Last week, a crippling wave of ransomware spread across over 200 countries, locking up data until victims paid several hundred dollars in bitcoin. Hardest hit in terms of number of infections was Russia, but the damage also hit much closer to home: our friends in the United Kingdom saw their National Health Service grind to a halt as hospitals pulled the plug on their computers to prevent the malware from spreading.
While this ransomware affected some systems at Federal Express, as a nation we appear to have gotten off quite lucky. Why? For one, we do not know much about the targeting of this attack. It is possible that, for whatever reason, the perpetrators chose not to target many U.S. systems. Another reason is that the use of pirated copies of older editions of Windows (which disqualifies a machine from Microsoft’s free security updates) is far less prevalent in the United States than it is in China, Russia, and so many other countries.
Looking at this low infection rate at home, some in Washington might view this as a victory lap for the federal government’s cybersecurity efforts. After all, no critical services failed on Friday in the United States. But this would be the absolute wrong conclusion. To the contrary, the government needs to view this as a warning: we are still in the early stages of this kind of worldwide contagion of malicious cyber activity. Before this activity escalates from crime to destruction, Congress can help to keep us safe.
First, keep the politics out of cybersecurity. What has happened over the last few days has nothing to do with the interference in the 2016 election, no matter where you come on that issue. Legislators have little to lose but everything to gain, in terms of improving public safety and accountability, by promoting better cybersecurity.
Second, take a good look at the recently reintroduced legislation to modernize federal IT. When it comes to cybersecurity, everyone should be skeptical of calls merely to throw more money at the problem. But agencies need more agility as to when and how to upgrade their information technology. Agencies also need help, which is why there is a growing chorus around a concept known as “shared services” that will help smaller agencies take advantage of the cybersecurity resources and practices of the broader federal government.
Third, don’t get distracted by calls to authorize “hacking back.” If authorized, “hacking back” empowers victims to make their own determinations as to who hacked them, and then to retaliate as they see fit. How would such authority have helped hospitals whose data was held hostage on Friday? Victims were not able to “hack” their data back. As a nation, we should have offensive cyber capabilities that are second to none, but those capabilities need to remain in the hands of our law enforcement and national security organizations.
Fourth, think critically about upcoming legislation that seeks to codify an obscure executive-branch process called the Vulnerabilities Equities Process. After the Snowden disclosures, many advocates called for the government to turn over its most deadly offensive cyber capabilities. But a more robust disclosure policy would have done little to blunt Friday’s ransomware attack because Microsoft had already issued a fix two months ago. If this legislation goes forward, an amendment is needed to focus attention on what happens AFTER the government discloses a critical vulnerability. Ensuring federal and critical infrastructure systems implement security fixes is essential, or government disclosure of sensitive vulnerabilities will be for naught.
Finally, legislators themselves would be wise to spend a few hours every now and again learning about threats in cyberspace. Keeping constituents and the country safe in cyberspace need not be rocket science, despite the information security community’s tendency to speak in cyber riddles. Instead, nominate a staffer you trust as your part-time cyber guru. Make them develop contacts, insights, and instincts on cybersecurity to help you stay ahead of the curve. And if nothing else, have them make sure you’re not using Windows XP at home and in your office!
Michael Sulmeyer (@SultanOfCyber) is the Belfer Center's Cyber Security Project director at the Harvard Kennedy School. He spent several years in the Office of the Secretary of Defense, serving most recently as the director for Plans and Operations for Cyber Policy. He was also senior policy advisor to the deputy assistant secretary of Defense for Cyber Policy.
The views expressed by contributors are their own and are not the views of The Hill.