Reason.com

Free Minds & Free Markets

Government Is the Cause of—Not the Solution to—the Latest Hacking Outbreak

A failure of transparency and responsibility by multiple nations.

Privacy and cybersecurity experts and activists have been warning for ages that governments have their priorities all wrong. National security interests (not just in America but other countries as well) comparatively spend much more time and money attempting to breach the security systems of other countries and potential enemies than they do bolstering their own defenses. Reuters determined, with information from intelligence officials, that the United States spends $9 on cybersurveillance and government hacking for every $1 it spends on defending its network systems.

The "WannaCry" malware attack that spooled out over the end of last week and into the weekend implicates both sides of this problem. The ransomware, first of all, allegedly originated from vulnerabilities and infiltration tools developed by the National Security Agency (NSA), which it had been hoarding and keeping secret from the technology companies whose defenses it was breaching. All of this secrecy was to facilitate the NSA's ability to engage in cyberespionage and to prevent technology companies from building defenses that would have inhibited government surveillance. The NSA lost control of these infiltration tools and they were publicly exposed by the hacker group known as the "Shadow Brokers" last month.

So this WannaCry attack or something like it (and probably many more) was incoming, and attentive information technology specialists were aware and hopefully prepared. Microsoft had already released a patch to address the vulnerabilities. Except not everybody downloaded it.

The non-downloaders included parts of the United Kingdom's National Health Service (NHS), the socialized, taxpayer-funded healthcare system that covers the entire population there. The NHS had been warned that computers using old Microsoft operating systems were vulnerable, but several hundreds of thousands of computers had not been upgraded, according to the BBC.

So on the one hand, we have a government agency refusing to disclose cybersecurity vulnerabilities it had discovered in order to take advantage of them, potentially leaving everybody's computers open to attacks. And then, on the other hand, we have a government agency refusing to properly prioritize cybersecurity to protect the data and privacy of its citizens (they blamed it on not having enough money, of course).

This poll from Pew from last year shouldn't be a surprise, then. Consumers have less confidence in the federal government to protect their data than cellphone companies, email service providers, and credit card companies:

[Image: Cybersecurity poll. Credit: Pew]

That the government has been terrible on both ends of this problem makes this op-ed response at The New York Times by Zeynep Tufekci all the more confusing: She blames Microsoft and tech companies for apparently wanting to be paid to continue fixing and updating old, outdated operating systems. While she acknowledges that there are costs involved in such behavior, she seems to think that Microsoft should just suck it up and shell out. This is a rather remarkable hot take (and she's most certainly not alone in it):

[C]ompanies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn't expired; neither has their responsibility to fix defects. Besides, Microsoft is sitting on a cash hoard estimated at more than $100 billion (the result of how little tax modern corporations pay and how profitable it is to sell a dominant operating system under monopolistic dynamics with no liability for defects).

Has anybody seen a demand for free goods and services couched in an argument as fundamentally dumb as "The money hasn't expired!" before? Why does The New York Times continue to charge subscribers year after year? The money readers paid the first time hasn't expired!

Note that she also takes aim at those evil corporations and their money "hoards." Earlier in the column she described the NHS, a massive government juggernaut of a bureaucracy, as "cash-strapped." The NHS blows through an equivalent of Microsoft's "hoard" and then some every single year. Its most recent budget is around $122 billion for a year and is predicted to continue growing. It's disingenuous to portray Microsoft as Scrooge McDuck and the NHS as a beggar on a street corner with a sign and a hat.

If nothing else, perhaps NHS's poor financial prioritizations and lack of responsibility will warn Americans against socialized single-payer healthcare systems? No, probably not.

Tufekci's piece isn't all terrible—she, too, recognizes the NSA's culpability in this breach by prioritizing offense over defense. But she nevertheless thinks that the problem is not enough government, despite the fact that this disaster all around is a direct result of poor government behavior:

It is time to consider whether the current regulatory setup, which allows all software vendors to externalize the costs of all defects and problems to their customers with zero liability, needs re-examination.

Whatever new regulations may be brought to bear against Microsoft will not stop these costs from being "externalized." That's how consumer markets work. If the government mandates that software vendors must continue covering, updating, and protecting their consumers, guess what's going to happen to the price of software? It's going to go up.

