Victim blaming?

DSC00249 a CC ND image by Johannes Nest -
Do companies that were affected by WannaCry only have to blame themselves, or is that “victim blaming”? Let’s do some soul searching.
Was WannaCry special? Yes, because it was based on tools allegedly stolen from the NSA and it caused significant trouble in the real world. Yes, because it got a lot of media attention. On the other hand, no, WannaCry was, for us at Schuberg Philis and many others, pretty much a non-event. It was a worm that spread via port 445 (the SMB protocol) and it used a vulnerability that was patched by Microsoft two months prior to the attack. Strict network filtering, along with rigorous patching has saved us a lot of grief. And, if we had been hit, we are confident that we would have had a sound backup strategy to prevent serious damage/data loss.
Shortly after the WannaCry outbrake I watched in interesting debate on social media. It dealt with  the guilt question. One group argued that the victims of this attack only had to blame themselves. They should have patched earlier, not dragged their feet and limited the attack vector. Another group was accusing the first group of “victim blaming”[1].
Let me state first and foremost that encrypting people’s files to extort their money is wrong. Plain and simple it is a crime and that makes the criminals responsible for the damage.
However, that statement feels to simple, too black and white. Electrocuting people is a crime too, yet if I go fly a kite during a thunderstorm and get electrocuted people will, rightfully, blame my carelessness instead of the malicious nature of the thunderstorm.

Delta Kite a CC image by J. Triepke
There are two aspects of this comparison that seem to make the difference between who is to blame. The first one is the intent of the perpetrator. While it is, to date, unclear who was behind the WannaCry attack, it is clear that the purpose of the attack was to hurt people by encrypting their data (and most likely to extort their money). No one would argue that a thunderstorm purposefully electrocutes people.
The second aspect is the knowledge and ability of the victim. Was the victim in a position where he knowingly put himself at risk and was he capable to avoid harm? If you start flying a kite in a thunderstorm you hardly claim ignorance or unavoidability. If you get attacked with a 0-day attack by a nation-state actor just because you are not a citizen of their country, you can. If you fall victim to a non-targeted attack for which adequate defences have been available for two months already, you fall somewhere in the middle.
A third aspect is one that is external to the case. It is the “public opinion” of the group. My peer group mainly consists of people who have a professional career in information security. We work for companies that can afford to (or have to afford to) have information security professionals work for them. In those minds, you should be capable to defend yourself, in those minds it is unacceptable to delay Windows patches for two months. In those minds, if you connect to the internet with an unpatched machine, bad things will happen™. Thus, in those minds, this makes WannaCry victims at least partly responsible themselves.
Without doubt, WannaCry has changed a few things. It has made a scenario that was previously hypothetical (if you delay patches, you will get hacked) a reality. In that sense, it has robbed organisations of their innocence. Organisations that previously delayed patches, often did so for reasons. Every change to an IT system comes with a certain risk, this also applies to patching. I know for a fact that many people worked the WannaCry weekend to apply delayed patches, because all of a sudden, the risks associated with not-patching became higher than the risks associated with patching. And, it turned out that patching actually caused very few (none that I heard) outages.
So, are we Victim Blaming WannaCry victims? Yes, we are, people shouldn’t commit crimes. However, denying that the victims behaviour has an influence is adhering to the “myth of pure evil”. We will have to face the reality that what was once dubbed “The Global Village” has become a “Global Ghetto”. If you live in a bad neighbourhood, you make sure you have the right locks your door and use your head when you go out at night.


Not Published

0/1000 characters
Go Top