WannaCry Attacks: Should We WannaRegulate Cyber Security?

Following the recent worldwide ransomware attack, counterterrorism and cybersecurity expert Richard Clarke says the first thing to do is learn from mistakes. Clarke recently spoke with PYMNTS’ Karen Webster about what banks and other companies involved in digital commerce can do to avoid the fallout of a future cyberattack.

After the latest worldwide cyberattack, the question remains: What’s going to change?

That depends, says counterterrorism and cybersecurity expert Richard Clarke, on what companies, banks and regulators are willing to learn from the incident.

In early May, approximately 300,000 computer systems in more than 150 countries were compromised by the WannaCry cyberattack. The ransomware attack affected a range of players, including delivery services like FedEx, automakers including Renault and Nissan, transportation operations such as Germany’s Deutsche Bahn and even medical systems such as the U.K.’s National Health Service.

To date, more than $80,000 in bitcoin payments have been made so users could access their files again. However, by some accounts, the attack could cost affected parties hundreds of millions of dollars in outages, lost revenue and productivity.

But after the worst cyberattack in recent memory, the question remains: What steps are being taken to protect against the next cyber threat?

Making sense of such a massive strike can be daunting, but one of the first steps is to acknowledge mistakes. For Clarke, it’s familiar territory. Over the course of his career, Clarke worked in high-ranking positions in various government departments, from the Reagan administration’s State Department to the most recent Bush administration, where he worked as a counterterrorism czar. In 2004, Clarke testified before the 9/11 Commission on the events and conditions that led up to the Sept. 11, 2001, terrorist attacks. At the hearing, Clarke directed his opening statement to the families who lost loved ones in the attack and apologized for the government’s failure to prevent or stop the attacks.

PYMNTS’ Karen Webster recently spoke with Clarke, who shared his insights on what the recent cyberattack revealed about the financial world’s security apparatus and what steps are necessary to prevent subsequent attacks.

The Digital Threat to Commerce

Hacking and cyber threats like ransomware are hardly new phenomena. To guard against threats and online data breaches, which can have a highly disruptive impact on eCommerce, many cybersecurity experts urge internet users to use two-step authentication to protect their online accounts.

The good news is that roughly half (52 percent) of adults who conduct activities online use two-step authentication to protect their online information and accounts. But the bad news, as Clarke pointed out, is that cybercriminals are savvy enough to exploit vulnerabilities in these safeguards as well.

“Every time we come up with another tricky way of doing authentication, people find a new way to get around it,” he said.

Clarke said he was a fan of SMS authentication. However, this security protocol can be sidestepped with man-in-the-middle (MITM) attacks that convince one or both parties that they are communicating with the other, when, in reality, they are sharing sensitive data with a cyber spy.

Even voice authentication biometrics are not foolproof because, as Clarke pointed out, there are now software tools available that capture and manipulate a sample of a user’s voice for nefarious ends. For example, an unsuspecting person could be recorded speaking their name and the word “yes” during a phone call, and the recording could then be used to fool authentication systems. This example is particularly worrisome for someone like Clarke, who makes frequent appearances on television and radio, where voice samples can easily be recorded.

“You can get enough of my voice very quickly and put together whole sentences,” he said.

Despite these issues, Clarke said, authentication is one of the strongest guards against cyber threats. But the vulnerabilities he outlined call attention to the need to improve the system.

“We need better ways of doing authentication and stronger authentication,” he said.

He noted the standards recommended by the FIDO Alliance (Fast IDentity Online), a consortium of several major financial institutions and technology companies. The alliance offers a standards-based ecosystem that uses a wide range of authentication technologies to reduce reliance on passwords, relying instead on biometrics, such as fingerprints and iris scanners, and on a second-step authentication that uses a device users have in their possession.

Clarke said that adoption of the standards set forth by the FIDO Alliance has taken off in countries like China and Japan. Here in the U.S., however, adoption has been much slower.

Banks seem particularly unwilling to adopt and require two-step authentication, despite the losses they face because of cybercrime. For banks, the cost of adding friction to the user experience could mean losing business to rival financial institutions, which makes two-step authentication not a viable choice, Clarke said.

A recent report found financial service companies lose an average of $16.53 million each year because of cybercrimes.

But even with the high costs incurred by cybercrimes, banks are still dragging their feet, he said.

“The pain point doesn’t seem to be high enough [for banks],” he said.

To get more banks into the two-step authentication mix, Clarke recommends regulation, which would compel mandatory compliance.

“A regulatory authority needs to [implement] it,” he said. “If the banks are all so afraid of competition that they don’t have any stickiness with their clients, and if they introduce the slightest bit of friction in authentication that people will jump to another bank, then make all the banks do it.”

Speaking from personal experience, Clarke said he feels reassured when, after making a purchase, he gets an SMS alert from his bank asking for authentication.

A Global Anti-Cyber Crime Effort

The WannaCry ransomware attack reached institutions and agencies across borders. To prepare for the next potential cyberattack, Clarke recommends the formation of an international coalition to fight cybercriminals.

“A lot of this stuff originates overseas … in countries that are, in effect, sanctuaries for these guys,” he said.

Clarke recommends forming an alliance of “like-minded nations” to help put pressure on nations that act as sanctuaries for cybercriminals. He pointed to his previous experience working for the U.S. government, where a similar coalition was formed to crack down on global money laundering. The coalition consisted of more than two dozen nations that would meet twice a year to formulate a strong anti-money laundering law.

Once the law was crafted, Clarke said, the coalition put pressure on countries that were acting as sanctuaries to implement the law, or face financial repercussions.

“We gave it to all the countries that had become money-laundering havens and said, ‘Either you pass a version of this law and enforce it, or 27 big countries will no longer trade in your currency,’” he said.

As such, being able to leverage international pressure on nations where cybercriminals are active will be an important step to thwarting the next big cyberattack, Clarke said.

“We need something like that on the cyber side,” he said.

But to make the international laws and agreements work, Clarke said, a compliance agency needs to be ready to visit individual countries to determine firsthand what efforts are being made to enforce the law — similarly to how the International Atomic Energy Agency regulates the use of nuclear power. If the agency finds a violation, the offending country could be sanctioned by the international coalition.

While the most recent cyberattack was a wake-up call, Clarke fears that nations will wait too long for the next wake-up call before implementing new policies to track perpetrators down.

“It’s such a simple concept,” he said. “Why we’re not doing it, I don’t know.”