Hold the government accountable for all these screw-ups, not Microsoft. They're the ones responsible. And Microsoft is not happy about the NSA's behavior either. Brad Smith, Microsoft's president and chief legal officer, called out the feds for their responsibility for these threats to citizens:

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new "Digital Geneva Convention" to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

Photo Credit: Ritchie B. Tongo/EPA/Newscom


  • Citizen X - #6||

    [C]ompanies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn't expired; neither has their responsibility to fix defects. Besides, Microsoft is sitting on a cash hoard estimated at more than $100 billion (the result of how little tax modern corporations pay and how profitable it is to sell a dominant operating system under monopolistic dynamics with no liability for defects).

    That is some authentic frontier gibberish right there. That is a Mikey-arguing-with-shreek level of illogic and bad ideas.

  • Hugh Akston||

    She does make a good point about all those mattresses stuffed with dollar bills at Microsoft HQ though.

  • Citizen X - #6||

    She calls it a "hoard," which leads me to picture Bill Gates lounging around on piles of gold until his soft belly is crusted and armored with treasure.

  • Hugh Akston||

    Don't be stupid dude. He obviously keeps it in a giant money bin and swims around in it, until it expires anyway. It's like you know nothing about corporate finance.

  • Citizen X - #6||

    I guess this is why I'm not in the 1%.

  • CatoTheChipper||

    Microsoft has a bunch of cash, but it's important to keep it in perspective.

    MS has about $60 billion of current liabilities and another $60 billion in long-term debt and other liabilities. Its creditors have a claim on a large share of that cash.

    But I suppose that's too technical for a NYT columnist.

  • pan fried wylie||

    Shut up and let me spend Microsoft's -$20bil already!

  • BYODB||

    It's like she never even stopped to ask herself why it is these Governments use Windows instead of developing their own operating system. After all, no one else has ever shown that they can build an OS right?

    So not only does this person not understand finance or capitalism, they also don't have basic computer literacy. Say, do I need a degree from Columbia to get a job at the NYT or can I just wander in off the street?

  • Curt2004||

    Why would they need to build their own operating system when they could just adopt and tweak a version of Linux?

  • Unicorn Abattoir||

    This is the equivalent of demanding that General Motors continue to provide parts support to a '68 Impala.

  • Fuck you, Shikha (Nunya)||

    Exactly my point. Interestingly, Microsoft supports their OS for exactly as long as GM is required by law. Microsoft performs the same without government interference, but somehow this will be lost because "they don't have to actually produce something". Intellectually dismissive of reality.

    What also bothers me is that no one talks about similar companies. How does Apple stack up in comparison? They don't. The few years you get from them are not well disclosed, and they often drop support the moment the new generation is released, in n-2 fashion. Linux is similar to Microsoft, but why aren't they ever mentioned in these hatchet pieces?

    Bottom line, Microsoft isn't the darling Apple is and they have a lot of money that people want to steal from them.

  • dantheserene||

    I'm confused by your Apple example. As a software to software comparison, iOS updates come out regularly (the most recent was yesterday, 10.3.2), they are available to all eligible devices at the same time, and they are currently supporting hardware up to five years old.
    What am I missing?

  • MarkLastname||

    Worse even: since Microsoft would have to increase prices to make up for the costs of updating customers' metaphorical '68 Impalas, this would basically be a redistribution of wealth away from those of us who keep our hardware up to date to those who don't. Which is retarded. Ya know what's great for cybersecurity? Incentivizing people to keep using outdated hardware and penalizing people who don't.

  • Curt2004||

    Are '68 Impalas locked down so you can't even change the oil without permission from GM? Oh, well then...apples and oranges I guess.

  • Fist of Etiquette||

    Consumers have less confidence in the federal government to protect their data than cellphone companies, email service providers, and credit card companies...

    Consumers need to run with that lack of confidence.

  • damikesc||

    The sad part is that they have ANY confidence in it right now.

  • Aloysious||

    I, to be sure, did not know that munny had an expiration date. I'm looking at the assortment of bills I have in my wallet, and I'm not seeing either an expiration date, or a best if used by date.

    Clearly the fault lies with me. I must not understand munny.

  • HeteroPatriarch||

    Well, you do only have a certain amount of time before the government, with the enthusiastic support of the New York Times, figures out how to take it from you.

  • KerryW||

    Or inflate it away.

  • HeteroPatriarch||

    FedGov has a massive, destructive and very public fuck-up stemming from activities in which it shouldn't have been involved. NY Times is right there to blame a private company! And insinuate that some of their "hoarded" wealth should be redistributed, to boot.

  • sarcasmic||

    "To alcohol! The cause of, and solution to, all of life's problems!"

    -Homer J

  • Rhywun||

    It feels like I've been quoting that - and living by it - most of my life.

