Technology

The U.S. government may not be able to prevent another global cyberattack like WannaCry, a senior cybersecurity official has said.

Jeanette Manfra, the assistant director for cybersecurity for Homeland SecurityCybersecurity and Infrastructure Security Agency (CISA), said on stage at TechCrunch Disrupt SF that the 2017 WannaCry cyberattack, which saw hundreds of thousands of computers around the world infected with ransomware, was uniquely challenging because it spread so quickly.

&I don&t know that we could ever prevent something like that,& said Manfra, referring to another WannaCry-style attack. &We just have something that completely manifests itself as a worm. I think the original perpetrators didn&t expect probably that sort of impact,& she added.

The WannaCry cyberattack was the first major global security incident in years. Hackers believed to be associated with North Korea used a set of highly classified hacking tools that only weeks earlier had been stolen from the National Security Agency and published online. The tools allowed anyone who used them to infect thousands of vulnerable computers with a backdoor. That backdoor was used to deliver the WannaCry payload, which locked out users from their own files unless they paid a ransom.

Making matters worse, WannaCry had wormable properties, allowing it to spread across a network and making it difficult to contain.

Although the National Security Agency never publicly acknowledged the theft of its hacking tools, Homeland Security said at the time that users were &the first line of defense& against the threat of WannaCry. Microsoft released security fixes weeks earlier, but many had not installed the patches.

&Updating your patches would have prevented a fair amount of people from from being a victim,& said Manfra. Yet data shows that two years after the attacks, more than a million computers remained vulnerable to the ransomware.

Manfra said &bad things are going to happen,& but that efforts to mobilize government and the private sector can help combat cyberattacks as they emerge.

&Luckily, there was a an enterprising individual who was able to find a way to kill it and it didn&t impact the U.S. as much,& she said.

Marcus Hutchins, a malware reverse engineer and security researcher, registered adomain name found the ransomwarecode which when registered acted as a &kill switch,& stopping the ransomware from spreading. Hutchins was hailed as an &accidental hero& for his efforts. Hutchins and his colleague Jamie Hankins spent a week ensuring the kill switch stayed up, helping to prevent millions of further infections.

Manfraremarks came just weeks after her department warned of a new, emerging threat posed by BlueKeep, a vulnerability found in Windows 7 and earlier, which experts say has the capacity to trigger another global incident similar to the WannaCry attack. BlueKeep can be exploited to run malicious code — such as malware or ransomware — on an affected system.

Like WannaCry, BlueKeep also has wormable properties, allowing it to spread to other vulnerable computers on the same network.

Itestimated that a million internet-connected devices are vulnerable to BlueKeep. Security researchers say it is only a matter of time before bad actors develop and use a BlueKeep exploit to carry out a similar WannaCry-style cyberattack.

EditorNote

This week, we hosted 23 panels on all aspects of building startups on the Extra Crunch stage at TechCrunch Disrupt SF. Thanks to the thousands of attendees who attended those talks, as well as the workshops we held on the Breakout Stage — your enthusiasm was palpable.

We also had hundreds of new EC members join during the conference — to all of you: welcome!

This newsletter covers all of last week, and is a bit abbreviated thanks to Disrupt. Back to normal next week.

Where top VCs are investing in edtech

Extra Crunch media columnist Eric Peckham interviewed almost a dozen leading venture capitalists about the state of edtech, including Jennifer Carolan of Reach Capital, Aydin Senkut of Felicis Ventures, and Charles Birnbaum of Bessemer. There is still a lot of enthusiasm for the space, but the theses for these investors have diverged quite significantly.

Marlon Nichols , Managing Partner at MaC Venture Capital (a new LA-based seed fund with investments in Catalyte, Codeverse, and Wonderschool):

&Many education technology companies target individual teachers, which presents a long path to sizable revenue (requires too many customers) while others usually attempt to navigate the lengthy and bureaucratic sales cycle of selling to school districts. VCs prefer companies that have short sales cycles that can scale revenue quickly so in general, edtech companies are difficult investments for venture capital.

