Arizona cyber experts warn that WannaCry outbreak just tip of iceberg

The WannaCry ransomware that attacked computer systems around the globe could be just a taste of things to come, say two Arizona cyber experts, who worry Americans are not prepared for such an attack. (Photo by Nathan J. Fish/Cronkite News)

WASHINGTON – Arizona cybersecurity experts called the recent international cyberattacks known as “WannaCry” among the worst attacks they have seen, and they called it a warning about the country’s lack of cybersecurity preparation.

“This is only the beginning of a very, very long list of bad stuff,” said Brett Scott, co-founder of the Arizona Cyber Warfare Range. “It’s about as bad as one can imagine. I suppose one day it will get worse because every time I think we’ve hit the limit, it always gets worse.”

Frank Grimmelmann, president and CEO of Arizona Cyber Threat Response Alliance said, thinks WannaCry “is simply the tip of the iceberg.”

“I simply view this as another chapter, not necessarily the beginning of the end,” Grimmelmann said. “If vulnerabilities are there and you know, it’s not a question of if you will be attacked or will they ultimately be successful, it’s a question of when.”

The WannaCry malware that swept around the world last week infected vulnerable computers and held the data on them hostage by encrypting files and demanding a ransom to get the hackers to unlock the files – hence the classification, ransomware.

The attack made its way through multiple countries including Russia, parts of Europe and the U.S. Published reports said the ransomware is believed to have been developed from digital tools devised by the U.S. National Security Agency, stolen by a group of hackers known at the Shadow Brokers, and leaked online in April, reportedly to protest Donald Trump’s presidency.

The malicious software exploited a Windows computer vulnerability that allowed its spread. A patch was released by Microsoft in March, but computers that had not been updated were at risk of infection.

Among the affected systems were hospitals, government offices, FedEx, individuals and others. It was not the first ransomware attack and experts are certain it will not be the last.

“Frankly, many of us, and my colleagues probably attest to this, see this as almost a trial run,” Tom Kellerman, CEO of Strategic Cyber Ventures said, at a cybersecurity advisory at the Woodrow Wilson Center in Washington, D.C.

“Society as a whole is still vulnerable to worms and society is not just digitally vulnerable but kinetically vulnerable to a cyberattack that could render transportation, health care and things like finance useless when under attack,” he said.

Kellerman said the internet of things – the inter-networking of smart devices – has only increased our vulnerabilities “given all the opportunities that it provides” a hacker.

“It’s recurrently and widely exposed to the capacity of stalkers, pedophiles, criminals, nations states, and people who just detest you, to be able to essentially invade your home virtually at will,” he said.

While WannaCry mostly hit business and government systems, Kellerman warned that, “We will soon see this type of phenomenon at homes.

“That becomes more troubling because it’s one thing in that the recent ransomware attack affected peoples work computers not their home computers. You can walk away from work and call it a day,” he said. “These things now will impact your personal life and safety
at home, should they not be corrected soon.”

Grimmelmann said he believes that businesses and individuals will ultimately adapt to combat these cyberattacks. But the WannaCry attacks demonstrated “the danger of knowing that vulnerabilities exist and not making vendors aware of them, therefore not having patched systems.”

Scott said that because the attack utilized “state-sponsored weaponry” the hackers exploited a “vulnerability that no one was aware of.”

“We are, as a country, very ill-prepared,” he said. “The U.S. government does not know how to deal with the loss of their toys and because they don’t know how to deal with that, we are all suffering and we will all suffer a lot more.”

Scott said that the future of cyberprotection lies in the hands of businesses and individuals and not solely in the hands of the government.

“I think that this is actually the moment when everyone can be called to the table and say, ‘Do you realize now that government is not the answer to these problems?'” he said. “Play time is over, it’s time to get serious.”