Want to stop the next WannaCry? Stop classifying and start sharing

A push to declassify cyber-related intelligence would lead to better information-sharing and be the most effective way to face down the next WannaCry, former U.S. Chief Information Security Officer Gregory Touhill said at a June 15 congressional hearing. That global ransomware attack, he warned, "could have been much, much worse."

Touhill, speaking at a joint hearing held by two subcomittees of the House Science, Space and Technology Committee, said both government and private industry should engage in frequent exercises and drills as preparation for the next event.

"Public private partnerships are an instrumental tool" in preventing the next WannaCry, agreed

Darin LaHood (R-Ill.). The congressman praised another witness, Kryptos Logic CEO Salim Neino, as a case in point -- noting it was a Kryptos employee who first identified the WannaCry "kill switch" that enabled governments and other organizations to contain the ransomware's spread.

The chief barrier to better public-private collaboration is a systemic lack of information sharing, Touhill declared. And "the biggest inhibition to information sharing between the public and private sector," he said, "is over-classification of information by the government."

Touhill noted that a disproportionate amount of information marked top secret was at the same time widely available in the public domain. One fix? "Change the default setting," he said, so that more information is initially unclassified. One study has shown, he said, that classified information appears online in about seven days anyway.

This transparency would assist in preparation, noted Touhill -- a point echoed by Charles H. Romine, director of the Information Technology Laboratory at the National Institute of Standards and Technology.

Such preparations are not always about prevention, he stressed. "We are often thinking about detection and prevention of attacks," he said. "We don't pay enough attention to response and recovery."

Touhill agreed, adding that serious planning and preparation should involve exercises and drills that include personnel at all levels.

Regular drills "including the C-suite" would invest preparation with the urgency it deserves, he said. "I think that's a conversation that boards and C-suites should be having, because frankly, if I'm somebody who's an investor in a company that's attacked, I'm going to be asking, 'why weren't you doing due care and due diligence?'"