On June 15, 2017, the U.S. House Committee on Science, Space, and Technology (the “Committee”) held a hearing on the recent WannaCry ransomware attack. The hearing was convened jointly by the Subcommittee on Oversight and the Subcommittee on Research and Technology. The goal of the hearing was to examine what lessons could be learned from the WannaCry attack and to determine ways to strengthen the government’s cybersecurity defenses as a result.
The WannaCry attack was a worldwide ransomware attack that targeted a vulnerability in multiple versions of Microsoft Windows and self-propagated to other vulnerable systems. Ransomware is a type of malicious software that encrypts or otherwise blocks access to user data on an infected computer, then demands payment of a ransom to allow the user to regain access (although in the case of WannaCry, payment of the ransom reportedly did not yield any results). According to testimony at the hearing, the attack began on May 12, 2017, infected 7,000 computers in the first hour, and eventually affected over 1 million unique systems in almost 100 countries, including the British National Health Service and Telefonica, a Spanish telecom provider. Representative Lamar Smith (R-Tex.), Chairman of the Committee, noted that “[w]hile WannaCry failed to compromise federal government systems, it is almost certain that outcome was due in part to a measure of chance.”
The Committee heard from four witnesses: Salim Neino (CEO of cybersecurity firm Kryptos Logic), Dr. Charles Romine (Director of the Information Technology Laboratory at the National Institute of Standards and Technology (“NIST”)), Brig. Gen. (ret.) Gregory Touhill (Adjunct Professor of Cybersecurity and Risk Management at Carnegie Mellon University and former director of the National Cybersecurity and Communications Integration Center (“NCCIC”)), and Dr. Hugh Thompson (CTO of cybersecurity firm Symantec). The witnesses testified extensively about the source of, impact of, and response to the WannaCry attack. Looking forward, the witnesses focused on the importance of public-private partnerships in preventing and responding to future cyberattacks.
The witnesses noted that public-private coordination between private security firms and the FBI, the NCCIC, and the UK’s National Cyber Security Centre, among other organizations, was a large factor in disseminating information about WannaCry and stemming its spread. The NCCIC, located within the Department of Homeland Security, is a cybersecurity monitoring and incident response center whose goal is to disseminate information and coordinate response among federal and state authorities and the private sector. The witnesses agreed that the response to WannaCry was among the most successful public-private incident response efforts to date. The witnesses also noted that, as cyberattacks increase in complexity and effectiveness, even better coordination between public and private entities is needed, including greater formalization of these partnerships to allow for faster responses to attacks. Gen. Touhill further noted that the federal government is prone to over-classifying information, which “stifles the timely sharing of information in an environment that already moves at light speed.” Mr. Neino advocated the creation of a formal classification scale (similar to the Richter scale for earthquakes) for cyberattacks and threats that would allow all parties to properly triage and prioritize responses to such threats.
In addition, Dr. Romine and Gen. Touhill noted and praised President Trump’s May 11, 2017, Executive Order on Cybersecurity, previously reported on by King & Spalding.