A MAJOR cyber attack named WannaCry recently wreaked havoc around the world. FedEx in the United States, NHS (National Health Service) hospitals in the UK, PetroChina and various other organisations were among the victims.
Due to these attacks, vital services were interrupted, resulting also in a loss of income.
Most of the affected computers were running an older version of the Windows operating system, developed by Microsoft, called XP. The fact that this older version of Windows had security vulnerabilities, and that Microsoft had ended its support of the system in 2014, although nearly seven per cent of computers in the world are still using Windows XP, exacerbated the issue.
It is strange that although Microsoft has long had a monopoly (in the desktop market), it charges its users very large sums for the support of the older versions of its operating systems, possibly to leave users with no choice but to switch to newer versions.
How secure is government data?
However, to Microsoft’s credit, they did make a patch available to protect against WannaCry once the scale of the attack became clear.
Insecure outdated systems proved to be an easy target for attackers.
There are repercussions involved when you connect to the internet in an insecure way — especially when your job and the data at hand are critical — and you affect others around you in a big way.
This attack fell in the category of attacks known as ransomware, in which important data on a user’s computer is encrypted by the hacker and a ransom is then demanded, through an anonymous online currency called Bitcoin, to decrypt those files. The global security firm Symantec has reported an aggressive increase in ransomware attacks in recent years.
The damage inflicted by cyber attacks is bad enough in countries where strong cyber regulations are in place to protect privacy and critical data. It could be much worse here in Pakistan, where user data isn’t really protected and strong regulations are not in place, so the WannaCry attack is definitely a wake-up call for us.
The choice of machines and software should be based on a coherent policy that serves and protects data pertinent to the state, its business and its citizens. Let me give three examples to illustrate how casually important data is handled in this country and how feeble our policymaking around this is.
First, the way personal information is handled in most of our businesses leaves us susceptible to attack. For instance, the use of software and data in our healthcare sector can easily be exploited. Patient data contains very private information, which, if acquired by people with malicious intent, can cause grave harm. Some countries, such as the US, have strong regulation in the healthcare IT sector (ie the Health Insurance Portability and Accountability Act).
The situation here is totally different, particularly in the private sector. I personally know doctors in major private hospitals in Lahore who do not worry about the way they handle their patients’ data. I have known and observed doctors, who work at a very expensive local hospital, keeping critical patient data on the outdated Windows XP system connected to the internet and not losing sleep over it.
Second, the way we treat information (digital or otherwise) around our public and private offices also leaves us exposed. In one major state-owned organisation, some of the senior management still take a printout of an email and pass it around. Passing an email around on paper defeats the purpose of privacy and sensitive information can easily be leaked. A number of years ago, the press obtained an embarrassing set of printed emails believed to have come from the British prime minister’s office. It was later revealed that the information may have been taken out of the trash by a Mr Pell (who interestingly fished for information on the lives of celebrities and politicians in dustbins to sell).
Third, it is interesting to look at how software is set up and maintained by our government institutions. Going by publicly available data from an internet services company BuiltWith, many of our local websites appear to be based on outdated software programming frameworks and tools.
Keeping in view the above, one can also probably take the liberty of assuming that computer systems in our government offices might be using outmoded versions of software, leaving them similarly susceptible to attacks (if we can learn one thing from WannaCry, it is to use updated versions of software).
It makes one wonder why our government websites and backend systems are not hosted on open-source software instead of expensive Microsoft-based technologies, which are also expensive to maintain. At the least, all of our government websites, computers and data should be governed by a uniform, yet strong, IT policy to help guard information that is critical.
The writer works in the technology sector.
Published in Dawn, July 18th, 2017