Following Sir David Omand’s letter to The Times, in which he claims that the tech giant knew when it withdrew technical support for the system in 2014 that public and private sector bodies around the world were still heavily reliant on it, security experts respond:

Misha Govshteyn, founder and SVP at Alert Logic:

“This is a classic game of news spin from all parties involved, but the GCHQ position is especially rich in alternative facts. 

Governments provide a mandate to our intelligence agencies to find and exploit security flaws. There is no reasonable argument that these flaws should be made public, as that would defeat the purpose of funding their discovery. The Intelligence Community is naturally motivated to keep these flaws secret as long as possible (though they failed in this regard). 

It’s equally unreasonable to criticise Microsoft for not supporting older versions of Windows longer. Doing so would not have altered this outcome, and WannaCry would be spreading as quickly as it is now. Fact is, supported or not, Microsoft issued a patch relatively quickly. Microsoft correctly determined that in this circumstance they need to support resolving this problem. 

There are really only two guilty parties here:

1. NSA for failing to safeguard their code. These tools should have never been stolen and made public. 

2. Companies who negligently operate on old, unsupported versions of software and refuse to deploy patches when they are made available. This is especially true of healthcare organisations. 

If the NSA really wanted to be responsible, they would have contacted technology vendors shortly after they realised their toolkits were stolen. Doing so would have given technology companies more time to respond and consumers more time to patch. 

Instead, NSA chose to play the game of chicken with Shadow Brokers and allowed, of all people, Julian Assange to be the disclosing party. This is the least defensible decision in this whole saga.”

Gavin Millard, EMEA Technical Director at Tenable Network Security:

“Microsoft have made huge strides in the last few years to improve the security of their ubiquitous operating systems, but code is rarely perfect and flaws will always find a way into the millions of lines of instructions required in a complex operating system. 

Instead of trying to attribute blame, it would be far more productive to consider what could have been done to reduce the spread of an aggressive piece of ransomware like Wannacry. Organisations have to improve visibility into their complex environments to discover where weaknesses reside and have robust and rapid approaches to addressing these flaws before they are weaponised by the next ransomware author, eager to turn tardy patching into profit.”

Malcolm Harkins, chief security and trust officer at Cylance:

“I wouldn’t criticise NSA or GCHQ … I do think, however, that this brings up the question of cyber vulnerabilities equities processes, and what “calculus” is used, and how, by a nation state to determine when the public is best served in working with the industry to close a found vulnerability or keep it for nation state purposes … more transparency/illumination there from all nation states would be good (since they all are involved in both cyber offensive as well as defensive efforts).

In terms of end of life support (hardware and SW), both have EOL for support. From an economics perspective, it is cost prohibitive to support something forever, so every organisation needs to stop support at some point in time to manage operating expenses. This is true for every organisation including Microsoft and anyone else. For example, you can’t drive a Model T into a Ford dealership to get it fixed … you do it yourself or find “speciality” service providers who can work to try to service it. This is also a point where we can discuss other mitigation, such as isolation/segmentation of those systems into a different “zone”.

In terms of GCHQ, or any other nation state agency “storing” exploits, we have seen with the Shadow Brokers, or even Snowden, one of my irrefutable laws – #1 of which is information wants to be free – because people will post, share, talk. Though many nation states “store” these exploits in the logical equivalent of CDC biosafety levels, even there we see there are sometimes mistakes that can occur.

We probably need to have some sort of cyber Geneva conventions and cyber Geneva protocols to establish better norms that most nation states could agree to abide by.”
