Last month, the city of Baltimore became the latest target of a
ransomware attack. The city's Microsoft
operating systems were held hostage by a group that demanded 13 bitcoins, which
at the present rate of exchange is about $100,000. Despite their inability to repair all the damage
after nearly a month, Baltimore administrators refuse to pay the ransom, and
instead have asked the federal government for help. According to some sources, the malware used
for the attack was developed at the U.S. government's National Security Agency
(NSA), and somehow it leaked and was posted by a group of hackers in 2017.
Irony is usually found more in literature than in engineering, but this
incident is particularly rich in it.
The first irony is that a cyberweapon presumably developed to be used by
the United States against its enemies was stolen, published worldwide, and used
instead to attack the infrastructure of a major U.S. city.
The second irony is that an idea traceable back to 1991, a chain of
blocks developed originally just to prevent software timestamps from being
tampered with, has turned into a means by which ransoms can be paid with no realistic
hope of tracing where the money goes.
And the third irony is that some eyebrows are being raised by the fact
that the city of Baltimore is asking for help from the federal government.
Let's do a little thought experiment and set the essential ingredients
of this incident in an alternate universe which is just like ours, except
there are no computer networks and so on. Suppose
a gang of paratroopers landed in Baltimore and made their way to the city
offices, holding employees at gunpoint while they absconded with tons of files
and records in a heavily armored vehicle.
Then the mayor received a ransom note demanding $100,000 for the return
of the records. Not only would a
nationwide manhunt be mounted for these criminals, but the FBI and other
federal agencies would get involved as a matter of course.
But simply because the records and functions involved are on computers
and not physical documents, attitudes and actions are vastly different
here. Now, admittedly some blame can be
attached to those responsible for running Baltimore's IT systems. Microsoft evidently does a fairly good job of
sending out patches and updates in response to new viruses and malware, but
these patches have to be implemented in a systematic and organized way. And in the case of Baltimore's systems, this
was not done. In the world of our
thought experiment, this amounts to not having enough armed guards surrounding
your municipal buildings to fight off the attackers.
While a certain amount of security is to be expected, nobody wants to
have to do the equivalent of breaking into Ft. Knox in order to pay their city
water bill.
While I am not usually in favor of greater centralization of power and
resources, in this case I think it is only fair for the federal government to
help out Baltimore in their hour of need.
For one thing, the NSA never should have let its malware escape in the
first place. It would seem to be a
fairly straightforward investigation to discover who was responsible. But the NSA's workings are deliberately
opaque and poorly supervised even by Congress, which pays the bills, and that
sort of setup is an open invitation to laxity and inefficiency. Perhaps this leak represents only 0.001% of
everything that NSA has developed, most of which is still secret. But in situations like this, even one leak
can be too many.
As for bitcoins being used for ransomware payment, it makes a certain
amount of perverse sense that a form of currency inspired by
hyper-libertarianism is used mainly for two things nowadays: speculation and illegal transactions. It is an ill wind that blows nobody good, and
bitcoins have benefited some people. I
may have mentioned a student of mine who managed to buy some bitcoins only a
few years after they came out in 2009. I
don't know exactly what she paid, but by the time she graduated I think she had
been able to pay for her entire college education with her profit in
bitcoins.
But is this advantage worth the social cost of having a virtually
foolproof way of laundering money? I
leave that for the reader to decide. It
doesn't matter at this point, because bitcoins and their offspring are a permanent part
of the cyberlandscape now.
Perhaps the most troubling aspect of the Baltimore situation is the
complete anonymity of the attackers, who could be, and probably are, anywhere
in the world outside of the United States.
Prior to the Internet, the most significant threat the U.S. endured
from outside its borders was the threat of intercontinental ballistic missiles
carrying nuclear warheads, and billions of dollars were spent in an arms race
that is in some ways still with us. But
now that anyone with sufficient skills can mount attacks on specific geographic
entities in the heartland of the U.S. from halfway around the world, we still
act as though it's just some sort of defect in a strictly local pile of
computer networks, and treat the attackers much like an act of God—something
that's always going to happen sooner or later, so you might as well just buy
insurance and be ready when it happens.
Maybe that's the best approach.
Baltimore, as it turns out, did not have cyberinsurance, but the bond
underwriters will soon see to that. So in
the future we will go armed not with guards, but with insurance policies to buy
experts who come in and fix our computer systems, just like roofers replaced my
roof after a recent hailstorm this spring.
Complexity begets complexity, and if Baltimore and other cities consistently
refuse to pay ransomware demands, perhaps the criminals will devise some other
way to make ill-gotten gains. I can
hardly wait to see what they'll do next.
(That's irony, by the way.)
Sources: I referred to
articles at https://phys.org/news/2019-05-baltimore-ransom-cyberattack.html
and the website Governing.com at https://www.governing.com/topics/public-justice-safety/gov-cyber-attack-security-ransomware-baltimore-bitcoin.html,
as well as the Wikipedia articles "blockchain" and
"bitcoin."