Why US agencies resisted WannaCry
- By Sara Friedman
Intelligence officials believe U.S. government systems avoided being compromised by WannaCry ransomware in May -- unlike many of their European counterparts -- because U.S. agencies patch software and retire products at the end of their life cycles.
“The phasing out of earlier provisions within security systems is key,” said Tonya Ugoretz, director of the Cyber Threat Intelligence Center at the Office of the Director of National Intelligence, at the Billington Cybersecurity Summit in September. “We saw overseas victims who were perhaps not using the most up-to-date software.”
CTIC was created through a 2015 presidential directive to coordinate the intelligence community’s response to significant cyber incidents and to develop interagency efforts to degrade or mitigate threat capabilities from adversaries.
The best way to prevent ransomware is “disabling end-of-life products” because such products can have connections that are not trustworthy, said David Hogue, technical director of the Cybersecurity Threat Operations Center at the National Security Agency. NSA works with CTIC, the FBI and the National Security Integration Center at Immigration and Customs Enforcement to keep government agencies' systems up to date.
The U.K. National Cyber Security Centre shared information with the U.S. defense and intelligence communities on its response to WannaCry and coordinated methods to contain the spread of the attack.
“We were caught up with the patch in general, and our carriers were blocking the effective port by default,” John Felker, director of operations at the National Cybersecurity and Communications Integration Center at the Department of Homeland Security, said of the U.S. defense against WannaCry. “The patch was optional in Europe.”
Keeping ahead of ransomware attacks also requires collaboration with the private sector. Palo Alto Networks was able to communicate with DHS at the start of the outbreak to share “samples in the wild” of WannaCry, according to Ryan Gillis, vice president of cybersecurity strategy and global policy. The company also publishes technical reports twice weekly on cybersecurity threats that are available to government.
“The partnership with the private sector is going to be important to understand how these attacks are developing at the earliest stages,” Ugoretz said. “Looking at the vulnerability of networks and the ability to see threats [across government and private sector] is going to be a paradigm shift for us.”
Ugoretz encouraged security officials to include context in their reports to make them accessible to agency leadership.
“We need to be able to take the latest threat intelligence and put it in a greater picture of understanding over time to tell a story about the latest bit of the intelligence threat,” she said.