by EQYV 2058 days ago
If this attack results in actual loss of life, I firmly believe the US should ensure that there are real-world physical consequences for these criminals. They cannot be described as anything less than the worst humanity has to offer. A failure to respond with meaningful and severe consequences for those responsible (assuming this attack can be confidently attributed to a particular threat actor) opens the floodgates. Time to find out how seriously the US takes its own cyber doctrine.

https://www.reuters.com/article/us-usa-defense-cybersecurity...

7 comments

Good God no! I get where you're coming from but you've clearly not worked in this field. Health Care IT is a disaster that was CREATED by regulation written in a different era of computing. The whole industry is terrified of making changes because of the multi-year hoops they're forced to jump through to release them; you don't flog a horse for stopping when you pull on the reins.

The correct solution is to change the flawed thinking in our regulations that treats all changes as equally hazardous to patient safety. The government should be encouraging (the right) changes to be released more quickly -- punishing companies for following the rules won't fix anything.

I don't think the OP was advocating for punishing the hospitals, but rather the ransomware authors.
I think there is fault on both sides. Can’t just punish the ransomware authors.

1) Security in healthcare is a shit show. If there are lots of open exploits, there needs to be a fast way for them to get fixed and the software vendors shamed on.

2) When someone discovers an exploit, they shouldn’t have to fight lawsuits. The response to security flaws should not be suppressing them but fixing them ASAP.

3) People shouldn’t have to lose lives to make a point that security is weak and you better pay up for disregarding it.

This is correct.
That doesn't justify someone abusing flawed systems to threaten people's lives.

"Oh we brought it upon ourselves by making it easy to break in so we should fix that instead of going after the thieves?"

If the bad actors are halfway around the globe where they have zero jurisdiction, what can you reasonably expect US law enforcement to do? It's a bit like getting mad at police for not investigating your car getting broken into, because you left the windows cracked open.
9/11 also happened spectacularly in the middle of New York. Does that mean law enforcement tried to do something about Afghanistan? Was it the fault of airports to not do a thorough cavity search of each and every passenger?

Our life to this day in many small ways runs on a contract that others are not trying to kill us. Security check or not.

I didn’t say law enforcement. Maybe the intelligence agencies can do something useful.
Maybe the US should also invest some of their military money to solve the situation of insecure hospital IT. You need defense, you won't win it with offense. There'll always be another bad actor out there.
Absolutely true as well.
If US citizens die due to this, I am 100% down with bringing the full might of our military down on the state/group that did this. No mercy.
And how are you going to identify the state/group that did this? Believing "experts"? Oh, that worked just fine previously

https://en.wikipedia.org/wiki/United_Nations_Security_Counci...

Whatever makes us feel better, right?

Reality is essentially unverifiable at this point, so ... nuke Russia?

It's not that that's what I want, I just can't find a way to know what's real.

This is honestly the scariest part of living in 2020
According to the media hackers are either Russian, Chinese, Iranian or North Korean, so that limits the group of possible culprits somewhat. /s
The problem with this is that other bad players within US can "hack" this attempt to blame a state/group that had nothing to do with this. Has happened in the past.
Of course; it happens all the time. False flags (in the form of routed connections and much more) are extremely common in cyberwar and among cybercriminals, naturally. But can you name a time US law enforcement or military fucked up and fell for a "cyber false flag" [1], and mistakenly took action against the framed party? It may have happened, and I wouldn't be shocked, but I haven't actually seen a publicized case of it.

From having some knowledge of some investigations like these (though not on behalf of any government), the investigators and forensics experts are constantly asking themselves "is this a false flag? is this piece of evidence deliberately planted, or an actual mistake?" Investigators obviously want to get the right people and not get the wrong people. And in the case of nation-states, they also have classified information they can use (like from NSA global spying, etc.).

[1] (I shudder at the term "cyber" as much as anyone else reading this, but that pretty much is the official term the government uses.)

