Why WannaCry won’t change anything

Despite the damage and uproar over the massive ransomware attack, it’ll take a lot more before the world takes security seriously

The tally of damage from the WannaCry ransomware attack keeps growing, but it’s still not even close to bad enough to force real changes in cybersecurity. According to The New York Times, more than 200,000 machines in more than 150 countries around the world have been infected, but the responses being discussed still center around patches and passwords, updates and antivirus, backups and contingency plans. 

Please.

Sure, these kinds of tactics can reduce your individual risk, and most likely would have helped you avoid this particular attack. But WannaCry—which apparently was based on stolen code from the National Security Administration and seems to bear signs of state-sponsored action by North Korea—is just the latest in an unending parade of new security attacks, vulnerabilities and crises. 

This one is big and high profile, earning headlines around the globe, but these issues rage on every single day, even if you don’t read about them because people don’t want to talk about them.

How high a price?

And even when the costs are sky high, as in the Yahoo hack that lopped a cool $350 million off the company’s acquisition price, nothing really changes. The experts trot out the same old bromides and the same stale precautions. Then the next attack comes, and the cycle starts all over again—proving that today’s solutions simply don’t work. 

The real issue is that despite its inherent insecurity, the system works just fine for many big-time stakeholders:

  • Criminals have a lucrative source of cash in a complex world that makes it difficult to catch them.
  • The states that sponsor the biggest cyberattacks love the idea of asymmetrical digital warfare against bigger, richer countries.
  • Those rich, powerful nations are busy creating their own cyber weapons—and love them so much they’re willing to bear the risks of having them turned on their own countries!
  • Security companies and consultants have a never-ending source of business.
  • Hardware and software vendors get to sell their products for lower prices because they don’t have to make the difficult, costly decisions to harden their products. Those costs end up being paid elsewhere in the ecosystem, helping to create perhaps the fastest-growing industry on the planet.
  • And most important, businesses and individuals believe it will never happen to them and so they chase the lowest possible initial cost and the easiest, most frictionless experience, no matter what the risk. (According to the Times, China got hit hard due to its penchant for saving a few yuan by using pirated copies of Windows.)

Bottom line? Despite the hue and cry (pun intended), the global technology industry sees cybersecurity disasters as nothing more than an unpleasant but ultimately acceptable cost of doing business. I hate to say it, but it’s going to take a whole lot worse than WannaCry to change the handwringing into real action.

Here’s the scary part, though. Unless something dramatic changes, sooner or later we’re likely to see such a truly catastrophic attack—the kind that causes significant loss of life and brings down governments. We can only hope that whatever happens isn’t as bad as we can all too easily imagine—and that it finally spurs real change so the suffering it causes doesn’t turn out to be in vain.
