It sounds like a Hollywood disaster film.
A group of hackers use a stolen cyber-weapon to try to extort money from people worldwide.
The attack cripples hospitals, causing ambulances to be diverted and operations to be cancelled.
Then a lone security researcher stumbles across a way to halt the bug in its tracks.
Yet that is exactly what happened last week when a piece of ransomware called WannaCry,
which infects computing system, hit out just Britain's National Health Service (NHS)
but Russia's interior ministry, Chinese universities,
Germany's state railways and plenty more besides.
It could have been much worse.
WannaCry does not seem to have been a deliberate attack on hospitals,
but a criminal money-making scheme in which the NHS was collateral damage (see page 75).
Indeed, as malicious programs go, WannaCry is not even in the premier league:
although it has a nasty payload, it had compromised only about 300,000 computers
and raised an estimated $80,000 as The Economist went to press.
Earlier nasties, such as Conficker and SoBig, infected millions of machines.
Even so, the incident rammed home two unpleasant truths about the computerized world.
The first is that the speed, scalability and
efficiency of computers are a curse as well as a blessing. Digital data are weightless,
easy to replicate, and can be sent around the world in milliseconds.
That is welcome if those data are useful, but not if they are malicious.
Modern software can contain millions of lines of code.
Ensuring that no bugs slip through is almost impossible.
A single vulnerability can affect thousands or millions of machines,
and the internet gives a single individual the power to compromise them all at once.
By comparison, paper files are heavy, cumbersome and awkward to work with.
But at least a couple of crooks thousands of miles away cannot cause them all to
vanish simultaneously. If WannaCry can cause so much random damage,
imagine what might be done if hospitals were targeted deliberately.
The second unpleasant truth is that opportunities for mischief will only grow.
More things will become vulnerable as computers find their way into everything from cars
and pacemakers to fridges and electricity grids. The ransomware of tomorrow might
lock you out of your car rather than your files. Cyber-attacks
like WannaCry may seem like low-probability, high-impact risks.
But the parlous state of computer security and the computerization of the world risk
turning such attacks into high-probability, high-impact events.
Fortunately, there are ways to minimize the danger.
Product regulation can force the makers of internet-connected gizmos to include
simple security features, such as the ability to update their programs with patches
if a vulnerability turns up. Software-makers routinely disclaim liability for defects
in their products. Changing that would not eliminate bugs entirely,
but it would encourage software firms to try harder. It would also encourage them to
provide better support for their customers (although there will come a point
at which it is unreasonable to expect Microsoft and others to keep maintaining old programs).
The insurance industry can also put pressure on computer users:
just as home-insurance policies will not pay out if a burglar gets in through an open door,
so individuals should be held liable if they do not follow basic digital hygiene,
such as keeping their software up to date.
Governments face tough questions, too. The methods WannaCry uses to spread was discovered years ago
by the National Security Agency (NSA), America’s electronic-spying outfit.
Along with several other cyber-weapons, the technique was stolen, then leaked onto
the internet in March. Only after the theft did the NSA inform Microsoft of the flaw,
leading the firm to rush out a fix. Microsoft has accused the NSA of
losing control of the digital equivalent of a cruise missile, and demanded that,
in future, spies disclose any bugs as they find them, so that software firms
can fix them and keep everybody safe.
This is another example of the double-edged nature of computing.
Given the rising costs of insecure computers, there is a strong case for spooks to
share vulnerabilities with software firms when they find them. Some argue that fixing flaws
in programs will make it harder for the intelligence services to spy on organized
criminals and terrorists. But they have other means to infiltrate hostile networks
and monitor devices besides exploiting flaws in widely used software.
When computers are ubiquitous, security is too important not to fix.