Global cyberattack came from shared failure to acknowledge threat
There is a real temptation to point fingers in the wake of the global "WCRY" (or "wanna cry") ransomware attack that over the last few days has crippled organizations from the UK's National Health Service to FedEx.
If only it were true that there were one party responsible for letting us get to this state; then we might have a chance to fix it.
Instead, who you think had the tools, and the responsibility, to avoid WCRY before it happened depends on where you're sitting. In reality, there are many organizations on which you can pin the blame, and they have collectively created an ecosystem where this failure was allowed to occur.
The easiest place to start pointing fingers is at Microsoft. After all, Microsoft had a fix for the vulnerability used by WCRY around two months ago, but it was only distributed to those users of Windows XP who paid specifically for continued support past the operating system's 2014 "end of life" date.
Windows XP was particularly susceptible because it remains widely installed all over the world, yet no longer receives security updates as the more recent versions of Windows do. Surely Microsoft could have foreseen an event like this and pushed such a crucial update to every user of XP? That can't be so hard for a multi-billion-dollar company.
On the other hand, Windows XP was released in 2001. Microsoft stopped developing new features for it in 2009, and stopped shipping security updates in 2014. It's not like these dates were secret either. Everyone who's responsible for maintaining equipment securely in 2017 should know that Windows XP is off limits.
One of the reasons Microsoft didn't issue an update to XP is that there are dozens of serious vulnerabilities in XP that will never be fixed. This one just got exploited this time. This is the nature of 16-year-old software.
It can be tempting to place blame, then, on the victims. They should have updated their software. They should have paid up for Windows 10, or they should have used Linux instead.
While this argument holds some water when it comes to your average workstation, there are likely millions of pieces of equipment — everything from MRIs to the server's station at your local diner — that run Windows XP, and simply can't be upgraded.
Maybe the manufacturer went out of business, maybe the software that runs the complex hardware hasn't been updated, or maybe you're just a small hospital that needs to spend money on saving actual lives rather than on messing around with software upgrades.
There are a ton of reasons why saying "they should have just updated" fails to capture the full situation.
A number of other targets present themselves for the blame: the manufacturers of equipment that foolishly relied on a single operating system existing forever; governments turning a blind eye to information security problems for many years; or people's ability to ignore privacy and security violations until they happen to them.
In reality, all of these things, operating together in a complex ecosystem, collectively failed to address this problem. Hindsight is 20/20 of course, but every day there are new software vulnerabilities to worry about and no way of knowing that this particular one would take down entire medical systems.
The fact that this is a failure not of one organization, but of an ecosystem as a whole, is what makes Friday's attack that much more concerning.
WCRY and other large-scale cyber attacks before it, like the Mirai botnet, are just the tip of an iceberg of future chaos.
If this sort of attack takes a whole ecosystem to defend against, we can expect it to repeat itself over and over until all the players come together.
We cannot leave people behind in old versions and must encourage consumer-oriented best practices for support lifetimes.
That should include promoting software end-of-life plans that favor open sourcing software when its support ends — whether because of age or bankruptcy.
Then people have at least a fighting chance of protecting themselves.
Ross Schulman is a co-director of the Cybersecurity Initiative and senior policy counsel at New America's Open Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and internet governance.