Last week, 300,000 computers worldwide were hit by the WannaCry ransomware virus, in what is being dubbed one of the broadest cyberattacks in history. At the moment, policymakers and security experts are looking for strategies to mitigate future risks and for lessons that can be learned from this attack. Most worrying are rumblings that this attack could have originated from North Korea, not a criminal organization as most originally assumed. If so, this incident represents a possibly dangerous shift in the norms within cyberspace.
Research shows that, even though the internet enables instantaneous global interaction, state-sponsored cyberattacks have become a predominant tool used between regional rivals over territorial disputes or by leading world powers, including feuds between Israel and Lebanon, Pakistan and India, Russia and Georgia, and the United States and China. But countries that launch these attacks often take a great deal of time to consider the possible collateral damage, a consideration that the perpetrator of the WannaCry exploit blatantly disregarded. In fact, countries have shown relative restraint in deploying cyberattacks, a category of activities distinct from cyberespionage because of the intent to cause damage, disruption or fear.
The main mechanism compelling nations to demonstrate such restraint is the fear of blowback. Once an exploit is used or stolen, it is put out into the public eye where it can be copied and used in retaliation. Because of this fear, the U.S. government actually invented a process, the Vulnerabilities Equities Process, to consider the costs of not disclosing a new exploit to a tech company, such as Microsoft, so that it may be fixed. The process weighs the interests of defensively concerned agencies such as the Treasury, Energy and Homeland Security departments versus offensive agencies such as the Department of Defense, law enforcement agencies and the intelligence community. Regardless, in this specific instance, it’s popularly believed that blowback of a state-created cyberweapon is exactly what we’re seeing: that the NSA invented this exploit, which was subsequently stolen, and now the international community is feeling the consequences.
Gravely exacerbating the situation is the abundance of old and unpatched software still in use across the globe. In many instances, victims were using computers running Windows XP, an operating system so old it came out two months before the first iPod was released. Clearly, there is a need for organizations to responsibly coordinate updates and patches, yet this has been the case for over 20 years. So the million-dollar question is: What can governments do? It seems the most reasonable solution is to find more effective ways for governments to engage the private sector on the topic of cybersecurity and promote best practices. For starters, we can expect that governments will be looking to mobilize communities in the know-how, offering additional resources and providing stronger practical guidance.
On the one hand, this incident can serve as a wake-up call for governments around the world to more effectively tackle the issue of cybersecurity. On the other hand, if North Korea is behind this attack, as some cybersecurity experts believe, it will pose a challenging policy question that might shatter the existing norms around cyberattacks, prompting governments to trend toward more aggressive attacks in cyberspace and to be narrow-minded about collateral damage to civilian infrastructure, such as hospitals and power grids. Fearing this, Microsoft’s president Brad Smith has called for countries to stop stockpiling cyberweapons, calling on governments to more amply apply regulatory standards from the physical world in the cyberdomain.
Smith is right; current frameworks for humanitarian and conflict laws in cyberspace are nearly nonexistent. The NATO Cooperative Cyber Center of Excellence in Estonia has come the nearest to pushing any form of law, with the 300-page Tallinn Manual it created laying out possible laws, yet this hasn’t been officially adopted by anyone, including NATO. Hopefully, we can expect to see stronger cooperation between governments in the future, as it’s becoming increasingly clear that it’s strongly needed.
Lucas Ashbaugh is a graduate student in the School of Policy and International Affairs at the University of Maine in Orono, where he is obtaining a master’s degree in international security.