Analysis & Opinions - Lawfare

The Real Lesson from the WannaCry Ransomware

| May 12, 2017


"Lawfare and others have spent an enormous amount of time discussing the intricacies of the Vulnerabilities Equities Process (VEP). Many policy conferences have been dedicated to the matter, and an even greater number of Twitter debates. The topic, in its own way, serves as a proxy for what one thinks of broader issues in information security and signals intelligence.

Today’s so-called WannaCry ransomware attack reveals the stakes, but more importantly the limits, of that debate.

Our bottom line up front is that, VEP or no VEP, today’s ransomware attack highlights the risks of relying on software that is no longer supported by its developer (like Windows XP) and of not applying patches that the developer makes available (like MS17-010).  Even a perfectly functioning VEP would not make much difference unless the developer addressed the vulnerability, and businesses and institutions applied the relevant patch.  These are the two issues—more than a government process that feeds them—that make or break organizations in the wake of today’s attack..."

For more information on this publication: Please contact Cyber Security Project
For Academic Citation: Buchanan, Ben and Michael Sulmeyer.“The Real Lesson from the WannaCry Ransomware.” Lawfare, May 12, 2017.

The Authors