  • sarcasmic||

    I actually quit drinking. And smoking.

  • Rhywun||

    What do you do?

  • sarcasmic||

    When I'm not working I'm busy being a newly divorced single dad.

  • Uncle Jay||

    RE Government Is the Cause of—Not the Solution to—the Latest Hacking Outbreak
    A failure of transparency and responsibility by multiple nations.

    What?
    Transparency and responsibility for our enlightened ruling elites?
    Start packing!
    It's off to the gulag for you and your family for even mentioning such counter-revolutionary thoughts!

  • Tionico||

    In that case, don't bother packing. Nothing will be provided, and they don't allow you to bring your own nothing.

  • esteve7||

    Yes, like every other problem --- government either causes it or makes it worse, then the left blames this on greed, capitalism, Wall Street, etc. They then call for more government to do something, and the cycle repeats.

  • damikesc||

    [C]ompanies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn't expired; neither has their responsibility to fix defects. Besides, Microsoft is sitting on a cash hoard estimated at more than $100 billion (the result of how little tax modern corporations pay and how profitable it is to sell a dominant operating system under monopolistic dynamics with no liability for defects).

    "WHAT DO YOU MEAN FORD DOESN'T MAKE REPLACEMENT PARTS FOR MY MODEL T?!? They were paid for the service, those motherfuckers!!! They were almost monopolistic in the auto industry when I bought that car in 1927. And they have a shit ton of money!"

  • Sigivald||

    "Hey, just keep maintaining every rickety codebase forever, because reasons."

  • Curt2004||

    Trouble is it was rickety from the start. By now it's all patches and no original code...

  • Jerryskids||

    As I understand it, the hacking was aimed at older systems. The sorts of systems run by hide-bound bureaucracies too stupid to grasp that running proprietary programs on somebody else's system leaves you vulnerable to either constant demands for expensive upgrades or obsolescence. I have a nephew who works in IT, a data-handling contractor for the state and upgrading the systems is a major, and majorly expensive, pain in the ass but they do it anyways because if there's a fuck-up, their asses are on the hook. How many IT guys at NHS do you suppose are right now getting fired or having charges drawn up for incompetence and reckless disregard?

  • Red Rocks Baiting n Inciting||

    As you allude to, the biggest reason that such a malware file can be distributed in the first place is due to the sheer scale of internet operations. Larger operations equals greater capability, but also greater vulnerabilities and multiple points of failure.

    The fact that this malware was stopped due to the sheer dumb luck of someone noticing the kill switch in the code is the biggest worry--you can bet this kind of mistake won't be included in the next round.

  • Rhywun||

    How many IT guys at NHS do you suppose are right now getting fired or having charges drawn up for incompetence and reckless disregard?

    It's "zero", right?

  • MarkLastname||

    Actually, depending on how you count incompetent IT guys getting promotions and secretaries ('it only happened because they were understaffed and underfunded!'), the number is actually negative.

  • Sigivald||

    Even non-proprietary programs on an open-source system leave you vulnerable to exactly those two things.

    (Because free software also has bugs, and also does not guarantee either eternal updates with or without upgrades, or run tolerably on legacy hardware forever.

    I mean, would you trust people who can't upgrade Windows to handle a *BSD or Linux upgrade across kernel major versions...?)

  • Rhywun||

    Wasn't this another phishing expedition? Don't open attachments from strange randos, people.

  • brokencycle||

    But they're the only people who send me email!

  • 8K71PS||

    Nah. This was a worm. It self replicated across the network.

  • Stosh||

    Phishing...then for sure Podesta and the Dems are all infected to the max right now....

  • Rhywun||

    Its most recent budget is around $122 billion for a year and is predicted to continue growing.

    That's actually less than I would have expected. How does that compare to what the US blows on Medic*?

  • BYODB||

    You would want the per capita comparison since there's a massive population difference, don't forget that.

  • Rhywun||

    Of course.

    Just for S'n'G I looked up my city's budget: $84 billion for 2017, population 8 million. Then consider that probably 60% of the adults don't pay for any of it.

  • Fist of Etiquette||

    ...guess what's going to happen to the price of software? It's going to go up.

    So then you subsidize it. Do I have to think of everything?

  • Lol22||

    https://tinyurl.com/mn9namz no, it's the criminals, the shadow brokers are to blame, not the gov't.

