Federal Government Dodged 'WannaCry' Attack, But Still Has Vulnerabilities Experts say federal agencies have taken steps to secure networks, but they remain vulnerable.
NPR logo

Federal Computers Dodge Global Malware Attack ... This Time

  • Download
  • <iframe src="https://www.npr.org/player/embed/529518708/529550343" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Federal Computers Dodge Global Malware Attack ... This Time

Federal Computers Dodge Global Malware Attack ... This Time

Federal Computers Dodge Global Malware Attack ... This Time

  • Download
  • <iframe src="https://www.npr.org/player/embed/529518708/529550343" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

While the government dodged a bullet this time by avoiding the latest malware attack, experts say its systems are still vulnerable. Intrepid00/Flickr hide caption

toggle caption
Intrepid00/Flickr

While the government dodged a bullet this time by avoiding the latest malware attack, experts say its systems are still vulnerable.

Intrepid00/Flickr

The ransomware attack on worldwide computer networks earlier this month largely spared those of the federal government. While the government dodged a bullet this time, experts say, its systems are still vulnerable — although perhaps less so than in the past.

When the global malware attack — dubbed "WannaCry" — was first detected, a government cybersecurity response group moved quickly.

It determined that this time, government networks were largely protected from the intrusion. Agencies had downloaded a patch Microsoft sent out in March that closed the vulnerability in its most recent operating systems.

That precaution was a response to a hard-earned lesson, according to Bruce McConnell, who was a top cybersecurity official in the Obama administration.

McConnell says previous hacks, including the one at the Office of Personnel Management two years ago in which the data of some 21 million people was stolen, convinced the feds something had to be done.

"I think the federal government had several wake-up calls in the last few years, so the Obama administration put quite a bit of emphasis on getting things patched, getting things up to date and cleaning up unsupported operating systems," McConnell says.

But McConnell says the WannaCry attack was relatively unsophisticated, and that more sophisticated attacks will be harder to stop.

In an executive order signed earlier this month, President Trump called for more robust deterrence against attackers. Frank Cilluffo, who directs the Center for Cyber and Homeland Security at The George Washington University, says, "In essence we've been blaming the victim in terms of cybersecurity, and we need to put a little more pain on the perpetrators and the adversaries."

He says that means not shaming users, but going after and prosecuting individual hackers, and continuing to impose stiff economic sanctions on nations behind state-sponsored attacks. And not relying only on cybersecurity measures.

"If you think about it, in the physical world, it would sort of be like every time you get robbed you call the locksmith," Cilluffo says. "We're never going to build high-enough walls, protected by deep-enough moats, protected by bigger and bigger locks."

In Congress, lawmakers are also moving to increase security for government networks. In a rare bipartisan vote, the House last week approved a measure that aims to nudge federal agencies to modernize their technology, including more use of cloud computing, which is generally more secure.

The bill, known as the Modernizing Government Technology Act, would provide $500 million for IT modernization over the next two years. And agencies that save money through system upgrades could use those savings for other IT projects.

Republican Congressman Will Hurd of Texas was the bill's lead sponsor. "This is not a technology problem," he says. "This is a leadership problem. [We pay] cybersecurity the right amount of attention then we're going to be able to defend our infrastructure."

And cybersecurity expert McConnell, now global vice president of the EastWest Institute, says there are other potential vulnerabilities,
including so-called zero-day bugs, weaknesses unknown to the software developer and discovered by hackers before they can be patched.

"It's like taking care of your body or taking care of your car," he says. "You have to keep at it. It's not buy and forget."

McConnell says users, including the government, can't afford to let down their guard.

NPR's Geoff Bennett contributed to this report.