Long Before 'WannaCry' Ransomware, Decades Of Cyber 'Wake-Up Calls'
By latest counts, more than 200,000 computers in some 150 countries have been hit by a cyberattack using ransomware called WannaCry or WannaCrypt, which locked the data and demanded payment in bitcoin. The malware was stopped by a young U.K. researcher's lucky discovery of a kill switch, but not before it caused hospitals to divert patients and factories to shut operations.
The origins of the malicious software — which feeds on a Microsoft vulnerability — trace back to the National Security Agency: cybertools stolen from the government and posted publicly in April. Microsoft had issued a patch in March. (And here are good tips to generally secure yourself.)
"The governments of the world should treat this attack as a wake-up call. ... We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits," Microsoft President Brad Smith wrote in a follow-up blog post. "We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. ... In this sense, the WannaCrypt attack is a wake-up call for all of us."
This one, it's a wake-up call. Haven't we heard that somewhere before? In fact, archival searches show the use of the cliché stretching back decades — as far back as the early viruses and worms of the 1980s.
"I think people use 'wake-up call' in different ways, but it's generally used to mean to treat cybersecurity like a bona fide national security problem, which we still for the most part don't do," says Philip Reitinger, head of the nonprofit Global Cyber Alliance. "In general, it's 'Gosh, now people will understand, governments and private sector will understand how serious it is — and do something. When the history has shown, no, they won't."
Reitinger and numerous others veterans in the field have been making many of the same calls through the years: Commit proper funding, like to any other national security threat; write new laws that would tangibly incentivize and enforce good behavior by companies large and small; put proper priority on creating a system that can defend itself.
"I'm tired of people writing reports and recommendations," Reitinger says. "We're not treating this like the moonshot; we just get the words."
Well, in the spirit of the focus on words, let's follow it through history. Below is a select taste of some of the major hacks and attacks that were declared to be a "wake-up call" by government officials and security experts.
1998: The Pentagon
The AP reported on Feb. 26: "The Pentagon's unclassified computer networks were hit this month by the 'most organized and systematic' attack yet." It was later attributed to two California teenagers, guided by an Israeli teen.
The AP cited Deputy Defense Secretary John Hamre saying that the government and the private sector had not done enough to protect sensitive networks from attacks. In a story on NPR's All Things Considered, Hamre said: "It was certainly a wake-up call. It certainly is indicative of a future we could be facing that's much more serious. And we need to learn the lessons from this experience and take advantage of it."
2000: Popular websites
In a highly publicized denial-of-service attack, a 15-year-old known online as Mafiaboy, brought down Amazon, CNN, Dell, E*Trade, eBay and Yahoo!, which was then the largest search engine. On Feb. 15, then-White House Chief of Staff John Podesta appeared on CNN, saying:
"I think these latest attacks have been a wake-up call for Americans that more needs to be done, that we need to get together and do what we did to deal with the Y2K crisis, which is to come together to share ideas, to do more research and development on security measures that can be taken to enhance the network security, and to build a really strong foundation of security and privacy for the information infrastructure as we create this great promise of the digital economy."
In March, the tech panel of the Senate Judiciary Committee held a hearing on cyberterrorism, where subcommittee chairman Sen. Jon Kyl said the attacks "raised public awareness and hopefully will serve as a wake-up call about the need to protect our critical computer networks."
2003: Computers worldwide
SQL Slammer became known as "the worm that crashed the Internet in 15 minutes." In prepared testimony at the House of Representatives, Vincent Gullotto of Anti-Virus Emergency Response Team at Network Associates said:
"During the Slammer virus outbreak, major U.S. banks experienced widespread ATM outages, a major airline canceled or delayed flights, and a large U.S. metropolitan area lost its 911 emergency services. ... Attacks such as those that occurred over the last several weeks provide an important wake-up call to governments, industries, and consumers. We must not be complacent; we must act."
Google disclosed "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property." It was later dubbed "Operation Aurora," said to have targeted dozens of companies.
After Director of National Intelligence Dennis Blair appeared before the Senate intelligence committee, NPR's Mary Louise Kelly reported on All Things Considered on Feb. 2:
Blair "used much stronger language than I've heard him use before, talked about malicious cyberactivity, and I'll quote him, 'is occurring on an unprecedented scale with extraordinary sophistication.' He talked about things like the recent hacking attack on Google, said that should be a wake-up call, said that the U.S. information infrastructure overall [is] severely threatened."
2010: Iran's nuclear program
Stuxnet is a massive computer worm that attacked Iran's industrial equipment, including at a uranium-enrichment facility. On Nov. 17, Symantec executive Dean Turner testified before the Senate Homeland Security Committee:
"Stuxnet demonstrates the vulnerability of critical national infrastructure industrial control systems to attack through widely used computer programs and technology. Stuxnet is a wake-up call to critical infrastructure systems around the world. This is the first publicly known threat to target industrial control systems and grants hackers vital control of critical infrastructures such as power plants, dams and chemical facilities."
2012: Saudi Aramco
In August, a virus called Shamoon wiped out files from 30,000 corporate computers of the world's largest oil exporter.
In a Dec. 7 speech, then-Defense Secretary Chuck Hagel called the attacks on Saudi Aramco and a subsequent attack targeting the Qatari natural gas company RasGas, "a serious wake-up call to everyone." Hagel added: "The United States will continue to help build the capacity of partners and allies to defend their critical infrastructure from cyberattack, especially major energy, infrastructure, and telecommunications facilities."
2015: Office of Personnel Management
In the massive OPM data breach, hackers stole personal information of more than 20 million current and former federal employees, contractors, family members and others who had undergone federal background checks.
In a Time op-ed titled "U.S. Cybersecurity Is Too Weak," Sens. Chris Coons and Cory Gardner of the Senate Foreign Relations Committee wrote:
"The OPM hack remains the largest data breach ever suffered by the federal government and should have served as a wake-up call to Congress. ... The United States must develop a robust prevention and recovery policy response that can adapt to current and future technological advancements."
In his own op-ed for Federal News Radio, House Oversight Chairman Jason Chaffetz wrote: "This should serve as a wake-up call to all in government on how to best secure federal IT and data. A shift toward zero trust is one way to improve federal IT security."
Hackers attacked a major Internet infrastructure company called Dyn, disrupting websites and services such as Twitter, Amazon, Spotify and Airbnb. The disruptions lasted most of the day, a result of a massive distributed denial-of-service attack delivered through millions of hijacked Internet-connected things such as baby monitors, DVRs and CCTV cameras, infected with Mirai malware.
"It's important for [Internet of Things] vendors who haven't prioritized security to take this escalating series of attacks as a wake-up call," The Washington Post quoted Casey Ellis of cybersecurity firm Bugcrowd as saying. "We're entering a period where this is very real, calculable, and painful impact to having insecure products."
A House Energy and Commerce panel convened to discuss the security of Internet-connected devices. Rep. Bob Latta, R-Ohio, weighed in: "The recent DDoS attack should serve as a wake-up call that our systems are susceptible to attempts to use IoT devices to wreak havoc."