June 2, 2017
On May 12, 2017, the world was shaken by a ransomware cyberattack called Wanna Crypt (also known as WannaCry) that spread like a network worm. The attack impacted over 45 National Health System (NHS) organizations across England and Scotland, forcing hospitals to cancel appointments and loose critical patient records, as well as the German S-Bahn.

The impacts did not stop there. In less than ten days, WannaCry affected approximately 200,000 systems in 150 countries, swiftly becoming one of the most impactful malware outbreaks in recent history, and dominating the news cycle for the next several days.

Ransomware is commonly spread through various infection vectors, including browser exploit kits, drive-by downloads, malicious email attachments, default passwords, and known network vulnerabilities . It locks the data and a ransom is to be paid in bitcoins in order to get the key to unlock files.

While the world was unprepared for WannaCry, an attack like this had been long-time coming. Three weeks before the ransomware infected hundreds of thousands of computers around the world, the Geneva Centre for Security Policy, together with the Atlantic Council, had formulated solutions in policy recommendations for a cyberattack scenario almost exactly like that of WannaCry.

The recommendations resulted from the Cyber 9/12 Student Challenge at the Maison De La Paix in Geneva, a student competition in which participant teams were judged on their policy responses to a proposed scenario featuring massive ransomware cyberattacks on numerous public infrastructure facilities, including hospitals and metro lines. Team STUXNET of the Geneva School of Diplomacy, the winners of the competition, put forward the following recommendations:

  • The best defense against the malware is basic cyber hygiene, such as patching, hardening, and backing up all files on a computer – practices that are often not possible in critical infrastructure systems like medical devices, industrial controls systems (ICS) due to software supply chain dependencies and extensive software validation processes. WannaCry was accidentally and temporarily halted by an unknown British cybersecurity expert but after the weekend, on May 15, the worm resumed spreading.
  • The only resilient way to approach the crisis is to have targeted measures from public and private sector. Public authorities with no hesitation are requested to help affected facilities run coordinated system checks and upgrade software accordingly (especially the NHS). This drill extends albeit technical forensics to identify and secure potential vulnerabilities.
  • In the short term, affected countries should merge their respective security operations (easier said than done) and attempt to enhance mobility between both privately and publicly funded hospitals, as well as other affected entities (especially operators and telecom companies). Throughout the response plan the public domain should be as flexible and transparent as possible; a public-private coordination hotline is advised.
  • On the medium to medium-long term, team STUXNET recommends fostering efforts to promote and mainstream a culture of cyber hygiene. The promoted culture, at its core, has to be spread across the cyber ecosystem, essentially to enhance public awareness of potential exploits and avoid similar ‘spread slips’.
  • Regional security institutions had an integral role in combating attacks within the Cyber 9/12 exercise. The same applies to the Wanna Cry incident; the matter cannot be overlooked nor downplayed. To that extent EUROPOL and ENISA are working on the WannaCry case, calling “first ever case of cyber cooperation on the EU level”. Even if there should be no resort to force, the hunting mechanism and tracking down of the criminals behind the attack should be as effective as possible.
  • Finally, team STUXNET argues that attacks like WannaCry can lead to closer cooperation and capacity building among EU member states. The EU is a solid platform to start with, however, given the scale of the attack, the goal should be the creation of a holistic, multifaceted legal framework, which stimulates and encourages public-private partnerships. The framework should be at least regional and at best universal.

WannaCry was not the first of its kind, and it is certainly not the last. The predictive quality of this year’s Cyber 9/12 Student Challenge in Geneva demonstrates the importance of these cyber safety exercises in anticipating and responding to cyber catastrophes.

Learn more about the Cyber 9/12 Student Challenge here.