‘Ransomware’ attack shows the time has come for a digital Geneva Convention

The cybersecurity wake-up call the world has long needed has occurred. Hundreds of thousands of computers in more than 150 countries have been hit by anonymous hackers, affecting systems run by governments, companies and individuals. Searching questions are being asked of institutions that failed to protect their networks and of the organisations that were best-placed to stop the attacks. The time has come for governments to work together to deal with a threat that will worsen the more connected we become to the internet.

No particular country or organisation was targeted by the virus known as ransomware; vulnerability was based on whether security software updates on Microsoft Windows computers had been installed. Those caught out on the mainland included universities, police and petrol stations, while in Hong Kong, individuals mostly bore the brunt. But overseas, high-profile organisations were affected, among them Russia’s interior ministry, the US logistics firm FedEx, Nissan and Hitachi in Japan, Britain’s National Health Service and the Spanish telecommunications operator Telefonica. A temporary fix slowed the spread, but new versions of the virus have been unleashed.

Microsoft blames US spy agencies for stockpiling cyberweapons, as world braces for ransomware attack to worsen

The attacks exploited a flaw in Windows. Although Microsoft released a security fix in March, not all systems were updated and the virus spread by detecting those that were vulnerable. Windows XP computers, which have not been supported by the firm for more than three years, were especially at risk. Computers affected had data files encrypted and users were asked to pay a “ransom” to a bitcoin account or permanently lose data.

The obvious lesson is that computer operating systems need to be kept updated with the latest security software and data regularly backed up. That is less easy for large companies than individuals; the complexity of networks requires a strategy being put in place. But with increasing numbers of online devices being used, knowing what to update and when will become ever-more challenging. What is certain, though, is that the spread of cybercrime and the cunning of those behind it means that security updates cannot be ignored.

But there is a wider issue, highlighted by the vulnerability having first been discovered by America’s National Security Agency, which kept its finding secret only until the hacking tool it had allegedly developed was itself stolen and leaked online. That tool was the basis for the attacks. Microsoft has been calling for governments to draft and implement a digital Geneva Convention to ensure that governments do not keep vulnerabilities to themselves for exploitation. In light of the attacks, it would seem that time has come.