> But can you name a time US law enforcement or military fucked up and fell for a "cyber false flag"

SWATting via VoIP spoofing etc., could arguably fall entirely within the realm of this.

True, that's one key example. I should've clarified that I'm referring to arrests, prosecution, and imprisonment. Also, such hoaxes (and things like bomb threat hoaxes) did still happen before the popularity of the internet; they can be done from a payphone, for example. The internet definitely makes it a lot easier, though.
> But can you name a time US law enforcement or military fucked up and fell for a "cyber false flag" [1], and mistakenly took action against the framed party?

Absence of evidence is not evidence of absence.

Of course. It absolutely may have happened, and if or when it has, I want those instances known. But if someone were to have been arrested wrongly, or some government blamed wrongly, this would be a huge deal, and I'd expect there to be a lot of public controversy and discussion about it.

Everyone should be subject to due process. If some organized crime ring in Ukraine is blamed for some particular ransomware attack and they get tricked into traveling somewhere that lets them be extradited and tried in a US court, the prosecution still needs to prove beyond a reasonable doubt at trial that they're the responsible party. Things get more complicated when an entire nation-state government is accused of launching ransomware attacks, but so far I think only North Korea has faced that (someone please correct me if I'm wrong), and they're kind of an outlier among all the other countries.

We should always be skeptical any time any government accuses any entity of a crime, of course. There should always be a presumption of innocence. But that's what the legal system and due process are for. The onus is on the government to prove their case.

I envy your optimistic view on this. When I look back at recent wars (including affairs with countries that are "just bombed", without military personnel on the ground), I'm not sure I can see through the same rose colored glasses.

The government alleges something that sounds terrible that would justify an invasion, both parties play along, media is pushing pro war propaganda, allies abroad go along as well. Twenty years later, still no consequences, no apologies from our politicians, and any time someone seriously considers pulling out the troops, mysteriously some dubious war story comes up that is supposed to distract us or justify the war.

And how many innocent civilians will die in the process, assuming they can even identify the group responsible?
Ah the usual American response: for every US citizen that dies, kill 5 foreign soldiers and 15 civilians.

Then you wonder why everyone is burning US flags.

Attribution for cyberattacks is hard.
You’ll kill thousands, maybe millions of innocent lives by going down this path. Are their lives worth less than US citizens? Why?
Horrifying mindset that led to the disastrous war on terror in the aftermath of 9/11. Our foreign policy should not be based on an animalistic thirst for blood.
What if the state actor who did this has nuclear weapons?
Treat them as terrorists, and eliminate some of the leaders until they get the message.
I mean that sounds simple and all.. But historically that hasn't worked well for us long term.
It's true. Attacking random countries that follow the same religions as a particular bad guy is not a recipe for long term prosperity.
I was about to say that this is practically an act of war. You could make a good case that military intervention is justified.
What if the responsible is the government?
So war against the US government who is to blame for the 1990's IT infrastructure of the whole health system?
I would advise taking a deep breath first. How the f..k will you bring "full might of military" on some group located everywhere? Invade a few countries? I sincerely hope that by now people in congress have a little bit more of that gray matter. And what exactly does that "no mercy" mean?
So should Russia do the same? After all the US did officially declare a cyberwar against Russia. If this ends up being attributed to Russia they have a very real defence in pointing the finger at the US and saying "You started it!"
If the United States pre-emptively attacks a foreign country with a cyber attack resulting in the loss of human life, then yes, Russia or any state would be justified in retaliating. This is equally true for any such use of any weapon of mass destruction.
And if it’s from China?

This is going to be a controversial suggestion, but I have a feeling that we might already be in an asymmetric world war and our leaders might quietly know it. This year has felt like checkmate.

Then we should not be so meek as to do nothing. During the Cold War, nations did not sit idly by as their adversaries developed nuclear capabilities which, make no mistake about it, targeted civilians and civilian infrastructure. Of course, we developed our own defensive capabilities but then, as now, we faced a type of threat which hugely favored the attacker. So we kept pace with the offensive capabilities of our adversaries. If China or Russia (the states themselves) is identified beyond doubt as the source of this attack, then our policy must be to retaliate in kind.

