For now, thanks to pure luck—a 22-year-old Briton, The Guardian reported, accidentally found a kill-switch embedded in the code—the spread of WannaCry appears to have halted, or slowed. But not before, estimates are, 200,000 computers across 150 countries were infected by ransomware—users found their data encrypted and were asked to pay ransom, in Bitcoins, in order to be able to use them. Among those affected were hospitals and doctors in the UK’s National Health System, Brazil’s social security system and Petrobras, Renault’s plant in Slovenia, and even parts of Russia’s interior ministry.
Apart from the hacking of the Democratic party’s e-mail servers earlier this year, The Economist reported that, last February, hundreds of thousands of point-of-sale printers in restaurants across the world started spewing out bizarre pictures which were signed “with love from the hacker God himself”. Last year saw cyber-thieves steal $81 million from the central bank of Bangladesh … How unsafe the world has become is best brought out by the fact that the protectors are part of the problem, and are not safe themselves.
WannaCry was first developed by the USA’s National Security Agency (NSA) which found a vulnerability in Windows and built a tool, Eternal Blue, to exploit that—once this was, along with other hacking weapons, leaked on the internet by a group of hackers, others took it forward. Given how intelligence agencies like NSA need to constantly devise ways to crack computers/mobiles of criminals, developing malware is no longer restricted to just the bad guys. That the response to WannaCry has to be more security and more security is obvious, including ensuring all security patches and software are constantly updated—Microsoft had, after Eternal Blue was leaked on the internet, released a patch to take care of this but clearly many users didn’t bother to install it.
It also requires governments to mandate, and if possible ensure, cyber-security. Singapore’s Cyber Security Act, for instance, makes it mandatory for all Critical Information Infrastructures (CIIs)—these include banks, healthcare and energy services—to take responsibility for securing their systems and networks; 8% of the government ICT budget is to be dedicated to cyber-security.
Contrast this with India where, while the breach in credit card data was detected in September 2016, it was not made public for a month. And while Symantec released a study last year on cyber-attacks on a large e-commerce firm and one of India’s top-5 IT firms, RBI deputy governor SS Mundra publicly spoke of lax controls in India and talked of how when an e-payment validation website of a large bank was hacked, it was unaware of it. In the current WannaCry case, while CERT put out a warning last Saturday and had details of how to protect against it, RBI never thought it fit to tell potential users of internet banking or ATMs that they needed to be careful or, if the systems had all been secured, that there was no danger.
Much like Singapore, India also needs a Cyber Security Act that puts the onus of security on the CIIs—indeed, losses due to cyber-breaches need to be insured against and fully reimbursed by banks above the `1 lakh that is insured today for bank failure. If digital payments are to take off, users must have complete faith in the system’s vulnerabilities, and insurance is one way to do this.