  • Citizen X - #6||

    The criminals have malicious intent, yes. But the government agencies in these cases are being horribly negligent. If you lived in a bad neighborhood, you'd invest in some good, strong locks for your doors. Even though breaking and entering is against the law, you would take steps of your own, because you'd be stupid not to. Now. In this metaphor, the NSA has created some super high-tech lock-picks designed specifically to get through the best locks currently available on the market and then fucking lost them. On the other side of the pond, the NHS went on vacation without even shutting the windows, and left the personal information of millions of people sitting around the house.

    In short:
    Criminals are bad.
    Government is goddamn stupid.
    ¯\_(ツ)_/¯

  • Fairbanks||

    The NSA lost control of these tools, but law enforcement thinks it's a dereliction of patriotic duty for Apple to refuse to develop a de-encryption tool because it wouldn't be safe in the hands of law enforcement (or even Apple).

  • BYODB||

    Yes, it goes without saying that if the United States concentrated on Cyber-defense instead of Cyber-Warfare that it would make the NSA's job a lot harder and that's just not something they're interested in. They are more than willing to let data thefts happen all the time, as long as they have their back doors (or perhaps front doors, in this case). After all, they're trying to catch those guys right? What better way than to allow the NSA an all-seeing eye even if it allows all the 'bad guys' free rein.

    I suppose the theory goes that yeah it'll make crime way, way easier but it would also theoretically make it easier to catch them too. Of course, with how competent the government actually is everyone should rightfully doubt this.

  • Tionico||

    Sort of reminds me A LOT of another government debacle founded upon the principle you advocate. That programme was called Fast and Furious. They never tracked OR caught any of the law breaking gun runners. They just let the guns, and their new owners/middlers disappear into the sunset.

  • Unicorn Abattoir||

    From the alt-text

    In order to unblock your files, submit a 1,500 word essay explaining why critics were wrong and 'Suicide Squad' was awesome.

    Keep my data.

  • Scott S.||

    I try to assume my readers are not idiots and don't need to be told obvious things.

  • Citizen X - #6||

    Gross, Shackleton just spattered troll juice everywhere.

  • MarkLastname||

    STOP BLAMING THE VICTIM SHACK!

    You may not have said it, but DanO knows you were thinking it: "OMG did you see how short her password was? She was asking for it!"

  • Fist of Etiquette||

    The value of that money is decreasing, so so should the level of support you get on that which you used it to purchase!

  • Sigivald||

    "Microsoft had already released a patch to address the vulnerabilities. Except not everybody downloaded it."

    We're why we can't have nice things.

    (If you want the internet to have any chance of not being all-botnet all-the-time, update your stuff. Turn on automatic updates. Let them run.

    This applies no matter what OS you run, and would still apply in the glorious forever-next-year Year-Of-Linux-on-the-Desktop.)

  • J. S. Greenfield||

    It's a pretty odd argument to say that a vendor should not be liable for a defect they created.

    Whatever you think NSA should or shouldn't be doing (and that's not a simple matter here), NSA didn't *create* the vulnerability, Microsoft did.

    Since when do libertarians believe that private parties should be immune from liability for the ill effects of defects in products they sell?

  • MarkLastname||

    What constitutes a 'defect'? Is MS responsible for preventing any and all possible hacks on my computer? Can I sue Ford if a car I bought from them isn't bulletproof and I get shot while I'm in it?

  • Citizen X - #6||

    So if you lock your door, and a burglar breaks through your window, you should sue the homebuilder?

  • AlbedoAtoned||

    There are problems though with your arguments.

    1. Microsoft didn't purposely create it either. And when they found out about it they released a patch for it. And they even went so far as to release the patch for older versions of windows as well.

    2. When you buy software, there's a set of terms that you agree to. One of the things in the TOS is usually about how long service will be provided, because you can't just expect them to keep patching older and older OSes. The date when support ends is public knowledge. And as mentioned above, they did release a patch for even OSes that were no longer supported otherwise. In the end though, the malware still spread because people chose not to apply the patches.

    3a. Nobody is perfect, and the result is the more complex a piece of software is, the more likely it has bugs in it. Ironically, patching out these bugs can often lead to even more bugs. That's how people can hack their devices such as phones and video game consoles. Because these devs try to plug these holes and may inadvertently open up even more holes. Certainly there is a line to be drawn somewhere, where if a company purposely sells software that has more known holes than swiss cheese and sells it as if it is not vulnerable, just as a company could be held liable for selling vehicles with fatal flaws that they knew about. The thing is though, the flaw was not known about when it was released. It took years to be found.

