May 16, 2017

FTC's McSweeny on lessons learned from ransomware attack

Rebecca Zisser / Axios

With the so-called WannaCry ransomware attack "zipping around the world" and "some of the really interesting aspects of our cybersecurity debate," Federal Trade Commission Democrat Terrell McSweeny says there are some things consumers can do to protect their computers:

  1. Update your software so it incorporates recent security patches. That can mean turning automatic updates back on for many users. "If you've disabled that function, turn it back on and update your software package," McSweeny said during an interview for C-SPAN's "The Communicators" slated to run this weekend.
  2. Back up your data so you don't lose much if hackers hold it hostage. "Backing up your files [in] a reliable way, so that if your system is suddenly encrypted through a ransomware attack you still have another copy of all of that important personal information in a safe place that's disconnected from that computer so that you can recreate it and you're not dependent on that computer," McSweeny said.

When it comes to whether users should pay a ransom to retrieve their data, "generally in this situation with this attack, the advice has been not to pay it because you may not get your information back anyway."

Why it matters: WannaCry isn't the last time Americans will hear about ransomware, especially as it becomes a more common tool to attack connected devices in the Internet of Things.

On the FTC's role: McSweeny noted that global law enforcement agencies are looking into the attack, and that the FTC's role in responding to the worldwide story would likely be more about educating users. She said, however, that there was a hypothetical, broad situation in which a company that was attacked by ransomware but had lax data security could be the target of an FTC probe.

"You could say that if you were not adequately maintaining your cybersecurity hygiene as an organization, you fell victim to a ransomware attack or lost a lot of consumer information through a ransomware attack, that could actually give rise to FTC liability," she said.

A warning: "So if we're just relying on consumers and end users, then we will end up in situations where this kind of ransomware attack is able to exploit vulnerabilities that aren't patched," she said.

Companies take note: McSweeny also said that the WannaCry attack was a reminder of the importance of cybersecurity for corporate America. "I think it really underscores an important feature of this discussion, though, which is cybersecurity best practice is no longer a thing that lives in a Chief Information Security Officer role within an organization, it's something that should be understood at the highest levels of organizations and companies," she said.
