Tom Bossert Briefing on Wannacry/Wannacrypt Ransomware delivered 15 May 2017, White House, Washington, D.C. Good afternoon. I’m Tom Bossert. I’m the Assistant to the President for Homeland Security and Counterterrorism. And if I could, I’d like to start today by acknowledging the fallen police officers that the President and Vice President acknowledged today. They are the frontlines of our homeland security. And the event today was an honor for me to attend.On cybersecurity, as the President’s Homeland Security Advisor, part of my responsibilities is to coordinate U.S. government cybersecurity efforts. I want to give you an update today on the ransomware attack that’s been known as WannaCry or WannaCrypt. We continue closely monitoring the situation around the clock at the highest levels of government. We’re bringing all the capabilities of the U.S. government to bear on this issue, and are working side-by-side with our partners in the private sector and our international partners. I spoke moments ago with my counterpart in Great Britain and learned an update from them that they have a feeling of control over this ransomware event and that as their affected computers seemed to have been tied to this is a fact that there healthcare system is so large in network. They are painfully aware, though, of the fact that this is a global attack, as are we. As of this morning, it has reached approximately 150 countries and infected more than 300,000 machines. The good news is the infection rates have slowed over the weekend. We had been concerned about that when last we talked. The ransomware has disrupted telecommunications companies, hospitals, and other organizations. The UK National Health Care Service announced 48 of its organizations were affected, and that resulted in inaccessible computers and telephone service, but an extremely minimal effect on disruption to patient care. That was something quite evident in my conversation. Computers at the Spanish telecommunications company, Telefonica, were compromised, and we had a small number of affected parties in the U.S., including FedEx. Secretary Kelly at the Department of Homeland Security continues to lead operations and public/private coordination. His team is issuing twice daily situation reports, is holding multiple calls per day among experts in operational centers managing our response. As of today, no federal systems are affected. Over all, the U.S. infection rate has been lower than many parts of the world, but we may still see a significant impact on additional networks as these malware attacks morph and change. Despite appearing to be criminal activity intended to raise money, it appears that less than $70,000 has been paid in ransoms, and we are not aware of payments that led to any data recovery. The Cyber Threat Intelligence Integration Center is also keeping us informed of the classified insights considering the investigation into the attacks. And let me talk about now briefly the way ahead. It’s important for our business and individuals to know that three variance of this ransomeware are reported to have emerged, using similar techniques. We talked last I was here about variance in this malware. If you follow the mitigation advice published by DHS, the FBI and Microsoft, and have patched your systems, you are protected against all these variance. It’s also important to know that pirated, stolen or otherwise unlicensed versions of affected software often will not receive patches. So it’s important to not use that unlicensed software. If you do you’ll be subject to extraordinarily susceptible infection. While it would be satisfying to hold accountable those responsible for the attack, something that we are working on quite seriously, the worm is in the wild, so to speak, at this point, and patching is the most important message, as a result. Our business and government have responded with upgrades and patches, defensive mitigations, and this has dramatically reduced the vulnerable population over the last three days. But this needs to continue to be our focus. I would finish by repeating advice that all organizations be vigilant in updating their software and that the only computers that can be compromised by the WannaCry or WannaCrypt virus are ones that do not have the latest security patches available from Microsoft. Question: So this is one episode of malware or ransomware. Do you know from the documents and the cyber hacking tools that were stolen from NSA if there are potentially more out there? Mr. Bossert: So there’s a little bit of a double question there. Part of that has to do with the underlying vulnerability exploit here used. I think if I could, I’d rather, instead of directly answering that, and can’t speak to how we do or don’t do our business as a government in that regard, I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government. So this was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals of foreign nation states, that was put together in such a way so to deliver it with phishing emails, put it into embedded documents, and cause an infection in encryption and locking. So the problem — and I think I said this morning — of the underlying vulnerability is something that is a little bit less of a direct point for me. Question: I guess a shorter way to put it would be is there more out there that you’re worried about that would lead to more attacks in the future? Mr. Bossert: I actually think that the United States, more than probably any other country, is extremely careful with their processes about how they handle any vulnerabilities that they’re aware of. That’s something that we do when we know of the vulnerability, not when we know we lost a vulnerability. I think that’s a key distinction between us and other countries — and other adversaries that don’t provide any such consideration to their people, customers, or industry. Question: You mentioned your British counterparts are feeling a sense of control. Was there any time that you monitored this here in the States where you felt there was any lack of control or this could get out of hand here? And if not, what is it about what was here that was protected that didn’t exist, for example, in Europe or other parts that have obviously taken a much bigger hit? Mr. Bossert: No comparative lack of control, but my conversation today led me to believe that he felt quite comfortable — my counterparts felt quite comfortable with where they stood today. Not compared — Question: Right. But was there any time that you felt here that things could spiral out of control? Mr. Bossert: Well, as we were gaining and gathering more information, it was important for us to determine the parameters of this. Once we got our hands around the parameters of the malware, that’s, of course, in the beginning moments that you’re trying to get ahold of — get the malware, analyze it, determine what’s happening. In that time frame, you don’t feel entirely in control, but you’re searching for information. Once we got it and realized what the situation was, we realized there were patches available and had been available since March. And so, from that point, operation centers and communications become the key and they’re imperative to how we handle this response. And from the British perspective, I thought it was important to pass along from them two points — one, that they thought it was an extremely small number of patients that might have been inconvenienced and not necessarily a disruption to their clinical care, as opposed to their administrative processes. And two, that they felt that some of those reports might have been misstated or overblown given how they had gotten themselves into a position of patching. So we’ll have to do the analysis and investigation later as to why certain organizations, systems or sectors were more greatly affected than others. So that’s the point I’d like to elaborate. Question: What is this bottom line to the average consumer? And what are we going forward to make sure that it doesn’t get out in the open and affect — Mr. Bossert: The bottom line for the consumer is patch your software, provide automated patch support if you can — turn that automated on. Make sure your IT service providers or IT folks within your organizations are patching your software. That’s the bottom line. And this particular malware and the three reported variance that we’ve seen since are all fixable with patch. And that’s something that you can get from Microsoft. So that’s our bottom line. And I don’t want to encroach too much here of Mr. Spicer’s time, but if I could, with that, maybe I’ll take one more question, Sean, okay? Question: Who did it? Mr. Bossert: We don’t know. That’s the attribution that we’re after right now. It would be satisfying for me and for all of our viewers, I think, that if we find them and bring them to justice. I think that’s something that sometimes — attribution can be difficult here. I don’t want to say we have no clues. As I stand here today I feel that the best and brightest are working on that. So thank you very much. I’ll let you know. Thank you very much. Book/CDs by Michael E. Eidenmuller, Published by McGraw-Hill (2008) Text, Audio, Video Source: WhiteHouse.gov Audio Note: AR-XE = American Rhetoric Extreme Enhancement Page Updated: 9/28/17 U.S. Copyright Status: Text = Public domain. Audio = Property of AmericanRhetoric.com.