  • AlbedoAtoned||

    3b. If you buy a car, and the manufacturer notices an issue and offers to fix it for free, and you refuse, then you can't later blame them. In this case, the issue was noticed, and patched asap and the patch was released and well known for quite a while. And when OSes such as Windows XP were leaving the period where they would continue to get patches normally, users were cautioned to upgrade to another version of Windows or switch OSes to something else entirely. Many chose not to do either. These people chose not to upgrade to a modern version of Windows or another OS, and they chose not to even apply the patch that was provided, and if they got infected, it was largely their own fault.

    4. It's ridiculous to demand that somebody be held liable for every version of something. And ignoring Terms of Service in order to hold somebody liable for something that because they are human they could not have avoided, and especially something they released a patch for. To hold Microsoft accountable for this would have an incredibly chilling effect on the IT market. Because any flaw or vulnerability in any version of a software could potentially cost you. If you want to release a product, you would need to make sure it was perfect and completely free of defect, and because of the impossibility of such a task it would stop that product from ever leaving the conception stage. Considering all of the things people enjoy today would not exist if we applied such strict liability.

  • AlbedoAtoned||

    4b. The irony is that Microsoft pretty much forces its users to update on newer versions of Windows. I personally don't like mandated updates, and prefer updating on my own time, but when I do so, I have to accept the risks associated with such a choice. People still using Windows XP are even more responsible for their own actions.

    And more power to em. To me, being given the responsibility comes with the freedom. I can choose to update when I want to, but they have to accept the responsibilities that come with it, or let Microsoft or somebody else take said responsibility, but lose a bit of the freedom. If a forced update borks the OS, then it's on them, but if not updating at all borks it, then it's on me. If you or anybody else are unable to accept these responsibilities, then you or they need to be on a more closed system. Sure it means less freedom, less freedom to run the things you want or how you want them, and less control of your devices, and it's like being treated like a child, but refusing to update and then trying to hold somebody else accountable for pretty much every revision they make, you don't get to have your cake and eat it too.

  • Tionico||

    I don't know why folks are ragging on Billy the Gates and his minions for "failing" to keep older systems updated, on their nickel, to prevent this sort of calamity. Sure, the money paid to Microsoft for the OS versions long ago has not expired.... but WHY should Ford have to upgrade older non-airbag cars to "make everyone secure", on Ford's nickel?

    I've been happily using Macintosh products now since Windows 98 was first released. Almost twenty years. ALL my hardware and software functions well, and I've yet to have any sort of crash, invasion, malware, attacks..... and I'm on my machine a LOT. Of course, I have learned to be quite leery of "strange" things.... and have adopted some habits that seem to have precluded, so far, any "infections". Yes, I've paid a bit more for computer usage... by some measures. Finally learned to NOT buy the newest greatest fastest whizbang critter. Closeouts of just-discontinued equipment have been a boon. The one on which I am typing right now is four years old..... still incredibly fast and capable. My last laptop got used heavily for ten years running. The ONLY reason I retired it was that too many banking and financial institutions were adopting "new, better" technology, and higher grades of security. The old Motorola chips were simply not capable of functioning to make those sites accessible, so I was forced to "upgrade" in order to access my accounts.

  • Liberty Lover||

    The government is the solution to very little.

    How fortunate for Microsoft this happened. They wanted everyone, enterprise included, to switch to Win 10, which did not have the vulnerability to this ransomware. Upgrades coming? Lesson learned?

  • Netizen_James||

    How typical of anarchists to blame the government for the decision by CRIMINALS to commit CRIMES.

    No, the government is not to blame for the decisions of criminals to commit crimes. If there weren't greedy assholes who didn't give a fuck about anyone but themselves, there wouldn't be any criminals. But of course, those who worship at the altar of Ayn Rand think that being a greedy selfish asshole is a GOOD thing. Objectivism encourages crime. Whatever the market will bear, right? So long as there's no law against selling people bread made mostly out of sawdust, it's all good, right? Let the buyer beware, right? And if there IS such a law, it's an evil horrible onerous and burdensome law that interferes with the 'free market' and is thus something only supported by 'collectivists' (otherwise known as 'civilized people'). Right?

    This article is the cyber-equivalent of blaming a woman for getting raped because she was wearing a 'revealing' outfit. Or because she went to a frat-party and drank a few beers.

    Yes, a bunch of foreign governments and even some banks got boned because they were using pirated copies of no-longer-supported MS operating systems. And why did they do that? Why didn't they use Linux instead? Whose fault was that? Not the NSA's fault. Not the US government's fault. Criminals getting boned by other criminals - awwww - where's my violin?

    N_J
