WannaCrypt ransomware attack should make us wanna cry

By Alexander Urbelis

(CNN) - On Friday, the world experienced the wrath of a well-coordinated ransomware attack, known as WannaCrypt. The attack caused Britain's NHS to cancel surgeries, a wide array of Russian and Chinese private and public institutions to be crippled most of the day, and the rest of the world to recoil in shock.

How could a single piece of malware that exploited a vulnerability identified long ago by the NSA, and leaked last month by a group called the Shadow Brokers, wreak so much havoc?

Before the malware could do damage in the United States, a lone British researcher, known as "MalwareTech," serendipitously identified its kill switch -- the registration of a domain name -- while on vacation. The ease with which MalwareTech did this says a great deal about the poor state of the global information security industry, and raises several important questions.

MalwareTech analyzed the malware in a testing environment and immediately noticed that the code queried an improbable Internet domain name that did not exist. Domain names often function as malware command and control centers, so MalwareTech simply bought the domain name, which triggered the kill switch for WannaCrypt. This was incredibly lucky.

If the domain name were active, the malware would assume it was a false positive from a researcher disassembling its code, and WannaCrypt was designed to frustrate such analyses by shutting itself down. The fact that only a single domain name was coded into the malware meant that registering that domain name had the effect of shutting down WannaCrypt worldwide.

In short, WannaCrypt's creators were lazy, and the world lucked out. If WannaCrypt could be shut down so quickly and easily, why did it take so long for someone in this world to flip the kill switch, and what does this say about the state of global cyber preparedness?

First, it shows that the information security industry views cyberattacks more as a business development opportunity than as a chance to put their collective heads together to eliminate threats.

Though there are undoubtedly professionals who share data unconditionally -- as MalwareTech himself did -- yesterday's events make it clear that the efforts of the information security community need greater alignment, and that the world cannot rely on a combination of serendipity and lazy coding to prevent the next attack.

Second, we must ask whether WannaCrypt was merely a test of readiness. Perhaps the kill switch existed not out of laziness but as a deliberate act, one designed to test how long it would take to shut down the attack.

On the other hand, perhaps the creators intended to gather intelligence on the extent and type of systems that could be affected by malware targeting aged operating systems like Windows XP, which developers do not regularly update or support.

Alternatively, WannaCrypt could have been intended merely to demonstrate the moral hazard of governments that catalogue software vulnerabilities but do not notify software developers. Thus, WannaCrypt illustrated exactly what could happen if these vulnerabilities fall into the wrong hands.

WannaCrypt has generated much debate about the danger of state-sponsored cyberattacks. As a staunch privacy and security advocate, I believe the inclusion of government-mandated backdoors in applications or operating systems that could allow unfettered access to personal data or activities is not only unwise but entirely misguided. But if the 2016 election has taught us anything, it is that we cannot deny we live in a time that requires both offensive and defensive cyber capabilities.