Interpol thinks that more than 200,000 people in more than 150 countries were affected — and things could get worse. Experts are warning that many office workers could return to work Monday and find their computers compromised.
The attack was a remarkable global event. It appears to have hit first in Britain, where it effectively shut down parts of the National Health Service. But reports soon came in from all over the world. Users in China, Germany, India and the United States were among those affected.
For a few hours Friday, it seemed as if the world was facing a disruption of disaster-movie proportions. Then, just as quickly as it started, the attack was stalled by a 22-year-old British cybersecurity researcher who discovered a “kill switch” that stopped the ransomware from spreading.
The risk isn't over. Whoever is behind the attack could update the ransomware and remove the kill switch. Some reports Sunday suggested that this has already happened.
The evidence suggests that the unknown attackers had only one goal: profit. The ransom demanded of each infected computer was a little more than $300 or so. Authorities recommended that victims not pay, but even a small fraction of successful ransoms would net the attackers a considerable amount of money.
Whatever the motive, the huge scale of the attack shows that cybersecurity can have dangerous geopolitical consequences.
In Britain, some hospitals were forced to turn away patients and delay operations. The BBC quoted one NHS staffer who said it was “absolute carnage” and that “patients will almost certainly suffer and die because of this.” So far, no deaths have been reported, but that may change. “The first death directly attributable to a cyberattack suddenly seems possible,” the Financial Times's Tim Bradshaw wrote Sunday. If an attack were carried out by a country rather than independent hackers, those deaths could be seen acts of war.
Other potential targets could be even more disruptive. On Sunday, Britain's Defense Secretary Michael Fallon would not deny reports that Britain's nuclear submarines used the same version of Windows that made them vulnerable to malware attacks. Concerns have been voiced about the outdated computer systems on these submarines for some time, to little avail.
Americans should hope their nuclear command-and-control systems are safe, but it is possible that may not matter. When General C. Robert Kehler, the head of the U.S. Strategic Command, was quizzed by Sen. Bill Nelson (D-Fla.) in 2013 on whether someone could hack into a Russian or Chinese system and launch a nuclear missile, he was forced to give a vague answer. “Senator, I don’t know . . . I do not know,” Kehler said.
Even if these doomsday scenarios don't ultimately take place, large-scale use of ransomware presents a dangerous route to finances for criminal groups. “We've seen even terror groups finance their organizations by using operations like cybercrime and ransomware,” Ryan Kalember, a cybersecurity strategy expert at Proofpoint, said to CBS last year.
Such attacks can also exacerbate tensions between nation states. In Russia, where the Interior Ministry was hit by WannaCry, some suggested that the attack was a U.S. retaliation for Moscow's alleged interference in the 2016 presidential election. “I respect the honesty of the United States,” Mikhail Delyagin, the director of the Institute of Problems of Globalization in Russia, told the New York Times. “They threaten us with a cyberattack, and a cyberattack follows. It’s logical.”
There's no denying, of course, that Washington does share some of the blame for the spread of the attack. The Windows vulnerability exploited by the ransomware is believed to have been first discovered by the NSA. Microsoft released a patch for the vulnerability after it leaked this year, but many users may not have updated their systems.
Washington Post technology reporter Brian Fung suggested that this was one major lesson politicians should take away from the debacle: The concept of law enforcement agencies having “back doors” to computer programs and systems, even if it is for national security reasons, dramatically increases the risk that criminal groups or other bad actors will also find these vulnerabilities. “It would be like leaving keys under a doormat, which good guys could certainly use, but also bad guys, too,” Fung wrote Saturday.
Microsoft President Brad Smith supported this line of thought in a forceful blog post published Sunday, suggesting that the attack showed “the stockpiling of vulnerabilities by governments is such a problem.” Smith suggested there needs to be something like a “Digital Geneva Convention” to govern these issues.
Academic and writer Zeynep Tufekci went further, suggesting that the world needs a “complete overhaul of how technology companies, governments and institutions operate and handle software.” Companies such as Microsoft and government agencies such as the NSA need to take a proactive approach to dealing with vulnerabilities, Tufekci argued in the New York Times's opinion pages. Careless individuals and cash-strapped institutions such as the NHS simply can't do it on their own.
If governments don't step up, Tufekci wrote, the consequences could be “unthinkable.” And as Friday's attack shows, the unthinkable is already far too real.