Last week, the little-known WanaCrypt ransomware cyberattack amplified into a worldwide pandemic, affecting everything from government agencies to universities to businesses, in more than 100 countries. While ransomware is nothing new, previous attacks have focused primarily on smaller organizations. This one, however, highlighted the vulnerability of government systems, and it raised new concerns about the role government can and should play in digital policy.

• The virus was created by the United States’ National Security Agency (NSA). It was intended, of course, to be used for national security purposes — but it was stolen and released to the public. So, although it could be argued that the NSA had legitimate national interests in mind, what responsibility do they have to keep such cyber weapons out of the wrong hands? In addition, do ethics require that, when a governmental agency creates such a weapon, they also create an easily deployable cure? Finally, did the NSA fulfill their due diligence, or was the theft linked to sub-par security protocols at the agency? Does everything here point back to the lack of digital policies?
• The UK recently voted to adopt the EU’s data protection laws. And yet one of agencies hardest-hit by the WanaCrypt infection was Britain’s National Health Services, forcing hospitals to turn away non-emergent patients. Other countries, including China, Vietnam, South Korea, Indonesia, Scotland, Russia, and Germany, suffered attacks on networks used by hospitals, schools, universities, power grids, and mass transportation. Should governments be obligated to comply with their own digital policies? As it turns out, Britain’s NHS networks were especially vulnerable because the agency was still using Windows XP, a 16-year-old system that Microsoft no longer supports. Other agencies targeted by the attack were using newer systems but hadn’t yet implemented patches that Microsoft released in back in March. One has to ask whether, under the new law, fines would have been levied on private organizations in similar circumstances. A bigger question, however, is why governments aren’t following the best practices — such as immediate installation of updates — that they themselves recommend or mandate?
• Another consideration is that, while governments are obviously responsible for enforcing digital policies, are they really the best venue for developing those policies? Governments are, by nature, slow to take action. Businesses, on the other hand, depend on such agility for their very survival. So one has to ask whether government should outsource digital policy management to private industry? One example is Google’s BeyondCorp, which grants layers of access based on factors like who the user is and what device they’re using rather than on location. This is a departure from traditional security protocols in which, once somebody makes their way into an internal network, they have easy access to everything there. It’s a good argument for having private businesses take the lead in developing and adapting security protocols for both privacy and public sectors.

The details of this security breach will undoubtedly be analyzed for quite a while. But we should also take this opportunity to re-examine our approach to digital policy as well as the roles of all stakeholders.

I hope that you had little or no impact from WanaCrypt and that you will leverage this incident as a call to prepare yourself for what is certainly coming — more cyberattacks, data breaches, and the need for continual security innovation. No doubt, having the right digital policies will keep you on that path.