Why the Patching Problem Makes us WannaCry
Over the weekend, a cyber attack known as "WannaCry" infected hundreds of computers all over the world with ransomware (malware that encrypts your data until you pay a ransom, usually in Bitcoin). The attack takes advantage of an exploit for Windows known as "EternalBlue," which was in the possession of the NSA and, in mid-April, was made public by a group known as "The Shadow Brokers." Microsoft issued a patch for the vulnerability on March 14 for all supported versions of Windows (Vista and later). Unfortunately, at the time the attack started, many systems were still unpatched, and legacy Windows systems such as Windows XP and Windows Server 2003 were left without a patch for the vulnerability. Since the attack began, Microsoft has issued a patch for Windows XP and Windows Server 2003 as well.
Certainly, some of the blame falls on the NSA, which developed EternalBlue and then lost control of it. But these attacks are a complex failure for which there is plenty of blame to go around. The WannaCry ransomware attacks demonstrate that patching large, legacy systems is hard. For many kinds of systems, the existence of patches for a vulnerability is no guarantee that they will make their way to the affected devices in a timely manner. For example, many Internet of Things devices are unpatchable, a fact that was exploited by the Mirai Botnet. Additionally, the majority of Android devices are no longer supported by Google or the device manufacturers, leaving them open to exploitation by a "toxic hellstew" of known vulnerabilities.
Even for systems that can be patched, applying patches to large enterprise or government systems in a timely manner is notoriously difficult. Enterprise and government systems can rarely afford the potential downtime that goes along with a software patch or upgrade. As one researcher put it, "enterprises often face a stark choice with security patches: take the risk of being knocked off the air by hackers, or take the risk of knocking yourself off the air."
This attack highlights two extremely important areas of research: writing software that is less prone to the most common security vulnerabilities (such as by using memory-safe languages, formal verification techniques, etc.), and solving the patching problem.
Reportedly about 90 percent of all spending on cyber programs is dedicated to offensive efforts, leaving a mere 10 percent for defense. During his candidacy, President Trump expressed tremendous concern about national cybersecurity weaknesses, stating "the scope of our cybersecurity problem is enormous. Our government, our businesses, our trade secrets and our citizens’ most sensitive information are all facing constant cyberattacks…."
If the Trump administration is serious about improving cybersecurity, it should place a greater emphasis on funding defensive security research. Research into defensive methods and better strategies for patching systems is less sexy than over-hyped zero-day vulnerabilities or imaginary "cyber-missiles," but it is the surest path to a more secure internet for everyone.