This is very simple, and it has more to do with the philosophy and marketing of operating systems than the technology of the operating systems themselves, though the technology does matter a great deal as well. First, let’s have a look at how this ransomware attack was allowed to happen to begin with.
The vast majority of affected systems in this latest worldwide cyber attack were Windows-based computers that were not updated with a recently available and easily deployed patch. The attack did not affect other operating systems, and Windows systems that had a recently released security patch were not affected. (I was going to put a link here to direct people to the Microsoft web page with info on what to do if you were attacked, but a minute or two of perusal on the Microsoft site mostly told me about Microsoft’s new products, and I did not find any such page. If you have a link, please place it in a snark-free comment below.)
Why was the patch not deployed on so many computers? For several reasons.
Some of the operating systems were running under administrative policies that did not allow patching for some reason or another. I’ve only heard rumors of this but it sounds like a blind-future style pre-decision, in the same category of other bone-headed human processes like no tolerance policies for knives in schools and three strikes you are out sentencing policies. It works like this: You remove thinking from the process by making all decisions in advance, and then get the heck out of there with limited liability and whatever happens happens. If you do this you are probably a member of Congress or a school board member planning on retiring soon. It never goes well. Telling security IT people in advance what they can and can’t do because of HR or personnel regulations is like going to a doctor and telling them what your diagnosis and treatment is going to be, in advance. You will die of something curable, eventually, if you do that regularly.
Some of the operating systems were running on computers that are, in theory, never supposed to be turned off. This is similar to the first reason in its stupidity level. For one thing, making it impossible to patch an OS ever is really not smart. For another thing, that computer you plan to never turn off is going to turn itself off now and then. But it is also bad at another level, the level of the operating system. Windows has operated, for years, under the principle that when enough stuff goes wrong, you turn off the computer and start again, and if that does not work you reinstall the operating system from scratch. Now, I know, you Windows lovers will jump in at this point and tell me that “Windows doesn’t work that way any more” but you know what? After decades of hearing how Windows Past is not Windows Present, when it really is, I don’t care what you say. Also, actual on the ground Windows users have been trained, by Microsoft policy, to reboot or reinstall for decades. Anyway, the point is, Windows cannot be updated on the fly, and thus, the system utterly fails in a situation where updating is critical, which by the way is all the time and on all machines, because even computers you use for nothing but curating recipes for muffins, if hooked to the Internet (where all the good muffin recipes are), can still be the platform for launching a secondary cyber attack.
Some of those operating systems were in health related fields (referring here to both of these first two excuses) and that is why so many health related facilities were hit initially.
Another reason, which is a bit tricky, is the problem with updating stolen software. If you stole the OS it might be hard to get an update or patch. It seems like a good idea for the company making the OS to do this, as it encourages buying the product and discourages stealing it. Yet, many tens of thousands of computers, maybe hundreds of thousands, are currently locked down by WannaCry because they were pirated, and not updated. This becomes a public health (cyber-health, eHealth) risk. It is like vaccination. We all suffer because so many others get the disease, even those of us who did not fail to do the right thing.
This is a moment when we look at something like computer operating systems and realize that they are actually a public good as much as, or more than, they are a commercial product. Think of roads and canals in the old days. Roads and canals were often privately owned (as were fire departments and police forces in many cases) and eventually it became apparent that these are all public goods, so they were essentially taken over by the government. Similarly, power companies and railroads. Not exactly taken over but made into quasi-public entities through integration with public agencies and heavy regulation.
I’ve often argued that things like Google, Amazon.com, Facebook, Twitter, etc. have become the equivalent of public goods, like roads and the post office, etc., in a similar way. To some extent, this is also true of operating systems.
There is of course a solution to all of this. What we need is an operating system that is made by the public itself. If all interested parties simply became involved, and maybe large companies with a lot of stake in computers would put aside a meaningful amount of their own software development resources, and a few public and private agencies would provide some grants and bounties and stuff, we could have an operating system that was free, easily installed, and updated every week with common updates (like, maybe, on Sunday evenings or something) through a very easy and easily automated system of updating. That would be great.
Ideally most software would come from well maintained and secure repositories that were checked for malicious code. There could be several different such repositories more or less redundant with each other but maybe tweaked to cater to different types of users. The added advantage of several different but similar repositories is this: even if some bad code gets into one repository, the fact that across users, many different repositories are used, would slow its spread.
With an operating system that is free, easy, effective, powerful, flexible, and easily updated, almost every one of the limitations in the way we do things that allowed WannaCry to spread and ruin everything would simply not exist. A few people would be hit; it would be a minor story.
On top of this, let’s make this new operating system have a few other security related features.
