Hats off to Larry
An obscure title perhaps, but a line in the song goes something like ‘Now it’s your turn to cry’.
Yeah, here we go. Another two-penny opinion about WannaCry.
The story so far:
The bad guys released a self replicating program which infected certain types of computer throughout the world. Once established on a computer the program then claimed to have encrypted files it had found and offered to decrypt them only on payment of a ransom.
This became news in the UK because a number of machines in the National Health Service got infected and had to be closed down which disrupted the day-to-day working of some of the organisation’s trusts.
So far so scummy.
-
The author of the program is a bad guy, right? He does not care which computers got hit. Why would you trust him to deal honestly with you if you did decide to pay the ransom?
-
Most victims will shrug (or cry and then shrug) and then wipe/reset their computers and start again. If I were a bad guy and had encrypted files on many thousands of computers, I would be particularly interested in those files for which the victim was prepared to pay the ransom. I’d want to steal a copy of those files before handing over the decryption key.
-
The affected computers were poorly maintained… that is to say, security-related software updates had not been applied - and yes, I do mean that a Windows XP machine for which security updates are no longer available is by definition a poorly maintained machine. There will be all sorts of excuses from the IT folk responsible for those machines: ‘we update our systems on a regular schedule - it was scheduled for next week’, ‘we like to delay a little before applying software patches in case there are reported problems’, ‘we were too busy’, ‘we didn’t have enough money for software support’.
In the UK, if you run a poorly maintained vehicle on the public road you get found out at the annual MoT inspection. If you carry on running the vehicle without fixing its problems (i.e. without an MoT certificate) you get caught by the traffic police and the vehicle can be taken away from you. The police get involved because running a poorly maintained vehicle is dangerous for the driver and everyone else.
We need a similar scheme for computer systems.
-
Some people will view these attacks as a form of vigilantism - forcing vulnerable systems out of use. My opinion is that the motivation is greed and bragging rights. However, historically, vigilante action eventually evolves into policing.
For the avoidance of any doubt I am suggesting that we the people should empower our governments to set up agencies to define standards and test publicly reachable computers and force them off the Internet (by direct action if necessary - think stingers set up across roads to stop vehicles that are being used to break the law) if they fail to meet the required standards.
Yes, I’m talking about governments blocking access to the Internet for irresponsible people/organisations.
Yes, there will be jurisdiction disputes. They can be resolved. It’s what governments do.
Update 17-May-2017: I’ve just seen an article on The Register in which they ask their readers if a vendor should be required by law to continue supporting their product if essential public services rely on it.
I would put the boot on the other foot. Those who run essential public services should be required by law to make sure that they are supported.