That said, education is a giant opportunity in the US because high quality education is not evenly distributed across communities or social classes. Ita crisis. Companies that address this at scale are attractive if the revenue model makes sense. Thatwhy I led the first round into Wonderschool, which delivers high quality education and child care at costs relative to onezip code. The schools double as the educatorhome so there isn&t a need for real estate investment.&

Why is Dropbox reinventing itself? A chat with Dropbox VP of Product Adam Nash and CTO Quentin Clark

Dropbox may be known for its singular file storage product, but the company is adapting and changing as it seeks new customers and also learns more about what &file storage& really means to users.

The tech industry has won at capitalism. From America to China, from Amazon to Alibaba, from Alphabet to Tencent, the most valuable and most dynamic companies in the world are technology companies. But what kind of capitalism? Because there are really two different modes, two ways to get rich.

One is to claim a share of the wealth that already exists. This is the capitalism of Wall Street, of Russia¹, of cronies and rent-seekers, of the infamous &resource curse.& Obviously the more wealth there is around you, the more incentivized this approach becomes. Call it the siphon.

The other is to create new wealth; manufacture better goods, offer better services, design better hardware, write better software. This is — or is supposed to be — the capitalism of Silicon Valley, of China², of rocket ships and electric cars, of MooreLaw. Obviously this is the purer, more idealistic form of capitalism. Call it the forge.

It seems apparent that public opinion has turned sharply against the tech industry of late:

Isn&t that surprising? After all, Silicon Valley is building new and better things for us all, while Wall Street, having offered essentially no generally beneficial financial innovations in decades, is greedily siphoning off roughly a quarter of all American profits; the pharmaceutical industry is spending vastly more on marketing than on R-D; and the rest of the US health-care industry is basically a huge kludge of a bloodsucking siphon.

So why has tech, the forge of the modern world, found itself in the crosshairs of a backlash?

I put it to you that this is in part because while tech likes to portray itself as a forge, in many prominent cases, it is actually a siphon. Consider Facebook, Twitter, and Google. All are unquestionably forges, whose new products have done many good things. But thatnot their business model. Their business model, their original sin, is that siphon called advertising.

You could once have argued that advertising is a forge, in that is makes consumers aware of desirable products, just as you could once have argued Wall Street was a forge, in that it makes capitalism more efficient. No longer, in both cases. Online display / social-media advertising has become the tech equivalent of high-frequency trading: a pure siphon. (You can, however, make a good case for GoogleAdWords as a forge.)

People know when they&re being siphoned. Whatmore, the industry being siphoned from is the media, which is unsurprisingly now inclined to train its own guns on tech as a result.

Itnot just ads. A more nuanced view is that &siphon& and &forge& are two ends of a spectrum, and numerous notable tech companies are closer to the former than the latter. Every app aimed at the wealthy-urbanite target market is essentially a siphon aimed at the wallets of the rich. (Yes, forge technology is often only affordable by the rich at first, too; but thatvery different from servants-as-a-service.) WeWork was, apparently, largely a siphon for SoftBank.

When people are angry at Amazon, Uber, and Lyft for how they treat warehouse workers, Whole Foods clerks, and drivers, itin large part because it seems to them like the wealthiest industry in the world is acting like a siphon geared to drain the minimal wealth of struggling workers, rather than a forge building new systems to empower and enrich us all.

Of course some of this criticism is unfair. And what almost every tech luminary really wants is to follow the Elon Musk model, wherein his stint at PayPal — which, like all payments companies³, is at least half siphon, albeit one largely aimed at even less appealing rivals — funded the forges of SpaceX and Tesla.

But all too often, the road to a siphon is paved with good intentions of a forge. Say what you want about Wall Street, at least they&re not hypocrites; high-frequency traders and hedge funds rarely pretend to be making the world a better place for anyone but themselves and their clients. This perceived hypocrisy is especially acute for companies like Facebook and Twitter, which offer &free& products from their forges … carefully engineered to optimize the siphons on which they survive.

In retrospect itsurprising it took this long for the tension between the siphon and the forge to erupt into the cultural dissonance in which social media, and gig-economy apps, and indeed much of the publicly visible tech industry, now exists. While that tension continues, ithard to imagine this dissonance diminishing.

¹ An oversimplification — again, itreally more a spectrum than a binary — but not an invalid one.² An oversimplification — again, itreally more a spectrum than a binary — but not an invalid one.³ Excepting those which create whole new kinds of payments, such as M-Pesa.