For instance, monitoring code. The way it works now with Windows is that a finite number of paid and I’m sure brilliant individuals are in charge of coding and maintaining the operating system, and updates and patches, while a much larger number of criminal-minded nefarious but also brilliant individuals are focused on breaking the security. This means that there is an uneven arms race where day to day Microsoft will always be a step ahead of the bad guys, except every now and then when the bad guys jump ahead and make a huge mess.
I propose that this ratio be reversed, that the arms race between the good and the evil become totally one sided in the other direction. Have a very large number of individuals, a proportion of the above mentioned community of private individuals and interested corporations and agencies, working on security, swamping out the nefarious bad guys. There would be very few moments when the bad guys got very far ahead of the good guys.
In addition, the operating system itself could have other security related features. For example, the basic tools inside the operating system could be well maintained, highly traditional, really clean and neat code, and free to use. So, for example, basic tasks that any new software might use are figured out, so you don’t have to add your own new version of the code to do them. This means that new code will generally be fast, effective, clean, easier to maintain, and more secure.
Also, the operating system can work more like a prison than, say, a food court. In a food court, you do what you want to do (eat, meet your friends, hang out) in a rather chaotic environment where you can move freely from place to place. Someone puts their food down on a table to go back to the Azian Kuizine window to get the chopsticks they forgot, and you can grab their pot stickers, sit down at a nearby table, and no one can really figure out that you just stole their food. And so on.
In a prison, you can theoretically leave your cell and walk down the hall to the gym, then go to the cafeteria, then the law library. But, the entire route is blocked by a series of doors that only specific people have permission to open, at specific times, for specific reasons. Everything you do requires having permission at every step of the way, and it is all constantly being carefully watched.
Life should be more like the food court. What happens inside computers should be more like the prison.
Of course, by now, most of you have figured out that I’m talking about Linux. Linux is an operating system that is already widely used when certain conditions pertain. Since the Android OS is based on Linux, and the majority of servers run Linux, and Linux is becoming the preferred desktop in China, it may well be that Linux is more widely deployed right now than any other operating system, though most Westerners think of it as nearly non-existent on desktops.
Critical tasks are often trusted to Linux or similar operating systems (Unix, BSD, etc.) because of reliability and security. When efficiency is required, Linux is often tapped because it can be deployed in a very efficient manner. Linux acts internally like the prison, not the food court. The system itself is constantly monitored open source code, and most of what runs on it is openly monitored as well. Software is usually distributed via secure repositories. The system is free and easily updated; there is no such thing as a pirated copy of Linux. There is a regular schedule of updates; they come out every Sunday.
Another important feature of Linux is the separation of the operating system and the surface appearance of the system. The operating system itself comes in a number of varieties, but most people use one of two: Red Hat or Debian (there are others). But the surface of the OS, the part the user sees, is not related to that at all. Most people use a “desktop” which provides the windows and stuff, the parts that you interface with, and there are several versions of this, from which users can more or less pick and choose.
Here is why this is important: The desktop provides the user experience, and the user experience sells the product. If you develop a proprietary operating system like Windows, many of your decisions, including when to produce major updates, etc., are driven by the marketing department. The development and deployment of the operating system is a complex process where designers and marketing gurus are at the same table, essentially, as security experts and developers concerned with efficiency.
In the Linux system, the security people and efficiency and functionality developers work most of the time independently from the equivalent of “marketers” or “designers” because of this two-layer aspect of the system. It is quite interesting to visit the communities of desktop developers and hear what they are saying to each other, then visit the community of system developers and hear what they are saying to each other. They are pretty much two distinct conversations. There will never be a marketing or design decision about Linux that impacts security.
Linux is the female operating system in a patriarchic world. Refer to the appropriate John Lennon song for a starker analogy. It does a lot of the work, maybe most of the work, but is usually not recognized. When people make comparisons, Linux has to dance backwards and in high heels.
If I say, like I just said here, that “if Linux was widely in use, the WannaCry attack would have been much less severe” people will respond “Linux can be attacked too” and that will be taken by others, and possibly meant to begin with, as stating “Linux and Windows are the same, it’s just that attackers attack Windows and not Linux.” That is a pernicious falsehood that feels a lot like many sexist comments about the limitations of women. Yes, Linux could in theory be attacked. No, Linux is pretty much not attacked very often or ever, so your fantasy about how it can be attacked has no empirical backing. No, Linux and Windows are not the same in how they are developed, designed, maintained, deployed, updated, or secured, and every single one of those differences gives Linux a huge leg up on security and Windows one or more disadvantages.
If a cyber attack is a mugger, Windows is a physically small drunken person with wads of money sticking out of his pockets, staggering down a dark alley near the convention hall during a muggers’ conference, while Linux is a hundred sober and smart well trained Navy Seals each driving a separate armored car in undisclosed locations.
Yes, you can attack the Navy Seals. But if you do that, they’ll make you wanna cry.