Ransomware attacks could disable Canadian infrastructure, too

Canada escaped the recent wave of massive online extortion cyberattacks mostly by fluke and must be ready to protect itself against another wave of such assaults, which most likely have already been launched.

The malicious software, also known as ransomware, threatens to destroy the files held inside the device it infects (or the reputation of its user) unless the owner pays a ransom fee. The tactic is essentially cyber-blackmail.

The wave of ransomware attacks consisting of a virus known as WannaCry hit 99 countries around the world this past May, including the U.K., which suffered a crippling of its National Health Service.

Another global wave hit just last month and ended up infecting even more countries, including a long list of around 100,000 major global entities likeRussia's biggest oil producer, Rosneft, Germany's railway system, and Ukraine's state power company, just to name a few victims.

Next wave has likely already launched

Experts such as Ori Eisen of the Trusona cybersecurity firm say the next wave has likely already been launched and will seek to exploit weaknesses that have been exposed by the most recent ransomware attacks. These weaknesses concern only Microsoft devices and can mostly be avoided if users make sure to update their systems, but even a single infection can automatically lead to a larger plague. The malware is designed to self-replicate like a virus and can thus spread quickly throughout different networks.

It exploits a vulnerability in Microsoft operating systems that was first noticed by the U.S.'s National Security Agency. Hackers then stole the NSA's exploitation tools and dumped them online for all to download and use.

Microsoft eventually issued updates to address the vulnerability, but not all users took the threat seriously and many didn't install the necessary updates. Users with older Windows operating systems lacked the ability to receive these updates at all and were particularly vulnerable.

That Canada has so far avoided the epidemic is due to the simple fluke that certain devices that would've spread the malware into the country simply weren't infected. It's highly unlikely that Canada will sustain this level of good luck next time, since the coming wave of attacks is likely to be stronger and even more exploitative than the previous waves.

Eisen said so far, most of the crimes associated with the cyberattacks have been relatively "low level" (judging by the amount of ransom money the criminals asked for), though the same malware techniques can, as some attacks have already demonstrated, also be used to attack larger infrastructural entities such as nuclear power plants, railways or even dams. Any one of these structures, if systemically destabilized, would result in serious disruptions to civilian life.

Most government systems vulnerable

But it doesn't take rocket science to avoid something so drastic. Canadian state infrastructures should learn from what happened in the U.K. or in Ukraine.

Microsoft devices that receive automatic updates to their systems via Windows Update would've avoided these infections in the first place because such updates include "patches" that protect devices by addressing existing vulnerabilities. Older systems that simply don't have this updating function include Windows XP (which the NHS mainly uses), Windows 8 and Windows Server 2003.

The obvious step that should be taken by all infrastructural entities to avoid infection would be to update their systems by acquiring the latest Microsoft operation models. It's unclear whether all Canadian bureaucratic infrastructures have done this.

Ryan Kalember, senior vice-president of leading cyber-security firm Proofpoint, said most governmental infrastructure around the world isn't 100 per cent "patched up" to avoid infection.

Still, Canada's Communications Security Establishment has said the countryis well-placed to deflect and defend against such an attack and there is no indication that any information in Government of Canada systems was compromised in the recent waves of ransomware attacks.

A spokesperson for Public Safety Minister Ralph Goodale also noted recently that the Canadian Cyber Incident Response Centre is focused on and capable of defending vital systems that lie outside of the purview of the federal government, such as hospitals.

Back up and update

Meanwhile, the least anyone should do whether personally or on behalf of a broader network is to back up files and information into an external drive in case a device is rendered useless by a malware attack. This is what's allowed many of the entities affected by the recent attacks to recover relatively quickly.

These cyberattacks are a warning that networks still using older operating systems are at risk of suffering more than mere user inconvenience. If entire networks use only such systems, then an attack could mean the paralysis of the entire network infrastructure.

It's vital that all systems be in a position to receive updates and then update themselves without the assistance of special technicians.

This means adopting operating systems that are actually within the purview of mainstream support so they get automatic updates. It also means that those using such devices should take the updates seriously and actually install them.

Not doing so these days can result in consequences far greater than the functional well-being of a single device.

This column is part of CBC's Opinion section. For more information about this section, please read this editor's blog and our FAQ.