• Français
  • English

Wannacry: The Challenge of Cyber Proliferation (By Guillaume Tissier, Managing Director, CEIS)


In the cyberattack campaign currently in progress, what deserves attention is less the Wannacry ransomware than the ultrafast propagation of the malware via the use of a vulnerability present in many versions of the Windows operating system. Indeed, EternalBlue, the ‘exploit’ that enabled such vulnerability to be used, had been stolen from the NSA by means of a hacking operation or an internal leak, before its publication urbi et orbi on 14 April 2017 by the Shadow Broker group, together with a series of offensive tools. Since this type of internal or external leak is becoming more and more frequent across the Atlantic since Edward Snowden, a legitimate question to ask is whether it is reasonable to develop such type of arsenal when you are unable to keep your little secrets. As the Chinese proverb rightfully puts it: people who live in glass houses shouldn’t throw stones… There is indeed a risk of worsening the proliferation of cyberweapons.

This risk is first and foremost related to the very nature of the digital space: via the web, you cannot download a ready-to-launch cruise missile, but you can easily purchase malware programmes, which are dematerialised in nature. Furthermore, the use of computerised weapons is proliferative in essence, since the ‘payload’ can be reused, modified or misappropriated, as demonstrated by the numerous variants based on the Stuxnet malware used against the Iranian centrifuges. The only constraint: to be fully effective, the weapon must use unpatched vulnerabilities present in the target computers. Contrary to what is often said, such flaws need not be ‘zero-day vulnerabilities’ (i.e. vulnerabilities not yet corrected by the software authors). The only requirement is that the patches have not been applied. With the attacks in progress, the vulnerability in question, which had long been exploited by the NSA (in charge of both securing the networks and gathering intelligence), had finally been patched by Microsoft in April. But the patch had not been massively deployed in the information systems…

Lastly, this risk of proliferation is aggravated by the permanent ‘fog’ that surrounds the digital space. Indeed, the innumerable techniques of obfuscation, deception, anonymisation, and the like, make the certain attribution of cyberattacks practically impossible. As a matter of fact, the recent data leak suffered by the CIA (‘Vault 7’) clearly showed that the Marble framework had enabled the agency to automatically add code strings in Russian, Chinese, Arabic or Farsi into its computer developments to deceive potential chasers. In the absence of a technical solution to attribution, it is tempting to resort to the principle of ‘legal fiction’ that the German lawyer Rudolf von Jhering described as ‘a technical lie dictated by necessity’. In other words, a country is accused for political reasons… This instrumentalisation of legal systems is assuredly very effective, but it’s very unlikely to contribute to pacifying international relationships.

Beyond the mere technical and legal aspects, what is really at stake with our modern, hyperconnected –thus hypervulnerable– societies, is their resilience, i.e. their ability to withstand such attacks and bounce back thereafter. For the time being, attacks like Wannacry only create a shock because of the systemic effect. But this shock will turn into chaos when these operations will severely impact vital systems. Maybe that’s food for thought for the UN’s Group of Government Experts working on the ‘Responsible Behaviour’ of States. Microsoft, whose legal director recently invoked a ‘Digital Geneva Convention’, made no mistake about that.