Mutually assured destruction for the cyber-age.

If it's organized criminal hackers we're dealing with, then we should treat them how we would treat any legitimate terroristic threat. I would want our intelligence agencies to reach out and touch them.

This may not be a popular point of view on Hacker News. I unfortunately cannot fathom an alternative solution.

That is exactly how it feels.
Floodgates...

TGD

You're talking about the mass murder of easily 20 million people.
I don't condone it. I'm saying it's been discussed.
Oh! I'm really sorry about that, my mistake.
What about management? What about the sysadmins/developers that left a security hole somewhere? Are they held responsible in some way?

It's unacceptable that this keeps happening. If you own a safe and it gets broken into every week, do you blame the safe cracker or who built the safe?

Do you blame the dev? Do you blame the HR system that hired them? How about the manager that pushed them too much? What about his manager? Is it the VP of IT's fault, even if he didn't know the technical specifics? Nothing is any one person's fault. Blame is a stupid waste of time.
At some point we will sit down and recognize that calling programmers "engineers" was a mistake. True engineers make guarantees within clearly specified limits and take on liability for those guarantees. Modern technology companies claim many things while owning little, if any, responsibility.
For starters, the whole 'NOT FIT FOR ANY PARTICULAR PURPOSE EVEN THOUGH YOU PAY FOR IT TO DO THESE SPECIFIC THINGS' contract thing needs to go die.

WRT engineering- if someone walks into a production cell and a robot swings and hits them in the head, guess who generally gets the blame in an investigation? The group that somehow didn't put safety scanners or a cell wall with door interlocks or didn't use safety-rated equipment.

There's a big difference between "guys, please get out of the way before I make the bot move" and "guys, I can't make the bot move until you're out of the way and the door is closed and latched" and worst-case scenario, that difference can be any number of human lives.

Surely things can improve, but it'll take time, dedication, and sucking it up and rewriting legacy code and probably being slower at pushing features out. (Keep in mind this isn't a universal guidebook- and should mostly be for companies that create software and infrastructure that is or can be life-critical.)

I agree, although I also think civil engineers who miss things (Elliot Lake mall collapse, for example) are mostly just scapegoats and don't deserve to shoulder so much of the blame.
This is what I was thinking with my comment. I don't like the idea of being liable for software I make. I love that the MIT license has a clause saying whatever happens to your computer is not my fault. It's comforting when you're just trying to share something.

But.. there are certain classes of software that I think should be written differently.

I feel like we made a lot of bad decisions. There should be a completely separate stack for hospitals, power plants, etc., including a custom operating system. Why is Windows running on every machine? Isn't this a national security issue at this point?

> "Why is Windows running on every machine? Isn't this a national security issue at this point?"

Because for better or worse people make their choices and who are you to tell them what to run.

Infrastructural software - sure there should be some kind of security certification. This probably will not help much. Switches and routers are not running Windows and are still being attacked and crippled. Or consider the Stuxnet.

Sometimes analogies can be misleading. It's a lot harder to design a secure hospital IT apparatus than a safe. Also, in the event of a safe getting cracked, you'd likely have no recourse against the safe vendor. Safes are designed to present a firewall against tampering, but with sufficient physical access, no safe will stand for long. So your analogy fails two ways: one is that it trivializes the difficulty of the problem you're analogizing, and the other is that even if it were a good analogy, it would cut against your argument.
> It's a lot harder to design a secure hospital IT apparatus than a safe.

Yeah I agree there.

I'm curious what the surface area could look like. What is the minimum a hospital could operate with? How locked down could things be? Anyone in healthcare care to comment?

My house would be trivially easy to break into but if someone did, I wouldn't be responsible.

Even if I leave the door unlocked, it's still a crime to break in and take my stuff.