Friday's worldwide security incident caused by WannaCry ransomware crippled 230,000 Windows devices in 150 countries. The attack is unprecedented in its disruption of large institutions such as Spain's Telefónica and the United Kingdom's National Health Service (NHS). Other affected enterprises include LATAM Airlines, Deutsche Bahn and FedEx.
These targets are no small prey. However, they aren't agencies of the U.S. intelligence community. Malice seemed to be at least part of the perpetrators' motive, as did a mocking tone to the "pay to decrypt" decree — sounds like ransomware business as usual. The payload demanded sums of bitcoin as modest as $300 worth from users who were informed that their files had been encrypted and would remain so if the ransom went unpaid. Given bitcoin's price surge in recent weeks, the malware in its execution could be dismissed as a worldwide prank rather than a worldwide threat.
Not so fast.
Regardless of the attack's mostly commercial, non-U.S. targets, it demonstrated the speed with which ransomware attacks can be carried out against a number of large enterprises that overwhelmingly use Windows as their primary operating system. The affected targets were ones that had not updated their systems to patch a Windows exploit made public after the recent Shadow Brokers leaks. In this particular case, we saw the impact of such a simple exploit — where a single user downloading a file sent in a phishing email could infect an entire enterprise.
We've also learned the hard way that, through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware. WannaCry revealed that any large enterprise that is unprepared for an attack, say by not patching known exploits and failing to promote an airtight internal security culture, is ripe for attack. With hackers a step ahead of enterprises, which largely focus on their business objectives and not enough on security, it's safe to predict that the target profiles will elevate in seriousness: from big financial players in the developed world, to lower-tier federal Cabinet agencies, to higher-tier ones such as Homeland Security or Health and Human Services, on up to three-letter agencies and the White House.
The scope and depth of WannaCry alongside a likelihood that more critical entities — public and private, civilian and military — are the next frontier for a WannaCry-like attack are cause for alarm. That's why it's crucial for opinion leaders, newsmakers and stakeholders to heed the advice in President Trump's executive order (EO), "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," which he signed on Thursday.
Highlighting the cyber soundness of federal networks, of critical infrastructure and of the nation is an appropriately broad focus. Starting with an audit of known vulnerabilities and holding agency heads accountable for their patching is also suitable. EO authors couldn't have known the day prior to WannaCry that attention to the exploit and its own weakness could have mitigated the next day's attack. Here we can pit the cliché of "hindsight is 20/20" against "an ounce of prevention is worth a pound of cure." The latter, that of vigilance, is instructive because it reflects the merit of the executive branch's focus on a self-examination of what threats are known, followed by a mass presentation of solutions that could work across federal agencies and the economy at large.
WannaCry taught us that a coordinated, global attack is even more serious when demands are expressed sophomorically. It also taught us that we might just be getting poked with a stick to test our preparedness. Given the comprehensive failure to act on what was known, it also tells us that future attacks should be met with watchful eyes and an attitude matching the defensive posture vis-a-vis cybersecurity emanating from Washington.
George Avetisov is the CEO of HYPR, an innovator in the industry of biometric authentication.
The views expressed by contributors are their own and are not the views of The Hill.