s fault though. Its newer operating systems, like Windows 10, are much more secure. There are many more players and dimensions to this ticking bomb. During this latest ransomware crisis, it became clear there were many institutions that could have patched or upgraded their systems, but they had not.
Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, is the author of the forthcoming Twitter and Tear Gas: The Power and Fragility of Networked Protest and a contributing opinion writer.
Source: Gulf News