How stupid humans let the WannaCry ransomware virus catch the world with its digital pants down

This morning, the world held its breath as people returned to work and booted up their computers to see if a creepy red sign would appear informing them they were a victim of digital black mail.

The WannaCry virus has already become the worst case of ransomware in history, hitting 200,000 computers in 150 countries as of Sunday, according to Europol, Europe’s policy agency. While the virus appears to be slowing, the fear now revolves around reports that new variations have started to appear.

“Several new variants have emerged during Sunday and last night, of which only one appears to have [gotten] some very limited traction,” said Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis team (GReAT). “The other variants appear to have been manually patched by unknown entities and have not been created by the original #Wannacry authors. For the new variant that appeared on Sunday morning, we have seen a very limited number of attacks, which included 3 customers, in Russia and Brazil. We continue to monitor the developments and watch for the emergency of any new variants.”

What is most amazing about all of this is not that it’s happening. It’s that it’s happening almost exactly as security researchers have been warning us it would happen for years now. It look a lot of people ignoring a lot of warnings over a lot of years to reach this point. And this means that on this grim Monday morning, there is ample blame to go around.

Naturally, this starts at the doorstep of Microsoft, which sells the Windows operating system and which has been criticized for years for its security shortcomings. Over the weekend, Brad Smith, Microsoft’s chief legal officer, sought to highlight the progress the company has made in beefing up its security, knowing that it’s likely going to be in for some intense scrutiny.

“We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident,” Smith wrote in a blog post on Sunday. “This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.”

But, as Smith noted, after the company became aware that details of the vulnerability had been made public, it released a security update to patch the hole in March. The problem, however, is that over years and years, organizations and companies have created a patchwork of computer systems that have at times become too complex for them to fully manage or even comprehend. In constructing these systems, security is not always high on the list. The focus too often is on short-term costs and savings.

The shocker in the United Kingdom was that so many machines at the National Health Service were running on Windows XP. XP! A system Microsoft stopped supporting years ago. There apparently had been neither the will nor the skill nor the resources to update to more recent versions. The NHS may be the most visible victim, but it’s far from the only one guilty of this sin.

“The widespread nature of this attack suggests that organizations are still slow to patch significant vulnerabilities like the one currently being associated with this event,” said Travis Farral, director of security strategy at Anomali and a former ExxonMobil security intelligence supervisor. “Considering the potential impact of these infections, ensuring that there are procedures in place for quickly patching urgent vulnerabilities and having a good business continuity plan in place to account for these types of attacks should be paramount priorities in any organization.”

Smith echoed this point when he not-so-subtly pointed the finger at Microsoft’s very own customers:

“This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers,” he wrote. “The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.”

While there appears to have been some success in halting the impact of WannaCry, the vulnerability remains, and if those new variations get traction, we’ll see additional waves of computer attacks. Ultimately, the best and only sure way to halt this is for every single vulnerable machine to be updated and patched. That is a daunting task and it’s not clear governments, businesses, and nonprofits have the resources to make that happen anytime soon.

But, of course, what actually triggered this particular threat was the U.S. National Security Agency deciding to invest resources in uncovering this kind of vulnerability, keeping it secret so it could use it in its own surveillance activities, and then somehow letting hackers get hold of it and release the details to the world.

This is where Smith directed his real fury.

“The governments of the world should treat this attack as a wake-up call,” he wrote. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

Of course, we’ll see if any of this actually changes the behavior of users or the people who write code or government policy makers. More than a few of these organizations could be looking at massive legal liability if they failed to maintain adequate safeguards. Perhaps being sued to the brink of oblivion will be what it takes to change widespread complacency around cybersecurity.

Still, there is always a lot of wailing and gnashing of teeth after a major hack or breach. Less common are actual changes that happen fast enough to make a difference.

We can rant about the perils of technology and the risks of living in a connected world. But in the end, it takes a lot of stupid humans doing many dumb things to allow the worst to happen.