OPINION

WannaDoSomething after WannaCry? 4 ways to fight back

The next ransomware nightmare could be worse if we don't work together

Jane Harman and Meg King
Opinion contributors

Monitoring cyberattacks in Seoul on May 15, 2017.

We knew ransomware was a problem, and that its handlers preyed upon important service sector organizations. A year ago, American health care group MedStar fell victim to a similar kind of attack.

This month, a worm called “WannaCry” hit more than 200,000 computers, stopping hospitals in the UK from caring for patients and disrupting the business of major companies around the world. It was preventable.

Just what its name suggests, ransomware holds data hostage by encrypting it so that a user can’t gain access until paying a small fee to unlock it. For more than a decade, this kind of malware has grown in popularity as a tool of bad actors online because the business model works.

The premise is simple: look for vulnerabilities in the computer networks that run critical systems people's lives depend on. These organizations aren't typically the kind that have invested in cybersecurity, and thus they haven't protected their networks adequately. By targeting a large number of these poorly secured systems around the world, the money adds up quickly.

Until organizations make security a priority and we break the business model (it’s cheaper and faster just to pay the ransom rather than seek law enforcement help), we aren’t going to be able to stem the tide of ransomware. It’s too lucrative and too easy. The only positive outcome of WannaCry is that the global scale of this incident is shining light on important policy questions we need to discuss as a country and an international community.

First, digital hygiene remains atrocious. If distributing malware remains as easy as it is today, the problem will only persist.


We need a public education program about how to stay safe online: from passphrases to 2-factor authentication to updated software. This information should be available in one easy-to-access place, in a simple format and regularly updated. It would be an easy win for the Trump administration to take this on.

Second, we need a much better system for credentialing IT professionals. Too many continue to think in terms of service (i.e. Is our email functioning?) rather than security (i.e. Is our email encrypted?).

In the WannaCry case, a flaw in the Microsoft Windows XP operating system was used to develop malware that accessed computers that weren’t protected against it. Even though it was patched by the company in mid-March, two months later, many organizations remained exposed to this flaw because they hadn’t updated their software.

Third, and perhaps most important, the exact process for how nations — especially this one — decide which software vulnerabilities our intelligence community and military can exploit and which to tell software developers about so they can be fixed, is very much a mystery.

Humans write code. Lots of it. And it’s riddled with mistakes. Sometimes those mistakes are discovered by software companies. Sometimes those vulnerabilities are found by bad actors who use them for nefarious purposes. When the mistake in code is so widespread — say in a program used by millions and millions of people, companies, and organizations — the impact is significant.

And sometimes, governments search for them or even buy them to use themselves. This is important in the WannaCry case because the vulnerability exploited was identified in the recent leak of NSA cybertools and made public.

There is a process run by the White House, started under President Obama, to review the vulnerabilities posing a threat to the security of users in this country and by default, around the world. Called the Vulnerabilities Equities Process, or VEP, there isn’t much transparency into how it works or when it works.


What if the U.S. government discovers a way to exploit the software in the control system of an electric company? Should America keep it in case we need to attack another nation’s electric grid in a later conflict or should we tell the public it exists so it can be fixed and our electricity remains safe?

Congress can play a key role in overseeing this process, ensuring the complicated balance between newly discovered vulnerabilities and protecting citizens is as transparent as possible and adheres to our values.

Fourth, this may be an area where we can actually collaborate with Russia and show progress. More Russians were affected than anyone else by this attack. Cyber operations by nation states are a touchy subject these days, but perhaps working together to target and punish criminal networks largely responsible for carrying out ransomware attacks could be a place to start.

At this stage, it remains unclear who is responsible for launching this worm. There is ongoing speculation about similarities in the WannaCry code and code used by a hacking group affiliated with North Korea. As the investigation continues, we hope to learn whether the code was just borrowed or whether North Korea sanctioned or carried out this attack. In the event that we discover North Korea’s involvement, a response will be necessary.

Either way, we have to pay attention. The methods of our cyber adversaries are constantly evolving and we can’t keep fighting the last battle.

Jane Harman is the president of the Woodrow Wilson International Center for Scholars and a former nine-term member of Congress. Meg King is the director of the Digital Futures Project at the Wilson Center.
