Ransomware Attack Seen Unlikely to Spur More European Regulation
The WannaCry ransomware attack hit European businesses hard, but new regulations aren't needed, experts told us. The cyberattack, which affected about 200,000 computers in some 150 countries (see 1705150008), prompted the "first ever case of cyber cooperation at EU level" between the European Network and Information Security Agency and some national governments, ENISA said. Security experts faulted failures to keep computer systems updated, and NSA and U.K. Government Communications Headquarters (GCHQ) for keeping the vulnerability that enabled WannaCry secret and not fixing it. The European Commission said it's reviewing its cybersecurity strategy.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The event hit the European health, energy, transport, finance and telecom sectors, manufacturers and service providers, ENISA said. The attack was unusual in that it affected many organizations across the world in a short period of time, it said. WannaCry leverages a known critical vulnerability affecting Microsoft Windows.
The European Commission "has been following the situation very closely since Friday evening," a spokeswoman said. Cyberattack for criminal purposes is an increasing threat that calls for a coordinated response from the EU and its members, she said. The EC urged national governments to implement the EU network and information systems directive quickly and to raise awareness among internet users. It announced in its recent digital single market mid-term review that it will, by September, review the 2013 EU cybersecurity strategy and ENISA's responsibilities to align them to the new EU-wide cybersecurity framework, the spokeswoman said. The EC will "also work to propose additional measures on cyber security certification and labelling to make connected objects more cyber secure," she said.
Industry and security officials said WannaCry won't be a regulatory game-changer. It won't "result in any major regulatory changes in the UK or Europe beyond what has already been agreed" to, said Talal Rajab, head of industry group techUK's cyber and national security program. The government's recent national cybersecurity strategy dedicates nearly 2 billion pounds (about $2.6 billion) to defending the country from cyberthreats, he said. Coupled with the upcoming general data protection regulation (GDPR), and the EU network and information security directive, the strategy was designed to deal with cyberattacks such as WannaCry, he said.
"The big shift in regulation in Europe right now is the GDPR," which takes effect in May 2018, said John Shaw, vice president-product management at security firm Sophos. It's likely many of the companies and organizations attacked by WannaCry would have been subject to significant fines if the GDPR were in effect, since losing data because it's encrypted and inaccessible is still a data loss, he said. "Ransomware is already devastating enough to a business. Adding fines may act as a further incentive for businesses to protect against future incidents, but I really don't think we need any additional regulation beyond the GDPR."
The outbreak shows the most vulnerable organizations were those that hadn't upgraded computers and servers, or invested in security best practices, said Shaw. "The costs of under-investing in security are already clear" from the ransomware, and they will only get bigger, he said.
The malware that affected some U.K. hospital computers wasn't an attack on the National Health Service "but stupidity by a small subset of people in the NHS who were negligent at system administration and who should be sacked," said security researcher Ross Anderson of the University of Cambridge Computer Laboratory. "You wash your hands after going to the toilet, right? And you patch your computers. If you don't, and a patient comes to harm, that's your fault." It looks increasingly as if most of the NHS infections were Windows 7 machines that hadn't been updated, he said.
The NHS ransom "shows the problems with GCHQ's approach to hacking and vulnerabilities," Open Rights Group (ORG) Executive Director Jim Killock blogged Saturday. The decision by GCHQ and NSA to keep the vulnerability secret "means they have a significant share of the blame," he said.